The Moonshot source code is available from our GIT repository and it all can be built by hand relatively easily, assuming you have all of the prerequisite packages installed. This page has instructions for building the software itself.
macOS versions
These instructions have been tested on macOS 10.13 High Sierra and later.
1.1. Requirements
To build all of the Moonshot components, you need various packages installed. To install all of these, see below.
1.1.1. Get Xcode for macOS
To get all of the requirements on your macOS platform, you will need to install Xcode and the Xcode command-line extensions:
Install Xcode from the Mac App Store.
Open a Terminal, then install the Xcode Command Line Tools. You will be prompted with a dialog to install the Command Line Tools after a 130MB download.
If you have never launched Xcode before, do so at least once, or run the following command in your Terminal window.
1.1.2. Get Packages for macOS
The Moonshot installer is built using Packages (http://s.sudre.free.fr/Software/Packages/about.html). Install it before trying to build the installer.
1.1.3. Install the GNU tools for macOS
You will need to install several GNU tools:
Install GNU m4:
Install GNU Autoconf:
Install GNU Automake:
Install GNU Libtool:
Install pkg-config:
1.1.4. Install JSON from CPAN
Update CPAN and install JSON:
Just like on Linux, build and installation locations matter, with one vital difference. On macOS, the /usr tree itself is locked down and inaccessible, even for the privileged (root) user. However, locations like /usr/local are open, and with newer versions of the OS, expect this to change.
For the purposes of this set of instructions, we recommend the following:
- For all the Moonshot dependencies, including Moonshot itself, the --prefix parameter should be set to /usr/local/moonshot. If you decide to change this location, you should appropriately change the locations in the commands in Sections 3 and 5 to your preference.
- We recommend that you build all libraries with the -rpath parameter enabled to avoid any clashes with other libraries (such as the older version of OpenSSL that macOS ships for compatibility reasons). We have been assured by macOS developers that the clang and libtool tools for macOS support this.
- We do NOT recommend using the Apple-provided sources for some libraries (such as Heimdal) as they have various customisations that may negatively impact how Moonshot works, and because Apple categorically WILL NOT support any of their own source sets (we've tried through a Platinum support path and had the support ticket closed and refunded).
If you DO try using Apple's OpenSource sources and find that things build and function fine, please let us know by commenting on this document (with instructions that we can update this document with). These instructions should generally be backward-compatible.
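One way to check the -rpath recommendation above after a build, as an added example that is not part of the original instructions or the Moonshot project: it parses `otool -L` output and reports any libssl/libcrypto dependency that resolves outside /usr/local/moonshot. The function names and the sample output (including its version numbers) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Moonshot project code: find OpenSSL references that
# escape the build prefix recommended on this page.
MOONSHOT_PREFIX="/usr/local/moonshot"

# Reads `otool -L` output on stdin and prints "<binary>: <dependency>" for each
# libssl/libcrypto dependency that is neither under the prefix nor @rpath-relative.
flag_foreign_openssl() {
    awk -v prefix="$MOONSHOT_PREFIX" '
        /^[^ \t]/ {                  # unindented header line: "<binary>:"
            bin = $0
            sub(/:$/, "", bin)
            next
        }
        {
            dep = $1                 # indented line: dependency path is field 1
            n = split(dep, parts, "/")
            if (parts[n] !~ /^lib(ssl|crypto)[.].*dylib$/) next
            if (index(dep, prefix "/") == 1) next
            if (index(dep, "@rpath/") == 1) next
            print bin ": " dep
        }'
}

# Constructed sample of `otool -L` output (not taken from a real build).
sample_otool_output() {
    cat <<'EOF'
/usr/local/moonshot/lib/libradsec.0.dylib:
    /usr/local/moonshot/lib/libradsec.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/local/moonshot/lib/libssl.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
/usr/local/moonshot/lib/libevent_openssl.dylib:
    /usr/lib/libssl.35.dylib (compatibility version 36.0.0, current version 36.0.0)
    @rpath/libcrypto.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
EOF
}

# On a real build: otool -L "$MOONSHOT_PREFIX"/lib/*.dylib | flag_foreign_openssl
sample_otool_output | flag_foreign_openssl
```

An empty result means every OpenSSL reference stays inside the prefix; any line printed names a library that would load the system copy instead.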
3.1.1. Gettext
3.1.2. PCRE
PCRE is required during the build of some later dependencies. Libffi is one of these.
3.1.3. Libffi
Libffi is a dependency of the Glib library that in turn is used by the Moonshot library for some Dbus functionality
3.1.4. OpenSSL
3.1.5. Heimdal
Heimdal requires OpenSSL. Once OpenSSL has built successfully, build Heimdal.
We can safely use an old version (7.3.0) since runtime GSS libraries are taken from the system installation, and newer versions seem to generate invalid moonshot binaries.
3.1.6. LibConfuse
3.1.7. LibEvent
Libevent requires OpenSSL. Once OpenSSL has built successfully, build Libevent.
3.1.8. Dbus
Dbus is used by the macOS client to communicate with the Moonshot mechanism.
3.1.9. Glib
Glib is required by the Moonshot library.
3.1.10. Jansson
Jansson is used by the Moonshot libraries.
3.1.11. libxml2
libxml2 is used to parse assertions
The Moonshot source code is all stored in a GIT repository at https://github.com/janetuk.
5.1. Libradsec
Libradsec is used by the Moonshot libraries.
5.2. The Moonshot UI
The Moonshot UI contains two components, libmoonshot, which is the interface between the Moonshot mechanism and the Identity Selector, and the Identity Selector itself. Libmoonshot and the Identity Selector can be built together:
Clone the Moonshot UI project:
Apple Developer Team ID support
Optionally, if you have multiple Apple Developer ID certificates for different teams installed, use the optional --with-apple-developer-id=DeveloperTeamID parameter to specify the ID that is shown in brackets in the certificates. The build currently does not support Mac Developer certificates. To disable Apple Developer Team ID checks and signing, specify --with-apple-developer-id=no.
Build Libmoonshot:
Pay attention to the output the sudo make install command provides and double-check that the library exists in /usr/local/moonshot/lib.
Build the Identity Selector:
- The Moonshot app will be in the ui/macos-ui/build/Release directory. You can then copy it from there to the /Applications folder.
Identity Selector app signing
Currently the Identity Selector is not signed. This is to avoid limitations with macOS sandboxing. However, once we enable signing for the Identity Selector, you should follow these additional steps:
Pay attention to the output the make app-bundle command provides. You should see something similar to this to show that the build has copied the entitlements and has signed the application:
If Xcode did not sign the code and you did not disable Apple Developer ID checks and signing in Step 2, sign it manually:
If you disabled Apple Developer ID checks in Step 2, skip this step. Otherwise verify the signing with the following command; you should have lines like these:
5.3. The Moonshot mechanism
Configure script parameters
There are several parameters in the command above that rely on locations noted down previously:
COMPILE_ET contains the full path to the compile_et binary that will be in your Heimdal build tree. You noted this down in the last step of Section 3.1.5.
You should now have a mech_eap.so file in /usr/local/moonshot/lib/gss.
To test this build of Moonshot, you will need to make some privileged changes to the system you built this on:
In /etc, create a gss directory:
Copy the mech file from the Moonshot mech_eap build directory to /etc/gss
- As the privileged user, edit the /etc/gss/mech file:
  - Change the mech_eap.so entry on each line to the full path of the library, e.g. /usr/local/moonshot/lib/gss/mech_eap.so
  - Save the file.
Copy the Identity Selector app (Moonshot.app) you built in Step 2 of Section 5.2 above into the /Applications folder.
- Run the Identity Selector app from the Launch Pad, then add a new Moonshot identity to the app.
Run an SSH command to a Moonshot-enabled system that the credentials you added in the previous step will be valid for:
Jisc Assent
If you have an identity provider on the Jisc Assent network, you can use ssh -Kv moonshot@test-sp.infr.assent.ti.ja.net to test whether your macOS Moonshot mechanism worked successfully. You should be prompted for an identity the first time you do this, and then successfully connect to the service. You should see several lines like this in the output:
Jisc Assent
On the Jisc Assent Test SSH Service, the final output for success will be this:
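The /etc/gss/mech edit in the test steps above can be scripted and checked before the file is installed. This is an added example, not part of the original instructions or the Moonshot project; it assumes each entry in the mech file has three whitespace-separated fields (name, OID, library), and the sample file and function names are constructed. Because every GSS-API client loads the libraries this file names, the second function also rejects entries that point at a missing file or one writable by group or others.

```shell
#!/bin/sh
# Added example, not Moonshot project code. Assumes every non-comment line of
# the mech file has three whitespace-separated fields: name, OID, library.

# Print mech file $1 with bare library names made absolute under directory $2.
# Rewritten lines come out single-space separated.
absolutize_mech() {
    awk -v dir="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }     # keep comments and blank lines
        NF >= 3 && index($3, "/") == 0 { $3 = dir "/" $3 }
        { print }' "$1"
}

# Succeed only if every library named in mech file $1 is an absolute path to an
# existing file that group and others cannot write to.
mech_libs_are_safe() {
    for lib in $(awk '!/^[ \t]*#/ && NF >= 3 { print $3 }' "$1" | sort -u); do
        case "$lib" in
            /*) ;;
            *) echo "not an absolute path: $lib" >&2; return 1 ;;
        esac
        [ -f "$lib" ] || { echo "missing: $lib" >&2; return 1; }
        if [ -n "$(find "$lib" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "writable by group or others: $lib" >&2; return 1
        fi
    done
}

# Demo on constructed data in a scratch directory, which stands in for
# /usr/local/moonshot/lib/gss and /etc/gss so nothing privileged is touched.
demo_dir="$(mktemp -d)"
printf '%s\n' '# constructed sample mech file' \
    'eap-aes128 1.3.6.1.5.5.15.1.1.17 mech_eap.so' \
    'eap-aes256 1.3.6.1.5.5.15.1.1.18 mech_eap.so' > "$demo_dir/mech"
: > "$demo_dir/mech_eap.so" && chmod 755 "$demo_dir/mech_eap.so"
absolutize_mech "$demo_dir/mech" "$demo_dir" > "$demo_dir/mech.new"
cat "$demo_dir/mech.new"
mech_libs_are_safe "$demo_dir/mech.new" && echo "library entries OK"
rm -rf "$demo_dir"
```

On a real system the second argument to absolutize_mech would be /usr/local/moonshot/lib/gss, and the checked output would be copied to /etc/gss/mech as the privileged user.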
To distribute this binary set, you will need to trim down the binaries you have built to include only the dynamic libraries and only bare essentials needed to run the mechanism:
7.1. Automatic build
The macos-ui directory in the moonshot-ui/ tree has a Makefile that will automatically run all the build steps in Section 7.2.
- Change to the macos-ui directory, run make installer.
- The final result should be a signed (if you chose to use Apple Developer ID support) Moonshot.dmg file in the macos-ui directory.
7.2. Manual build
7.2.1. Create the distribution archive for the mechanism
Make a tarball with the required libraries and binaries from the /usr/local/moonshot directory into the Installer directory as the privileged user. The filemanifest.txt file contains the full list of required files.
7.2.2. The Moonshot Uninstaller utility
The Uninstaller utility is an Xcode project.
Build the Uninstaller utility:
Pay attention to the output the make uninstaller-bundle command provides. You should see something similar to this to show that the build has copied the entitlements and has signed the application:
If Xcode did not sign the code and you did not disable Apple Developer ID checks in Section 5.2, Step 2, sign it manually:
Verify the signing with the following command; you should have lines like these:
The Uninstall Moonshot app will be in the ui/macos-ui/Uninstaller/build/Release directory. You can then copy it from there to the /Applications folder.
7.2.3. The Moonshot Installer
The Moonshot installer contains the distribution archive, the uninstaller utility, and the Moonshot identity selector.
Change to the Installer folder:
- Copy the Moonshot identity selector app from the Applications folder to the LatestBuild directory.
- Copy the Uninstall Moonshot app from the ui/macos-ui/Uninstaller/build/Release directory to the LatestBuild directory.
- Copy the distribution archive you created in Section 8.1 to this directory, replacing the existing local.tar.gz file.
Build the installer:
Create the Moonshot distribution disk image:
- Copy the resulting Moonshot.dmg to your distribution point.
Generate a checksum for Moonshot.dmg with the following command:
Current issues with this build include that the macOS SSH client abandons any gssapi-with-mic conversations if the first mechanism it chooses fails.
In a domain environment, this usually involves a Kerberos interaction, i.e. where you have received a Kerberos ticket before by logging in or by running kinit. Other ssh clients (or a custom build of the ssh client) may not exhibit this behaviour.
On macOS Sierra and later, the native SSH client is sandboxed when run from its default location in /usr/bin. Making a copy of the binary in /usr/local/bin enables it to authenticate with Moonshot. Adjust /etc/paths to load binaries in /usr/local/bin first, then restart your sessions.
Currently the Moonshot Identity Manager (Moonshot.app) is not signed during the automatic build. This is due to Apple sandboxing the app when it is signed, making it impossible for it to communicate with Dbus (and by extension, the Moonshot mechanism). Not signing the app allows Moonshot authentication to proceed.
If you've been using a Mac for any length of time, you know that it's more than just a pretty point-and-click, window-and-icon interface. Beneath the surface of the operating system is an entire world that you can access only from the command line. Terminal (in your /Applications/Utilities folder) is the default gateway to that command line on a Mac. With it, instead of pointing and clicking, you type your commands and your Mac does your bidding.
Why would you want to do that? For almost all of your computing needs, the regular graphical user interface is enough. But the command line can be handy when it comes to troubleshooting your Mac, to turn on 'hidden' settings, and other advanced chores. It's a good idea for anyone who isn't an utter beginner to be familiar with it.
If you aren't already familiar with your Mac's command-line interface. First up: How to navigate the file system from the command-line prompt.
The prompt
By default, when you open Terminal, the first thing you'll see is something like this:
The first line shows the last time you logged into your Mac via the command line; that's the current time, when you're using Terminal. The second line is the prompt, and while it can change from system to system depending on configuration, by default it contains several bits of information.
In my prompt, walden is the name of my Mac (same as the name in the Sharing pane of System Preferences), and kirk is my user name. The ~ shows where I am in the file system of my Mac; ~ is a shortcut that means the current user's home folder. (In the Finder, that's the folder with your user name and the house icon.) Finally, the $ is a character that the bash shell (the default interface that Terminal uses) displays to indicate that it's ready to accept a command.
What's in a folder
When you first get to the command line, you're in your home folder. While you're there—or when you're in any folder (directory in Unix-speak)—you might want to know what's in it. To do that you use the ls (or list) command. Type ls and press the Return key, and you'll see the folders (and/or files) in the current directory.
The output of the plain ls command is pretty sparse; it shows you the names of files and folders contained in the current directory (including some familiar ones such as Movies, Music, Pictures, and so on). Fortunately, you can add a number of optional switches to the ls command that allow you to see more information. So, for example, try typing ls -l (that's a lower-case L), then pressing Return. You'll see something like this:
Don't worry too much about what all that means right now; we're just getting our feet wet. The point is that ls can provide additional information about files and folders, depending on the options you specify. In this case, that additional information includes the name of the user who owns each item in the directory. (That ownership is part of the Unix system's file-permissions regime.) The kirk kirk next to most of those items above means that each one is owned by the user kirk, who is in the group kirk. The other understandable bit of information next to each file and folder is the date and time each one was last modified.
One other handy option: You can view invisible files—ones that the Finder doesn't normally show you—by typing ls -a. (These hidden files all have dots (.) in front of their names.)
Moving around
When you're in the Finder and you want to move to another folder, you find that folder and double-click it. From the command line, you use the cd (or change directory) command instead. So let's say you're in your Home folder and want to peek inside the Downloads folder. To do that, you'd type cd Downloads. (Remember to always type a space after any command that has an additional argument, such as the name of a directory in the previous example.) Once you've done that, ls will show you the contents of your Downloads folder.
Here are a couple of quick tricks for moving around in your Mac's file system.
- If you type cd and press the Return key—with no directory specified—you'll go back to your Home folder. (You can also type cd ~ to go there.)
- If you type cd /, you'll go to the root level of your startup disk.
- If you type cd .. (that's two periods), you'll go to the directory above the one you're currently in. So if you're in your home folder, and type cd .., you'll go to your Mac's /Users folder.
- And if you type cd - (hyphen) you'll go back to the directory you were in before the last time you issued the cd command.
To learn more Terminal commands, see our articles on how to copy and move folders as well as delete files and folders using the command line and get help when you need it from man pages.