More information that I'm not sure whether it is useful or not:
According to
https://kb.symas.com/knowledge-base/symas-openldap/2-4-44-2/man3-Library-Functions2-4-44-2/gssapi-Generic-Security-Service-Application-Program-Interface-library2-4-44-2/
there is a problem in older versions of Heimdal that
incorrectly implement DES3 MIC getting and verification. Could this have
something to do with this, although given that my CentOS 6 VM has no
problem with the MIC, the build off that very same machine *does* have a
problem once it hits the public service I run.
Happy to slap more MIC verification bits into util_context.c to see what
checksum it uses (or whatever else you want to know).
:-/
Stefan Paetow
Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: [log in to unmask]
skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT
No. GB 197 0632 86. Jisc's registered office is: One Castlepark, Tower
Hill, Bristol, BS2 0JA. T 0203 697 5800.
From: Moonshot Developers List <[log in to unmask]> on behalf of
Stefan Paetow <[log in to unmask]>
Date: Wednesday, 2 August 2017 at 16:32
To: <[log in to unmask]>
Subject: Re: Failing to build mech_eap on Mac.
>> I doubt it's this, but I do keep an open mind. Some printfs() would be
>>a good start. :)
>
>How's this?
>
>[root@ssh ssh]# /usr/sbin/sshd -f /etc/ssh/sshd_config -d -d -d -d
>debug2: load_server_config: filename /etc/ssh/sshd_config
>debug2: load_server_config: done config len = 681
>debug2: parse_server_config: config /etc/ssh/sshd_config len 681
>debug3: /etc/ssh/sshd_config:21 setting Protocol 2
>debug3: /etc/ssh/sshd_config:36 setting SyslogFacility AUTHPRIV
>debug3: /etc/ssh/sshd_config:66 setting PasswordAuthentication yes
>debug3: /etc/ssh/sshd_config:70 setting ChallengeResponseAuthentication no
>debug3: /etc/ssh/sshd_config:81 setting GSSAPIAuthentication yes
>debug3: /etc/ssh/sshd_config:83 setting GSSAPICleanupCredentials yes
>debug3: /etc/ssh/sshd_config:84 setting GSSAPIStrictAcceptorCheck yes
>debug3: /etc/ssh/sshd_config:97 setting UsePAM yes
>debug3: /etc/ssh/sshd_config:100 setting AcceptEnv LANG LC_CTYPE
>LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
>debug3: /etc/ssh/sshd_config:101 setting AcceptEnv LC_PAPER LC_NAME
>LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
>debug3: /etc/ssh/sshd_config:102 setting AcceptEnv LC_IDENTIFICATION
>LC_ALL LANGUAGE
>debug3: /etc/ssh/sshd_config:103 setting AcceptEnv XMODIFIERS
>debug3: /etc/ssh/sshd_config:109 setting X11Forwarding yes
>debug3: /etc/ssh/sshd_config:116 setting UsePrivilegeSeparation no
>debug3: /etc/ssh/sshd_config:132 setting Subsystem sftp
>/usr/libexec/openssh/sftp-server
>debug3: /etc/ssh/sshd_config:139 setting KerberosAuthentication no
>debug3: /etc/ssh/sshd_config:141 setting UsePAM yes
>debug3: /etc/ssh/sshd_config:142 setting GSSAPIAuthentication yes
>debug1: sshd version OpenSSH_5.3p1
>debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
>debug1: read PEM private key done: type RSA
>debug1: private host key: #0 type 1 RSA
>debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
>debug1: read PEM private key done: type DSA
>debug1: private host key: #1 type 2 DSA
>debug1: rexec_argv[0]='/usr/sbin/sshd'
>debug1: rexec_argv[1]='-f'
>debug1: rexec_argv[2]='/etc/ssh/sshd_config'
>debug1: rexec_argv[3]='-d'
>debug1: rexec_argv[4]='-d'
>debug1: rexec_argv[5]='-d'
>debug1: rexec_argv[6]='-d'
>debug3: oom_adjust_setup
>Set /proc/self/oom_score_adj from 0 to -1000
>debug2: fd 3 setting O_NONBLOCK
>debug1: Bind to port 22 on 0.0.0.0.
>Server listening on 0.0.0.0 port 22.
>debug2: fd 4 setting O_NONBLOCK
>debug1: Bind to port 22 on ::.
>Server listening on :: port 22.
>debug3: fd 5 is not O_NONBLOCK
>debug1: Server will not fork when running in debugging mode.
>debug3: send_rexec_state: entering fd = 8 config len 681
>debug3: ssh_msg_send: type 0
>debug3: send_rexec_state: done
>debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
>debug1: inetd sockets after dupping: 3, 3
>Connection from 212.219.210.246 port 63277
>debug1: Client protocol version 2.0; client software version OpenSSH_6.9
>debug1: match: OpenSSH_6.9 pat OpenSSH*
>debug1: Enabling compatibility mode for protocol 2.0
>debug1: Local version string SSH-2.0-OpenSSH_5.3
>debug2: fd 3 setting O_NONBLOCK
>debug1: list_hostkey_types: ssh-rsa,ssh-dss
>debug1: SSH2_MSG_KEXINIT sent
>debug3: Wrote 840 bytes for a total of 861
>debug1: SSH2_MSG_KEXINIT received
>debug2: kex_parse_kexinit:
>diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,di
>ffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>debug2: kex_parse_kexinit:
>aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
>,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysat
>or.liu.se
>debug2: kex_parse_kexinit:
>aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
>,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysat
>or.liu.se
>debug2: kex_parse_kexinit:
>hmac-md5,hmac-sha1,[log in to unmask],hmac-sha2-256,hmac-sha2-512,hmac-ri
>pemd160,[log in to unmask],hmac-sha1-96,hmac-md5-96
>debug2: kex_parse_kexinit:
>hmac-md5,hmac-sha1,[log in to unmask],hmac-sha2-256,hmac-sha2-512,hmac-ri
>pemd160,[log in to unmask],hmac-sha1-96,hmac-md5-96
>debug2: kex_parse_kexinit: none,[log in to unmask]
>debug2: kex_parse_kexinit: none,[log in to unmask]
>debug2: kex_parse_kexinit:
>debug2: kex_parse_kexinit:
>debug2: kex_parse_kexinit: first_kex_follows 0
>debug2: kex_parse_kexinit: reserved 0
>debug2: kex_parse_kexinit:
>[log in to unmask],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sh
>a2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exch
>ange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>debug2: kex_parse_kexinit:
>[log in to unmask],[log in to unmask],ssh-rsa,ecdsa-sh
>[log in to unmask],[log in to unmask],
>[log in to unmask],[log in to unmask],
>[log in to unmask],[log in to unmask],ecdsa-sha2-nistp
>256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
>debug2: kex_parse_kexinit:
>[log in to unmask],aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@
>openssh.com,[log in to unmask],arcfour256,arcfour128,aes128-cbc,3des-c
>bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lys
>ator.liu.se
>debug2: kex_parse_kexinit:
>[log in to unmask],aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@
>openssh.com,[log in to unmask],arcfour256,arcfour128,aes128-cbc,3des-c
>bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lys
>ator.liu.se
>debug2: kex_parse_kexinit:
>[log in to unmask],[log in to unmask],hmac-sha2-256-etm@openssh
>.com,[log in to unmask],[log in to unmask],umac-64@opens
>sh.com,[log in to unmask],hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5
>[log in to unmask],[log in to unmask],[log in to unmask]
>om,[log in to unmask],hmac-md5,hmac-ripemd160,hmac-ripemd160@open
>ssh.com,hmac-sha1-96,hmac-md5-96
>debug2: kex_parse_kexinit:
>[log in to unmask],[log in to unmask],hmac-sha2-256-etm@openssh
>.com,[log in to unmask],[log in to unmask],umac-64@opens
>sh.com,[log in to unmask],hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5
>[log in to unmask],[log in to unmask],[log in to unmask]
>om,[log in to unmask],hmac-md5,hmac-ripemd160,hmac-ripemd160@open
>ssh.com,hmac-sha1-96,hmac-md5-96
>debug2: kex_parse_kexinit: none,[log in to unmask],zlib
>debug2: kex_parse_kexinit: none,[log in to unmask],zlib
>debug2: kex_parse_kexinit:
>debug2: kex_parse_kexinit:
>debug2: kex_parse_kexinit: first_kex_follows 0
>debug2: kex_parse_kexinit: reserved 0
>debug2: mac_setup: found [log in to unmask]
>debug1: kex: client->server aes128-ctr [log in to unmask] none
>debug2: mac_setup: found [log in to unmask]
>debug1: kex: server->client aes128-ctr [log in to unmask] none
>debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
>debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
>debug3: Wrote 408 bytes for a total of 1269
>debug2: dh_gen_key: priv key bits set: 131/256
>debug2: bits set: 1524/3072
>debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
>debug2: bits set: 1558/3072
>debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
>debug2: kex_derive_keys
>debug2: set_newkeys: mode 1
>debug1: SSH2_MSG_NEWKEYS sent
>debug1: expecting SSH2_MSG_NEWKEYS
>debug3: Wrote 976 bytes for a total of 2245
>debug2: set_newkeys: mode 0
>debug1: SSH2_MSG_NEWKEYS received
>debug1: KEX done
>debug3: Wrote 40 bytes for a total of 2285
>debug1: userauth-request for user moonshot service ssh-connection method
>none
>debug1: attempt 0 failures 0
>debug3: Trying to reverse map address 212.219.210.246.
>debug2: parse_server_config: config reprocess config len 681
>debug2: input_userauth_request: setting up authctxt for moonshot
>debug1: PAM: initializing for "moonshot"
>debug1: PAM: setting PAM_RHOST to "oscar.dev.ja.net"
>debug1: PAM: setting PAM_TTY to "ssh"
>debug2: input_userauth_request: try method none
>Failed none for moonshot from 212.219.210.246 port 63277 ssh2
>debug3: Wrote 72 bytes for a total of 2357
>debug1: userauth-request for user moonshot service ssh-connection method
>gssapi-with-mic
>debug1: attempt 1 failures 0
>debug2: input_userauth_request: try method gssapi-with-mic
>Postponed gssapi-with-mic for moonshot from 212.219.210.246 port 63277
>ssh2
>debug3: Wrote 40 bytes for a total of 2397
>In eapGssSmAcceptAcceptorName()
>ctx->acceptorName != GSS_C_NO_NAME
>gssEapDisplayName(minor, ctx->acceptorName, outputToken, NULL)
>gssEapDisplayName() ok
>In eapGssSmAcceptIdentity()
>gssEapCredAvailable() ok
>inputToken != GSS_C_NO_BUFFER && inputToken->length != 0
>eap_msg_alloc(EAP_VENDOR_IETF,...) ok
>duplicateBuffer(minor, &pktBuffer, outputToken)
>wpabuf_free(reqdata)
>GSSEAP_SM_TRANSITION_NEXT(ctx)
>debug1: Got no client credentials
>debug3: Wrote 88 bytes for a total of 2485
>In eapGssSmAcceptAuthenticate()
>In createRadiusHandle()
>GSSEAP_ASSERT(actx->radContext, actx->radConn, cred !=
>GSS_C_NO_CREDENTIAL) all ok
>gssEapCreateRadiusContext() ok
>rs_conn_create() ok
>ctx->acceptorCtx.radContext is NULL, createRadiusHandle() ok
>isIdentityResponseP() is true
>In importInitiatorIdentity()
>wpabuf_set() ok
>eap_hdr_validate() ok
>gssEapReleaseName() ok
>Returning gssEapImportName(minor, &nameBuf, GSS_C_NT_USER_NAME,
>ctx->mechanismUsed, &ctx->initiatorName
>importInitiatorIdentity() ok
>rs_packet_create_authn_request() ok
>In setInitiatorIdentity()
>ctx->initiatorName != GSS_C_NO_NAME
>gssEapDisplayName() ok
>gssEapRadiusAddAvp() ok
>gss_release_buffer() ok
>setInitiatorIdentity() ok
>In setAcceptorIdentity()
>GSSEAP_ASSERT(rc != NULL) ok
>ctx->acceptorName != GSS_C_NO_NAME
>GSSEAP_KRB_INIT(&krbContext)
>GSSEAP_ASSERT(krbPrinc) ok
>GSSEAP_ASSERT(KRB_PRINC_LENGTH(krbPrinc)) ok
>krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf)
>gssEapRadiusAddAvp(minor, req, ..., SERVICE_NAME) ok
>KRB_PRINC_LENGTH(krbPrinc) >= 2
>krbPrincComponentToGssBuffer() ok
>gssEapRadiusAddAvp() ok
>krbPrincRealmToGssBuffer()
>setAcceptorIdentity() ok
>gssEapRadiusAddAvp() ok
>rs_request_create() ok
>rs_request_add_reqpkt() ok
>rs_request_send() ok
>GSSEAP_ASSERT(resp != NULL) ok
>rs_packet_code() ok
>gssEapRadiusGetAvp() ok
>isAccessChallenge true, gssEapRadiusGetAvp() ok
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>debug1: Got no client credentials
>debug3: Wrote 56 bytes for a total of 2541
>In eapGssSmAcceptAuthenticate()
>rs_packet_create_authn_request() ok
>In setInitiatorIdentity()
>ctx->initiatorName != GSS_C_NO_NAME
>gssEapDisplayName() ok
>gssEapRadiusAddAvp() ok
>gss_release_buffer() ok
>setInitiatorIdentity() ok
>In setAcceptorIdentity()
>GSSEAP_ASSERT(rc != NULL) ok
>ctx->acceptorName != GSS_C_NO_NAME
>GSSEAP_KRB_INIT(&krbContext)
>GSSEAP_ASSERT(krbPrinc) ok
>GSSEAP_ASSERT(KRB_PRINC_LENGTH(krbPrinc)) ok
>krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf)
>gssEapRadiusAddAvp(minor, req, ..., SERVICE_NAME) ok
>KRB_PRINC_LENGTH(krbPrinc) >= 2
>krbPrincComponentToGssBuffer() ok
>gssEapRadiusAddAvp() ok
>krbPrincRealmToGssBuffer()
>setAcceptorIdentity() ok
>gssEapRadiusAddAvp() ok
>ctx->acceptorCtx.state.length != 0, gssEapRadiusAddAvp() ok
>rs_request_create() ok
>rs_request_add_reqpkt() ok
>rs_request_send() ok
>GSSEAP_ASSERT(resp != NULL) ok
>rs_packet_code() ok
>gssEapRadiusGetAvp() ok
>isAccessChallenge true, gssEapRadiusGetAvp() ok
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>debug1: Got no client credentials
>debug3: Wrote 1064 bytes for a total of 3605
>In eapGssSmAcceptAuthenticate()
>rs_packet_create_authn_request() ok
>In setInitiatorIdentity()
>ctx->initiatorName != GSS_C_NO_NAME
>gssEapDisplayName() ok
>gssEapRadiusAddAvp() ok
>gss_release_buffer() ok
>setInitiatorIdentity() ok
>In setAcceptorIdentity()
>GSSEAP_ASSERT(rc != NULL) ok
>ctx->acceptorName != GSS_C_NO_NAME
>GSSEAP_KRB_INIT(&krbContext)
>GSSEAP_ASSERT(krbPrinc) ok
>GSSEAP_ASSERT(KRB_PRINC_LENGTH(krbPrinc)) ok
>krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf)
>gssEapRadiusAddAvp(minor, req, ..., SERVICE_NAME) ok
>KRB_PRINC_LENGTH(krbPrinc) >= 2
>krbPrincComponentToGssBuffer() ok
>gssEapRadiusAddAvp() ok
>krbPrincRealmToGssBuffer()
>setAcceptorIdentity() ok
>gssEapRadiusAddAvp() ok
>ctx->acceptorCtx.state.length != 0, gssEapRadiusAddAvp() ok
>rs_request_create() ok
>rs_request_add_reqpkt() ok
>rs_request_send() ok
>GSSEAP_ASSERT(resp != NULL) ok
>rs_packet_code() ok
>gssEapRadiusGetAvp() ok
>isAccessChallenge true, gssEapRadiusGetAvp() ok
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>debug1: Got no client credentials
>debug3: Wrote 1064 bytes for a total of 4669
>In eapGssSmAcceptAuthenticate()
>rs_packet_create_authn_request() ok
>In setInitiatorIdentity()
>ctx->initiatorName != GSS_C_NO_NAME
>gssEapDisplayName() ok
>gssEapRadiusAddAvp() ok
>gss_release_buffer() ok
>setInitiatorIdentity() ok
>In setAcceptorIdentity()
>GSSEAP_ASSERT(rc != NULL) ok
>ctx->acceptorName != GSS_C_NO_NAME
>GSSEAP_KRB_INIT(&krbContext)
>GSSEAP_ASSERT(krbPrinc) ok
>GSSEAP_ASSERT(KRB_PRINC_LENGTH(krbPrinc)) ok
>krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf)
>gssEapRadiusAddAvp(minor, req, ..., SERVICE_NAME) ok
>KRB_PRINC_LENGTH(krbPrinc) >= 2
>krbPrincComponentToGssBuffer() ok
>gssEapRadiusAddAvp() ok
>krbPrincRealmToGssBuffer()
>setAcceptorIdentity() ok
>gssEapRadiusAddAvp() ok
>ctx->acceptorCtx.state.length != 0, gssEapRadiusAddAvp() ok
>rs_request_create() ok
>rs_request_add_reqpkt() ok
>rs_request_send() ok
>GSSEAP_ASSERT(resp != NULL) ok
>rs_packet_code() ok
>gssEapRadiusGetAvp() ok
>isAccessChallenge true, gssEapRadiusGetAvp() ok
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>debug1: Got no client credentials
>debug3: Wrote 792 bytes for a total of 5461
>In eapGssSmAcceptAuthenticate()
>rs_packet_create_authn_request() ok
>In setInitiatorIdentity()
>ctx->initiatorName != GSS_C_NO_NAME
>gssEapDisplayName() ok
>gssEapRadiusAddAvp() ok
>gss_release_buffer() ok
>setInitiatorIdentity() ok
>In setAcceptorIdentity()
>GSSEAP_ASSERT(rc != NULL) ok
>ctx->acceptorName != GSS_C_NO_NAME
>GSSEAP_KRB_INIT(&krbContext)
>GSSEAP_ASSERT(krbPrinc) ok
>GSSEAP_ASSERT(KRB_PRINC_LENGTH(krbPrinc)) ok
>krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf)
>gssEapRadiusAddAvp(minor, req, ..., SERVICE_NAME) ok
>KRB_PRINC_LENGTH(krbPrinc) >= 2
>krbPrincComponentToGssBuffer() ok
>gssEapRadiusAddAvp() ok
>krbPrincRealmToGssBuffer()
>setAcceptorIdentity() ok
>gssEapRadiusAddAvp() ok
>ctx->acceptorCtx.state.length != 0, gssEapRadiusAddAvp() ok
>rs_request_create() ok
>rs_request_add_reqpkt() ok
>rs_request_send() ok
>GSSEAP_ASSERT(resp != NULL) ok
>rs_packet_code() ok
>gssEapRadiusGetAvp() ok
>isAccessChallenge true, gssEapRadiusGetAvp() ok
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>debug1: Got no client credentials
>debug3: Wrote 120 bytes for a total of 5581
>In eapGssSmAcceptAuthenticate()
>rs_packet_create_authn_request() ok
>In setInitiatorIdentity()
>ctx->initiatorName != GSS_C_NO_NAME
>gssEapDisplayName() ok
>gssEapRadiusAddAvp() ok
>gss_release_buffer() ok
>setInitiatorIdentity() ok
>In setAcceptorIdentity()
>GSSEAP_ASSERT(rc != NULL) ok
>ctx->acceptorName != GSS_C_NO_NAME
>GSSEAP_KRB_INIT(&krbContext)
>GSSEAP_ASSERT(krbPrinc) ok
>GSSEAP_ASSERT(KRB_PRINC_LENGTH(krbPrinc)) ok
>krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf)
>gssEapRadiusAddAvp(minor, req, ..., SERVICE_NAME) ok
>KRB_PRINC_LENGTH(krbPrinc) >= 2
>krbPrincComponentToGssBuffer() ok
>gssEapRadiusAddAvp() ok
>krbPrincRealmToGssBuffer()
>setAcceptorIdentity() ok
>gssEapRadiusAddAvp() ok
>ctx->acceptorCtx.state.length != 0, gssEapRadiusAddAvp() ok
>rs_request_create() ok
>rs_request_add_reqpkt() ok
>rs_request_send() ok
>GSSEAP_ASSERT(resp != NULL) ok
>rs_packet_code() ok
>gssEapRadiusGetAvp() ok
>isAccessChallenge true, gssEapRadiusGetAvp() ok
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>debug1: Got no client credentials
>debug3: Wrote 104 bytes for a total of 5685
>In eapGssSmAcceptAuthenticate()
>rs_packet_create_authn_request() ok
>In setInitiatorIdentity()
>ctx->initiatorName != GSS_C_NO_NAME
>gssEapDisplayName() ok
>gssEapRadiusAddAvp() ok
>gss_release_buffer() ok
>setInitiatorIdentity() ok
>In setAcceptorIdentity()
>GSSEAP_ASSERT(rc != NULL) ok
>ctx->acceptorName != GSS_C_NO_NAME
>GSSEAP_KRB_INIT(&krbContext)
>GSSEAP_ASSERT(krbPrinc) ok
>GSSEAP_ASSERT(KRB_PRINC_LENGTH(krbPrinc)) ok
>krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf)
>gssEapRadiusAddAvp(minor, req, ..., SERVICE_NAME) ok
>KRB_PRINC_LENGTH(krbPrinc) >= 2
>krbPrincComponentToGssBuffer() ok
>gssEapRadiusAddAvp() ok
>krbPrincRealmToGssBuffer()
>setAcceptorIdentity() ok
>gssEapRadiusAddAvp() ok
>ctx->acceptorCtx.state.length != 0, gssEapRadiusAddAvp() ok
>rs_request_create() ok
>rs_request_add_reqpkt() ok
>rs_request_send() ok
>GSSEAP_ASSERT(resp != NULL) ok
>rs_packet_code() ok
>gssEapRadiusGetAvp() ok
>isAccessChallenge true, gssEapRadiusGetAvp() ok
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>debug1: Got no client credentials
>debug3: Wrote 168 bytes for a total of 5853
>In eapGssSmAcceptAuthenticate()
>rs_packet_create_authn_request() ok
>In setInitiatorIdentity()
>ctx->initiatorName != GSS_C_NO_NAME
>gssEapDisplayName() ok
>gssEapRadiusAddAvp() ok
>gss_release_buffer() ok
>setInitiatorIdentity() ok
>In setAcceptorIdentity()
>GSSEAP_ASSERT(rc != NULL) ok
>ctx->acceptorName != GSS_C_NO_NAME
>GSSEAP_KRB_INIT(&krbContext)
>GSSEAP_ASSERT(krbPrinc) ok
>GSSEAP_ASSERT(KRB_PRINC_LENGTH(krbPrinc)) ok
>krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf)
>gssEapRadiusAddAvp(minor, req, ..., SERVICE_NAME) ok
>KRB_PRINC_LENGTH(krbPrinc) >= 2
>krbPrincComponentToGssBuffer() ok
>gssEapRadiusAddAvp() ok
>krbPrincRealmToGssBuffer()
>setAcceptorIdentity() ok
>gssEapRadiusAddAvp() ok
>ctx->acceptorCtx.state.length != 0, gssEapRadiusAddAvp() ok
>rs_request_create() ok
>rs_request_add_reqpkt() ok
>rs_request_send() ok
>GSSEAP_ASSERT(resp != NULL) ok
>rs_packet_code() ok
>gssEapRadiusGetAvp() ok
>isAccessChallenge false
>rs_packet_avps() ok
>In acceptReadyEap()
>gssEapOidToEnctype() ok
>gssEapRadiusGetRawAvp() ok
>gssEapImportName() ok
>gssEapRadiusGetRawAvp() ok
>gssEapDeriveRfc3961Key() ok
>rfc3961ChecksumTypeForKey() ok
>sequenceInit() ok
>gssEapCreateAttrContext() ok
>acceptReadyEap() ok
>GSSEAP_SM_TRANSITION_NEXT(ctx)
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>debug1: Got no client credentials
>debug3: Wrote 56 bytes for a total of 5909
>In eapGssSmAcceptGssFlags()
>GSSEAP_ASSERT(ctx->flags & CTX_FLAG_KRB_REAUTH) ok
>inputToken->length ok
>In eapGssSmAcceptInitiatorMIC()
>eapGssSmAcceptInitiatorMIC channel bindings ok!
>gssEapVerifyTokenMIC() returned 393216
>debug1: A token had an invalid Message Integrity Check (MIC)
>Decrypt integrity check failed
>
>debug1: Got no client credentials
>debug3: Wrote 120 bytes for a total of 6029
>Failed gssapi-with-mic for moonshot from 212.219.210.246 port 63277 ssh2
>debug3: Wrote 128 bytes for a total of 6157
>debug1: userauth-request for user moonshot service ssh-connection method
>gssapi-with-mic
>debug1: attempt 2 failures 1
>debug2: input_userauth_request: try method gssapi-with-mic
>Postponed gssapi-with-mic for moonshot from 212.219.210.246 port 63277
>ssh2
>debug3: Wrote 40 bytes for a total of 6197
>In eapGssSmAcceptAcceptorName()
>ctx->acceptorName != GSS_C_NO_NAME
>gssEapDisplayName(minor, ctx->acceptorName, outputToken, NULL)
>gssEapDisplayName() ok
>In eapGssSmAcceptIdentity()
>gssEapCredAvailable() ok
>inputToken != GSS_C_NO_BUFFER && inputToken->length != 0
>eap_msg_alloc(EAP_VENDOR_IETF,...) ok
>duplicateBuffer(minor, &pktBuffer, outputToken)
>wpabuf_free(reqdata)
>GSSEAP_SM_TRANSITION_NEXT(ctx)
>debug1: Got no client credentials
>debug3: Wrote 88 bytes for a total of 6285
>In eapGssSmAcceptAuthenticate()
>In createRadiusHandle()
>GSSEAP_ASSERT(actx->radContext, actx->radConn, cred !=
>GSS_C_NO_CREDENTIAL) all ok
>gssEapCreateRadiusContext() ok
>rs_conn_create() ok
>ctx->acceptorCtx.radContext is NULL, createRadiusHandle() ok
>isIdentityResponseP() is true
>In importInitiatorIdentity()
>wpabuf_set() ok
>eap_hdr_validate() ok
>gssEapReleaseName() ok
>Returning gssEapImportName(minor, &nameBuf, GSS_C_NT_USER_NAME,
>ctx->mechanismUsed, &ctx->initiatorName
>importInitiatorIdentity() ok
>rs_packet_create_authn_request() ok
>In setInitiatorIdentity()
>ctx->initiatorName != GSS_C_NO_NAME
>gssEapDisplayName() ok
>gssEapRadiusAddAvp() ok
>gss_release_buffer() ok
>setInitiatorIdentity() ok
>In setAcceptorIdentity()
>GSSEAP_ASSERT(rc != NULL) ok
>ctx->acceptorName != GSS_C_NO_NAME
>GSSEAP_KRB_INIT(&krbContext)
>GSSEAP_ASSERT(krbPrinc) ok
>GSSEAP_ASSERT(KRB_PRINC_LENGTH(krbPrinc)) ok
>krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf)
>gssEapRadiusAddAvp(minor, req, ..., SERVICE_NAME) ok
>KRB_PRINC_LENGTH(krbPrinc) >= 2
>krbPrincComponentToGssBuffer() ok
>gssEapRadiusAddAvp() ok
>krbPrincRealmToGssBuffer()
>setAcceptorIdentity() ok
>gssEapRadiusAddAvp() ok
>rs_request_create() ok
>rs_request_add_reqpkt() ok
>rs_request_send() ok
>GSSEAP_ASSERT(resp != NULL) ok
>rs_packet_code() ok
>gssEapRadiusGetAvp() ok
>isAccessChallenge true, gssEapRadiusGetAvp() ok
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>debug1: Got no client credentials
>debug3: Wrote 56 bytes for a total of 6341
>In eapGssSmAcceptAuthenticate()
>rs_packet_create_authn_request() ok
>In setInitiatorIdentity()
>ctx->initiatorName != GSS_C_NO_NAME
>gssEapDisplayName() ok
>gssEapRadiusAddAvp() ok
>gss_release_buffer() ok
>setInitiatorIdentity() ok
>In setAcceptorIdentity()
>GSSEAP_ASSERT(rc != NULL) ok
>ctx->acceptorName != GSS_C_NO_NAME
>GSSEAP_KRB_INIT(&krbContext)
>GSSEAP_ASSERT(krbPrinc) ok
>GSSEAP_ASSERT(KRB_PRINC_LENGTH(krbPrinc)) ok
>krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf)
>gssEapRadiusAddAvp(minor, req, ..., SERVICE_NAME) ok
>KRB_PRINC_LENGTH(krbPrinc) >= 2
>krbPrincComponentToGssBuffer() ok
>gssEapRadiusAddAvp() ok
>krbPrincRealmToGssBuffer()
>setAcceptorIdentity() ok
>gssEapRadiusAddAvp() ok
>ctx->acceptorCtx.state.length != 0, gssEapRadiusAddAvp() ok
>rs_request_create() ok
>rs_request_add_reqpkt() ok
>rs_request_send() ok
>GSSEAP_ASSERT(resp != NULL) ok
>rs_packet_code() ok
>gssEapRadiusGetAvp() ok
>isAccessChallenge true, gssEapRadiusGetAvp() ok
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>debug1: Got no client credentials
>debug3: Wrote 1064 bytes for a total of 7405
>In eapGssSmAcceptAuthenticate()
>rs_packet_create_authn_request() ok
>In setInitiatorIdentity()
>ctx->initiatorName != GSS_C_NO_NAME
>gssEapDisplayName() ok
>gssEapRadiusAddAvp() ok
>gss_release_buffer() ok
>setInitiatorIdentity() ok
>In setAcceptorIdentity()
>GSSEAP_ASSERT(rc != NULL) ok
>ctx->acceptorName != GSS_C_NO_NAME
>GSSEAP_KRB_INIT(&krbContext)
>GSSEAP_ASSERT(krbPrinc) ok
>GSSEAP_ASSERT(KRB_PRINC_LENGTH(krbPrinc)) ok
>krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf)
>gssEapRadiusAddAvp(minor, req, ..., SERVICE_NAME) ok
>KRB_PRINC_LENGTH(krbPrinc) >= 2
>krbPrincComponentToGssBuffer() ok
>gssEapRadiusAddAvp() ok
>krbPrincRealmToGssBuffer()
>setAcceptorIdentity() ok
>gssEapRadiusAddAvp() ok
>ctx->acceptorCtx.state.length != 0, gssEapRadiusAddAvp() ok
>rs_request_create() ok
>rs_request_add_reqpkt() ok
>rs_request_send() ok
>GSSEAP_ASSERT(resp != NULL) ok
>rs_packet_code() ok
>gssEapRadiusGetAvp() ok
>isAccessChallenge true, gssEapRadiusGetAvp() ok
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>debug1: Got no client credentials
>debug3: Wrote 1064 bytes for a total of 8469
>In eapGssSmAcceptAuthenticate()
>rs_packet_create_authn_request() ok
>In setInitiatorIdentity()
>ctx->initiatorName != GSS_C_NO_NAME
>gssEapDisplayName() ok
>gssEapRadiusAddAvp() ok
>gss_release_buffer() ok
>setInitiatorIdentity() ok
>In setAcceptorIdentity()
>GSSEAP_ASSERT(rc != NULL) ok
>ctx->acceptorName != GSS_C_NO_NAME
>GSSEAP_KRB_INIT(&krbContext)
>GSSEAP_ASSERT(krbPrinc) ok
>GSSEAP_ASSERT(KRB_PRINC_LENGTH(krbPrinc)) ok
>krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf)
>gssEapRadiusAddAvp(minor, req, ..., SERVICE_NAME) ok
>KRB_PRINC_LENGTH(krbPrinc) >= 2
>krbPrincComponentToGssBuffer() ok
>gssEapRadiusAddAvp() ok
>krbPrincRealmToGssBuffer()
>setAcceptorIdentity() ok
>gssEapRadiusAddAvp() ok
>ctx->acceptorCtx.state.length != 0, gssEapRadiusAddAvp() ok
>rs_request_create() ok
>rs_request_add_reqpkt() ok
>rs_request_send() ok
>GSSEAP_ASSERT(resp != NULL) ok
>rs_packet_code() ok
>gssEapRadiusGetAvp() ok
>isAccessChallenge true, gssEapRadiusGetAvp() ok
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>debug1: Got no client credentials
>debug3: Wrote 792 bytes for a total of 9261
>In eapGssSmAcceptAuthenticate()
>rs_packet_create_authn_request() ok
>In setInitiatorIdentity()
>ctx->initiatorName != GSS_C_NO_NAME
>gssEapDisplayName() ok
>gssEapRadiusAddAvp() ok
>gss_release_buffer() ok
>setInitiatorIdentity() ok
>In setAcceptorIdentity()
>GSSEAP_ASSERT(rc != NULL) ok
>ctx->acceptorName != GSS_C_NO_NAME
>GSSEAP_KRB_INIT(&krbContext)
>GSSEAP_ASSERT(krbPrinc) ok
>GSSEAP_ASSERT(KRB_PRINC_LENGTH(krbPrinc)) ok
>krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf)
>gssEapRadiusAddAvp(minor, req, ..., SERVICE_NAME) ok
>KRB_PRINC_LENGTH(krbPrinc) >= 2
>krbPrincComponentToGssBuffer() ok
>gssEapRadiusAddAvp() ok
>krbPrincRealmToGssBuffer()
>setAcceptorIdentity() ok
>gssEapRadiusAddAvp() ok
>ctx->acceptorCtx.state.length != 0, gssEapRadiusAddAvp() ok
>rs_request_create() ok
>rs_request_add_reqpkt() ok
>rs_request_send() ok
>GSSEAP_ASSERT(resp != NULL) ok
>rs_packet_code() ok
>gssEapRadiusGetAvp() ok
>isAccessChallenge true, gssEapRadiusGetAvp() ok
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>debug1: Got no client credentials
>debug3: Wrote 120 bytes for a total of 9381
>In eapGssSmAcceptAuthenticate()
>rs_packet_create_authn_request() ok
>In setInitiatorIdentity()
>ctx->initiatorName != GSS_C_NO_NAME
>gssEapDisplayName() ok
>gssEapRadiusAddAvp() ok
>gss_release_buffer() ok
>setInitiatorIdentity() ok
>In setAcceptorIdentity()
>GSSEAP_ASSERT(rc != NULL) ok
>ctx->acceptorName != GSS_C_NO_NAME
>GSSEAP_KRB_INIT(&krbContext)
>GSSEAP_ASSERT(krbPrinc) ok
>GSSEAP_ASSERT(KRB_PRINC_LENGTH(krbPrinc)) ok
>krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf)
>gssEapRadiusAddAvp(minor, req, ..., SERVICE_NAME) ok
>KRB_PRINC_LENGTH(krbPrinc) >= 2
>krbPrincComponentToGssBuffer() ok
>gssEapRadiusAddAvp() ok
>krbPrincRealmToGssBuffer()
>setAcceptorIdentity() ok
>gssEapRadiusAddAvp() ok
>ctx->acceptorCtx.state.length != 0, gssEapRadiusAddAvp() ok
>rs_request_create() ok
>rs_request_add_reqpkt() ok
>rs_request_send() ok
>GSSEAP_ASSERT(resp != NULL) ok
>rs_packet_code() ok
>gssEapRadiusGetAvp() ok
>isAccessChallenge true, gssEapRadiusGetAvp() ok
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>debug1: Got no client credentials
>debug3: Wrote 104 bytes for a total of 9485
>In eapGssSmAcceptAuthenticate()
>rs_packet_create_authn_request() ok
>In setInitiatorIdentity()
>ctx->initiatorName != GSS_C_NO_NAME
>gssEapDisplayName() ok
>gssEapRadiusAddAvp() ok
>gss_release_buffer() ok
>setInitiatorIdentity() ok
>In setAcceptorIdentity()
>GSSEAP_ASSERT(rc != NULL) ok
>ctx->acceptorName != GSS_C_NO_NAME
>GSSEAP_KRB_INIT(&krbContext)
>GSSEAP_ASSERT(krbPrinc) ok
>GSSEAP_ASSERT(KRB_PRINC_LENGTH(krbPrinc)) ok
>krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf)
>gssEapRadiusAddAvp(minor, req, ..., SERVICE_NAME) ok
>KRB_PRINC_LENGTH(krbPrinc) >= 2
>krbPrincComponentToGssBuffer() ok
>gssEapRadiusAddAvp() ok
>krbPrincRealmToGssBuffer()
>setAcceptorIdentity() ok
>gssEapRadiusAddAvp() ok
>ctx->acceptorCtx.state.length != 0, gssEapRadiusAddAvp() ok
>rs_request_create() ok
>rs_request_add_reqpkt() ok
>rs_request_send() ok
>GSSEAP_ASSERT(resp != NULL) ok
>rs_packet_code() ok
>gssEapRadiusGetAvp() ok
>isAccessChallenge true, gssEapRadiusGetAvp() ok
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>debug1: Got no client credentials
>debug3: Wrote 168 bytes for a total of 9653
>In eapGssSmAcceptAuthenticate()
>rs_packet_create_authn_request() ok
>In setInitiatorIdentity()
>ctx->initiatorName != GSS_C_NO_NAME
>gssEapDisplayName() ok
>gssEapRadiusAddAvp() ok
>gss_release_buffer() ok
>setInitiatorIdentity() ok
>In setAcceptorIdentity()
>GSSEAP_ASSERT(rc != NULL) ok
>ctx->acceptorName != GSS_C_NO_NAME
>GSSEAP_KRB_INIT(&krbContext)
>GSSEAP_ASSERT(krbPrinc) ok
>GSSEAP_ASSERT(KRB_PRINC_LENGTH(krbPrinc)) ok
>krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf)
>gssEapRadiusAddAvp(minor, req, ..., SERVICE_NAME) ok
>KRB_PRINC_LENGTH(krbPrinc) >= 2
>krbPrincComponentToGssBuffer() ok
>gssEapRadiusAddAvp() ok
>krbPrincRealmToGssBuffer()
>setAcceptorIdentity() ok
>gssEapRadiusAddAvp() ok
>ctx->acceptorCtx.state.length != 0, gssEapRadiusAddAvp() ok
>rs_request_create() ok
>rs_request_add_reqpkt() ok
>rs_request_send() ok
>GSSEAP_ASSERT(resp != NULL) ok
>rs_packet_code() ok
>gssEapRadiusGetAvp() ok
>isAccessChallenge false
>rs_packet_avps() ok
>In acceptReadyEap()
>gssEapOidToEnctype() ok
>gssEapRadiusGetRawAvp() ok
>gssEapImportName() ok
>gssEapRadiusGetRawAvp() ok
>gssEapDeriveRfc3961Key() ok
>rfc3961ChecksumTypeForKey() ok
>sequenceInit() ok
>gssEapCreateAttrContext() ok
>acceptReadyEap() ok
>GSSEAP_SM_TRANSITION_NEXT(ctx)
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>debug1: Got no client credentials
>debug3: Wrote 56 bytes for a total of 9709
>In eapGssSmAcceptGssFlags()
>GSSEAP_ASSERT(ctx->flags & CTX_FLAG_KRB_REAUTH) ok
>inputToken->length ok
>In eapGssSmAcceptInitiatorMIC()
>eapGssSmAcceptInitiatorMIC channel bindings ok!
>gssEapVerifyTokenMIC() returned 393216
>debug1: A token had an invalid Message Integrity Check (MIC)
>Decrypt integrity check failed
>
>debug1: Got no client credentials
>debug3: Wrote 120 bytes for a total of 9829
>Failed gssapi-with-mic for moonshot from 212.219.210.246 port 63277 ssh2
>debug3: Wrote 128 bytes for a total of 9957
>Connection closed by 212.219.210.246
>debug1: do_cleanup
>debug1: PAM: cleanup
>debug3: PAM: sshpam_thread_cleanup entering
>
>The 'tweaked' accept_sec_context.c (for these messages) is attached.
>
>:-)
>
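A triage sketch for traces like the one quoted above, added here as an example and not part of the original message or of the mech_eap sources. It decodes the GSS-API major status values using the bit layout from RFC 2744 and reports, per gssapi-with-mic attempt, how many RADIUS Access-Challenge rounds ran and at which stage an error status appeared. It assumes the ad-hoc printf format seen in the quoted log ("In <function>()", "isAccessChallenge true/false", "<function>() returned <n>"); the sample log is constructed.

```python
import re

# GSS-API major status layout (RFC 2744): calling error in bits 24-31,
# routine error in bits 16-23, supplementary information flags in bits 0-15.
CALLING = {1: "GSS_S_CALL_INACCESSIBLE_READ", 2: "GSS_S_CALL_INACCESSIBLE_WRITE",
           3: "GSS_S_CALL_BAD_STRUCTURE"}
ROUTINE = {1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
           4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS",
           6: "GSS_S_BAD_MIC",  # same value as the older name GSS_S_BAD_SIG
           7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
           10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
           12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
           15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
           17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN"}
SUPPLEMENTARY = {0: "GSS_S_CONTINUE_NEEDED", 1: "GSS_S_DUPLICATE_TOKEN",
                 2: "GSS_S_OLD_TOKEN", 3: "GSS_S_UNSEQ_TOKEN", 4: "GSS_S_GAP_TOKEN"}


def decode_major(status):
    """Return the symbolic names packed into a GSS-API major status value."""
    names = []
    calling = (status >> 24) & 0xFF
    routine = (status >> 16) & 0xFF
    if calling:
        names.append(CALLING.get(calling, f"unknown calling error {calling}"))
    if routine:
        names.append(ROUTINE.get(routine, f"unknown routine error {routine}"))
    for bit, name in SUPPLEMENTARY.items():
        if status & (1 << bit):
            names.append(name)
    return names or ["GSS_S_COMPLETE"]


ATTEMPT = re.compile(r"try method gssapi-with-mic")
STAGE = re.compile(r"^In (\w+)\(\)")
RETURNED = re.compile(r"^(\w+)\(\) returned (\d+)")


def summarize_attempts(log_text):
    """Split a trace into gssapi-with-mic attempts and locate each failure."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()          # drop e-mail quote markers
        if ATTEMPT.search(line):
            cur = {"challenges": 0, "radius_done": False,
                   "stage": None, "failure": None}
            attempts.append(cur)
            continue
        if cur is None:
            continue
        stage = STAGE.match(line)
        returned = RETURNED.match(line)
        if stage:
            cur["stage"] = stage.group(1)        # last state-machine step entered
        elif line.startswith("isAccessChallenge true"):
            cur["challenges"] += 1               # another EAP round via RADIUS
        elif line.startswith("isAccessChallenge false"):
            cur["radius_done"] = True            # final RADIUS response received
        elif returned and int(returned.group(2)) >> 16:
            # Bits 16 and above are set: a calling or routine error, not just
            # a supplementary flag such as GSS_S_CONTINUE_NEEDED (value 1).
            status = int(returned.group(2))
            cur["failure"] = {"function": returned.group(1), "status": status,
                              "names": decode_major(status),
                              "stage": cur["stage"]}
    return attempts


# Constructed sample in the format of the quoted trace (address is a
# documentation placeholder).
SAMPLE_LOG = """\
>debug2: input_userauth_request: try method gssapi-with-mic
>In eapGssSmAcceptAuthenticate()
>isAccessChallenge true, gssEapRadiusGetAvp() ok
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>In eapGssSmAcceptAuthenticate()
>isAccessChallenge true, gssEapRadiusGetAvp() ok
>eapGssSmAcceptAuthenticate() cleanup, major = 1
>In eapGssSmAcceptAuthenticate()
>isAccessChallenge false
>In acceptReadyEap()
>acceptReadyEap() ok
>In eapGssSmAcceptInitiatorMIC()
>gssEapVerifyTokenMIC() returned 393216
>Failed gssapi-with-mic for moonshot from 192.0.2.10 port 63277 ssh2
"""

if __name__ == "__main__":
    for number, attempt in enumerate(summarize_attempts(SAMPLE_LOG), 1):
        print(number, attempt)
```

A failure that appears only after "isAccessChallenge false" and acceptReadyEap() means the RADIUS exchange had already finished when the status was raised, which places it in the key or checksum handling rather than in the EAP conversation.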