JiscMail Logo
Email discussion lists for the UK Education and Research communities

Help for MOONSHOT-COMMUNITY Archives


MOONSHOT-COMMUNITY Archives

MOONSHOT-COMMUNITY Archives


MOONSHOT-COMMUNITY@JISCMAIL.AC.UK


View:

Message:

[

First

|

Previous

|

Next

|

Last

]

By Topic:

[

First

|

Previous

|

Next

|

Last

]

By Author:

[

First

|

Previous

|

Next

|

Last

]

Font:

Proportional Font

LISTSERV Archives

LISTSERV Archives

MOONSHOT-COMMUNITY Home

MOONSHOT-COMMUNITY Home

MOONSHOT-COMMUNITY  June 2018

MOONSHOT-COMMUNITY June 2018

Options

Subscribe or Unsubscribe

Subscribe or Unsubscribe

Log In

Log In

Get Password

Get Password

Subject:

FW: A token had an invalid Message Integrity Check (MIC)

From:

Stefan Paetow <[log in to unmask]>

Reply-To:

Stefan Paetow <[log in to unmask]>

Date:

Thu, 21 Jun 2018 13:40:20 +0000

Content-Type:

text/plain

Parts/Attachments:

Parts/Attachments

text/plain (1 lines)

    Hi Björn,  
     
    Apologies for the late reply! That is odd.  
     
    Do you get a similar message if you use the classic gss-server and gss-client exchange (i.e. using gss-client on the client machine, whilst running gss-server on the server)?  
     
    Also, which OS is this? CentOS? 
     
    With Regards 
     
    Stefan Paetow 
    Consultant, Trust and Identity 
     
    t: +44 (0)1235 822 125 
    gpg: 0x3FCE5142 
    xmpp: [log in to unmask] 
    skype: stefan.paetow.janet 
     
    jisc.ac.uk 
     
    Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. 
     
     
    From: GOV-UK-REQUESTS <[log in to unmask]> on behalf of Abt Björn <[log in to unmask]> 
    Reply-To: Abt Björn <[log in to unmask]> 
    Date: Wednesday, 20 June 2018 at 14:40 
    To: <[log in to unmask]> 
    Subject: A token had an invalid Message Integrity Check (MIC) 
     
    Dear Moonshot-List, 
      
    I’m trying to setup a moonshot infrastructure and am failing with an openssh login. 
      
    The setup uses an rp-proxy to connect directly to an idp without a trust router: 
      
    openssh-client → openssh-server → rp proxy → idp 
      
    When connecting via ssh the moonshot-ui pops up and allows the selection of an identity to be sent. 
      
    The radsec communication and the authentication on the idp look fine AFAIK: 
      
    Access-Accept from idp: 
      
    (263) Sent Access-Accept Id 98 from 0.0.0.0:2083 to 129.129.230.131:59006 length 1262 
    (263)   MS-MPPE-Recv-Key = 0x1c1acc12b842cc3eb6acb36bfac13eab194ea8278997e73017ea412287445f84 
    (263)   MS-MPPE-Send-Key = 0xee3f19523b5051975cb5b429d71b30e807dd2596b7de789e333b781ef316284b 
    (263)   EAP-Message = 0x03070004 
    (263)   Message-Authenticator = 0x00000000000000000000000000000000 
    (263)   Proxy-State = 0x30 
    (263)   EAP-Channel-Binding-Message += 0x02001901a406686f7374a5136d6f6f6e73686f7430312e7073692e6368 
    (263)   SAML-AAA-Assertion = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2018-06-20T13:53:39" ID="7824c02a-6d7d-42e4-9d97-db85db5eaa35" Version="2.0">' 
    (263)   SAML-AAA-Assertion += '<saml:Issuer>urn:mace:incommon:umbrellaid.org</saml:Issuer><saml:AttributeStatement>' 
    (263)   SAML-AAA-Assertion += '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">' 
    (263)   SAML-AAA-Assertion += '<saml:AttributeValue>flowback</saml:AttributeValue>' 
    (263)   SAML-AAA-Assertion += '</saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.42750.1.1.1" FriendlyName="EAAHash">' 
    (263)   SAML-AAA-Assertion += '<saml:AttributeValue>XXXXXXXX-XXXX-XXXXX-XXXX-XXXXXXXXXXXX</saml:AttributeValue>' 
    (263)   SAML-AAA-Assertion += '</saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.42750.1.1.3" FriendlyName="EAAKey">' 
    (263)   SAML-AAA-Assertion += '<saml:AttributeValue> XXXXXXXX-XXXX-XXXXX-XXXX-XXXXXXXXXXXX </saml:AttributeValue>' 
    (263)   SAML-AAA-Assertion += '</saml:Attribute></saml:AttributeStatement></saml:Assertion>' 
    (263)   Moonshot-Host-TargetedId = [log in to unmask] 
    (263) Finished request 
      
    And also the rp proxy returns an Access-Accept after a user mapping via a database: 
      
    (79) Sent Access-Accept Id 0 from 0.0.0.0:2083 to 129.129.230.132:40376 length 0 
    (79)   MS-MPPE-Recv-Key = 0x1c1acc12b842cc3eb6acb36bfac13eab194ea8278997e73017ea412287445f84 
    (79)   MS-MPPE-Send-Key = 0xee3f19523b5051975cb5b429d71b30e807dd2596b7de789e333b781ef316284b 
    (79)   EAP-Message = 0x03070004 
    (79)   Message-Authenticator = 0x16dc64fef42441fe37d0150c9053bb7f 
    (79)   EAP-Channel-Binding-Message = 0x02001901a406686f7374a5136d6f6f6e73686f7430312e7073692e6368 
    (79)   Moonshot-Host-TargetedId = "[log in to unmask]" 
    (79)   SAML-AAA-Assertion = "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" IssueInstant=\"2018-06-20T13:53:39\" ID=\"76ca4f39-da9c-4b1d-bb2f-553a48537184\" Version=\"2.0\">" 
    (79)   SAML-AAA-Assertion += "<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>" 
    (79)   SAML-AAA-Assertion += "<saml:AttributeStatement>" 
    (79)   SAML-AAA-Assertion += "<saml:Attribute NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.7\">" 
    (79)   SAML-AAA-Assertion += "<saml:AttributeValue>bjoern</saml:AttributeValue>" 
    (79)   SAML-AAA-Assertion += "</saml:Attribute></saml:AttributeStatement>" 
    (79)   SAML-AAA-Assertion += "</saml:Assertion>" 
    (79)   User-Name = "bjoern" 
    (79) Finished request 
      
    But on the openssh-server I get: 
      
    debug1: A token had an invalid Message Integrity Check (MIC) 
    Decrypt integrity check failed 
      
    While on the openssh-client I get: 
      
    debug1: Received GSSAPI_CONTINUE 
    debug1: Calling gss_init_sec_context 
    debug1: Delegating credentials 
    debug3: send packet: type 31 
    ssh_packet_read: Connection closed 
      
      
    Attached you will find the output from an “ltrace -C -l  '*mech_eap*' -f /usr/sbin/sshd -ddd -p 6969” command. 
      
    Does anyone have a clue what I’m doing wrong? 
      
    Best regards 
    Björn 
    __________________________________________ 
    Paul Scherrer Institut  
    Björn Erik Abt 
    IT Security Officer 
    WHGA/U136 
    CH-5232 Villigen PSI 
     
    Telefon: +41 56 310 40 17 
    E-Mail: [log in to unmask]  
      
     
     
    To unsubscribe from the MOONSHOT-COMMUNITY list, click the following link: 
    https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MOONSHOT-COMMUNITY&A=1  
     
     
    ######################################################################## 
     
    To unsubscribe from the MOONSHOT list, click the following link: 
    https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MOONSHOT&A=1 
     
 
 
######################################################################## 
 
To unsubscribe from the MOONSHOT-COMMUNITY list, click the following link: 
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MOONSHOT-COMMUNITY&A=1 

Top of Message | Previous Page | Permalink

JiscMail Tools


RSS Feeds and Sharing


Advanced Options


Archives

June 2018
April 2018
November 2017
October 2017
September 2017
August 2017
July 2017
May 2017
April 2017
March 2017
February 2017
November 2016
October 2016
August 2016
July 2016
June 2016
May 2016
March 2016
February 2016
January 2016
November 2015
October 2015
September 2015
August 2015
July 2015
June 2015
May 2015
April 2015
March 2015
February 2015
January 2015
December 2014
November 2014
October 2014
September 2014
August 2014
July 2014
June 2014
May 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
October 2013
September 2013
August 2013
July 2013
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010


JiscMail is a Jisc service.

View our service policies at https://www.jiscmail.ac.uk/policyandsecurity/ and Jisc's privacy policy at https://www.jisc.ac.uk/website/privacy-notice

Secured by F-Secure Anti-Virus CataList Email List Search Powered by the LISTSERV Email List Manager