> Ok, just wasn't sure I saw the OID as being offered. MIC error could also be a result of my untested patch, can you step through code and see where it's failing?
The server side shows this:
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 740
debug2: parse_server_config: config /etc/ssh/sshd_config len 740
debug3: /etc/ssh/sshd_config:21 setting Protocol 2
debug3: /etc/ssh/sshd_config:36 setting SyslogFacility AUTHPRIV
debug3: /etc/ssh/sshd_config:66 setting PasswordAuthentication yes
debug3: /etc/ssh/sshd_config:70 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:81 setting GSSAPIAuthentication yes
debug3: /etc/ssh/sshd_config:83 setting GSSAPICleanupCredentials yes
debug3: /etc/ssh/sshd_config:85 setting GSSAPIKeyExchange yes
debug3: /etc/ssh/sshd_config:100 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
debug3: /etc/ssh/sshd_config:101 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: /etc/ssh/sshd_config:102 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
debug3: /etc/ssh/sshd_config:103 setting AcceptEnv XMODIFIERS
debug3: /etc/ssh/sshd_config:109 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:116 setting UsePrivilegeSeparation no
debug3: /etc/ssh/sshd_config:132 setting Subsystem sftp /usr/libexec/openssh/sftp-server
debug3: /etc/ssh/sshd_config:139 setting KerberosAuthentication no
debug3: /etc/ssh/sshd_config:140 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:141 setting UsePAM yes
debug3: /etc/ssh/sshd_config:142 setting GSSAPIAuthentication yes
debug3: /etc/ssh/sshd_config:143 setting AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
debug1: sshd version OpenSSH_5.3p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-f'
debug1: rexec_argv[2]='/etc/ssh/sshd_config'
debug1: rexec_argv[3]='-d'
debug1: rexec_argv[4]='-d'
debug1: rexec_argv[5]='-d'
debug1: rexec_argv[6]='-d'
debug3: oom_adjust_setup
Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 740
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 193.63.63.5 port 60428
debug1: Client protocol version 2.0; client software version OpenSSH_6.9
debug1: match: OpenSSH_6.9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 1320 bytes for a total of 1341
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-JHo1wNMhky/7DkDu4d6xCA==,gss-group14-sha1-JHo1wNMhky/7DkDu4d6xCA==,gss-gex-sha1-JHo1wNMhky/7DkDu4d6xCA==,gss-group1-sha1-dEYdZI86nhHqawDlBMslQw==,gss-group14-sha1-dEYdZI86nhHqawDlBMslQw==,gss-gex-sha1-dEYdZI86nhHqawDlBMslQw==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[log in to unmask]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[log in to unmask]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[log in to unmask],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[log in to unmask],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[log in to unmask],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[log in to unmask],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[log in to unmask]
debug2: kex_parse_kexinit: none,[log in to unmask]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [log in to unmask],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [log in to unmask],[log in to unmask],ssh-rsa,[log in to unmask],[log in to unmask],[log in to unmask],[log in to unmask],[log in to unmask],[log in to unmask],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
debug2: kex_parse_kexinit: [log in to unmask],aes128-ctr,aes192-ctr,aes256-ctr,[log in to unmask],[log in to unmask],arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[log in to unmask]
debug2: kex_parse_kexinit: [log in to unmask],aes128-ctr,aes192-ctr,aes256-ctr,[log in to unmask],[log in to unmask],arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[log in to unmask]
debug2: kex_parse_kexinit: [log in to unmask],[log in to unmask],[log in to unmask],[log in to unmask],[log in to unmask],[log in to unmask],[log in to unmask],hmac-sha2-256,hmac-sha2-512,hmac-sha1,[log in to unmask],[log in to unmask],[log in to unmask],[log in to unmask],hmac-md5,hmac-ripemd160,[log in to unmask],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [log in to unmask],[log in to unmask],[log in to unmask],[log in to unmask],[log in to unmask],[log in to unmask],[log in to unmask],hmac-sha2-256,hmac-sha2-512,hmac-sha1,[log in to unmask],[log in to unmask],[log in to unmask],[log in to unmask],hmac-md5,hmac-ripemd160,[log in to unmask],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[log in to unmask],zlib
debug2: kex_parse_kexinit: none,[log in to unmask],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found [log in to unmask]
debug1: kex: client->server aes128-ctr [log in to unmask] none
debug2: mac_setup: found [log in to unmask]
debug1: kex: server->client aes128-ctr [log in to unmask] none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug3: Wrote 408 bytes for a total of 1749
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 1578/3072
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 1514/3072
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 976 bytes for a total of 2725
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: Wrote 40 bytes for a total of 2765
debug1: userauth-request for user moonshot service ssh-connection method none
debug1: attempt 0 failures 0
debug3: Trying to reverse map address 193.63.63.5.
debug2: parse_server_config: config reprocess config len 740
debug2: input_userauth_request: setting up authctxt for moonshot
debug1: PAM: initializing for "moonshot"
debug1: PAM: setting PAM_RHOST to "jntlt005260.dev.ja.net"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: input_userauth_request: try method none
Failed none for moonshot from 193.63.63.5 port 60428 ssh2
debug3: Wrote 72 bytes for a total of 2837
debug1: userauth-request for user moonshot service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
Postponed gssapi-with-mic for moonshot from 193.63.63.5 port 60428 ssh2
debug3: Wrote 40 bytes for a total of 2877
debug1: Got no client credentials
debug3: Wrote 88 bytes for a total of 2965
debug1: Got no client credentials
debug3: Wrote 56 bytes for a total of 3021
debug1: Got no client credentials
debug3: Wrote 1064 bytes for a total of 4085
debug1: Got no client credentials
debug3: Wrote 1064 bytes for a total of 5149
debug1: Got no client credentials
debug3: Wrote 792 bytes for a total of 5941
debug1: Got no client credentials
debug3: Wrote 120 bytes for a total of 6061
debug1: Got no client credentials
debug3: Wrote 104 bytes for a total of 6165
debug1: Got no client credentials
debug3: Wrote 168 bytes for a total of 6333
debug1: Got no client credentials
debug3: Wrote 56 bytes for a total of 6389
debug1: A token had an invalid Message Integrity Check (MIC)
Decrypt integrity check failed
debug1: Got no client credentials
debug3: Wrote 120 bytes for a total of 6509
Failed gssapi-with-mic for moonshot from 193.63.63.5 port 60428 ssh2
debug3: Wrote 128 bytes for a total of 6637
debug1: userauth-request for user moonshot service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
Postponed gssapi-with-mic for moonshot from 193.63.63.5 port 60428 ssh2
debug3: Wrote 40 bytes for a total of 6677
debug1: Got no client credentials
debug3: Wrote 88 bytes for a total of 6765
debug1: Got no client credentials
debug3: Wrote 56 bytes for a total of 6821
debug1: Got no client credentials
debug3: Wrote 1064 bytes for a total of 7885
debug1: Got no client credentials
debug3: Wrote 1064 bytes for a total of 8949
debug1: Got no client credentials
debug3: Wrote 792 bytes for a total of 9741
debug1: Got no client credentials
debug3: Wrote 120 bytes for a total of 9861
debug1: Got no client credentials
debug3: Wrote 104 bytes for a total of 9965
debug1: Got no client credentials
debug3: Wrote 168 bytes for a total of 10133
debug1: Got no client credentials
debug3: Wrote 56 bytes for a total of 10189
debug1: A token had an invalid Message Integrity Check (MIC)
Decrypt integrity check failed
debug1: Got no client credentials
debug3: Wrote 120 bytes for a total of 10309
Failed gssapi-with-mic for moonshot from 193.63.63.5 port 60428 ssh2
debug3: Wrote 128 bytes for a total of 10437
Connection closed by 193.63.63.5
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
-- end --
Probably not helpful at this stage. I'll try again on my test infrastructure to check whether I can make things work there. Then I need to look at stripping out the RADSEC and Shibboleth server-side stuff (with the --enable-acceptor=no thing).
With Regards
Stefan Paetow
Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: [log in to unmask]
skype: stefan.paetow.janet
jisc.ac.uk