
    Hi Björn, 
    
    Apologies for the late reply! That is odd. 
    
    Do you get a similar message if you use the classic gss-server and gss-client exchange (i.e. using gss-client on the client machine, whilst running gss-server on the server)? 
    
    Also, which OS is this? CentOS?
    
    With Regards
    
    Stefan Paetow
    Consultant, Trust and Identity
    
    t: +44 (0)1235 822 125
    gpg: 0x3FCE5142
    xmpp: [log in to unmask]
    skype: stefan.paetow.janet
    
    jisc.ac.uk
    
    Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
    
    
    From: GOV-UK-REQUESTS <[log in to unmask]> on behalf of Abt Björn <[log in to unmask]>
    Reply-To: Abt Björn <[log in to unmask]>
    Date: Wednesday, 20 June 2018 at 14:40
    To: <[log in to unmask]>
    Subject: A token had an invalid Message Integrity Check (MIC)
    
    Dear Moonshot-List,
     
    I’m trying to set up a moonshot infrastructure and am failing with an openssh login.
     
    The setup uses an rp-proxy to connect directly to an idp without a trust router:
     
    openssh-client → openssh-server → rp proxy → idp
     
    When connecting via ssh the moonshot-ui pops up and allows the selection of an identity to be sent.
     
    The radsec communication and the authentication on the idp look fine AFAIK:
     
    Access-Accept from idp:
     
    (263) Sent Access-Accept Id 98 from 0.0.0.0:2083 to 129.129.230.131:59006 length 1262
    (263)   MS-MPPE-Recv-Key = 0x1c1acc12b842cc3eb6acb36bfac13eab194ea8278997e73017ea412287445f84
    (263)   MS-MPPE-Send-Key = 0xee3f19523b5051975cb5b429d71b30e807dd2596b7de789e333b781ef316284b
    (263)   EAP-Message = 0x03070004
    (263)   Message-Authenticator = 0x00000000000000000000000000000000
    (263)   Proxy-State = 0x30
    (263)   EAP-Channel-Binding-Message += 0x02001901a406686f7374a5136d6f6f6e73686f7430312e7073692e6368
    (263)   SAML-AAA-Assertion = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2018-06-20T13:53:39" ID="7824c02a-6d7d-42e4-9d97-db85db5eaa35" Version="2.0">'
    (263)   SAML-AAA-Assertion += '<saml:Issuer>urn:mace:incommon:umbrellaid.org</saml:Issuer><saml:AttributeStatement>'
    (263)   SAML-AAA-Assertion += '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">'
    (263)   SAML-AAA-Assertion += '<saml:AttributeValue>flowback</saml:AttributeValue>'
    (263)   SAML-AAA-Assertion += '</saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.42750.1.1.1" FriendlyName="EAAHash">'
    (263)   SAML-AAA-Assertion += '<saml:AttributeValue>XXXXXXXX-XXXX-XXXXX-XXXX-XXXXXXXXXXXX</saml:AttributeValue>'
    (263)   SAML-AAA-Assertion += '</saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.42750.1.1.3" FriendlyName="EAAKey">'
    (263)   SAML-AAA-Assertion += '<saml:AttributeValue> XXXXXXXX-XXXX-XXXXX-XXXX-XXXXXXXXXXXX </saml:AttributeValue>'
    (263)   SAML-AAA-Assertion += '</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
    (263)   Moonshot-Host-TargetedId = [log in to unmask]
    (263) Finished request
     
    And also the rp proxy returns an Access-Accept after a user mapping via a database:
     
    (79) Sent Access-Accept Id 0 from 0.0.0.0:2083 to 129.129.230.132:40376 length 0
    (79)   MS-MPPE-Recv-Key = 0x1c1acc12b842cc3eb6acb36bfac13eab194ea8278997e73017ea412287445f84
    (79)   MS-MPPE-Send-Key = 0xee3f19523b5051975cb5b429d71b30e807dd2596b7de789e333b781ef316284b
    (79)   EAP-Message = 0x03070004
    (79)   Message-Authenticator = 0x16dc64fef42441fe37d0150c9053bb7f
    (79)   EAP-Channel-Binding-Message = 0x02001901a406686f7374a5136d6f6f6e73686f7430312e7073692e6368
    (79)   Moonshot-Host-TargetedId = "[log in to unmask]"
    (79)   SAML-AAA-Assertion = "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" IssueInstant=\"2018-06-20T13:53:39\" ID=\"76ca4f39-da9c-4b1d-bb2f-553a48537184\" Version=\"2.0\">"
    (79)   SAML-AAA-Assertion += "<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>"
    (79)   SAML-AAA-Assertion += "<saml:AttributeStatement>"
    (79)   SAML-AAA-Assertion += "<saml:Attribute NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.7\">"
    (79)   SAML-AAA-Assertion += "<saml:AttributeValue>bjoern</saml:AttributeValue>"
    (79)   SAML-AAA-Assertion += "</saml:Attribute></saml:AttributeStatement>"
    (79)   SAML-AAA-Assertion += "</saml:Assertion>"
    (79)   User-Name = "bjoern"
    (79) Finished request
     
    But on the openssh-server I get:
     
    debug1: A token had an invalid Message Integrity Check (MIC)
    Decrypt integrity check failed
     
    While on the openssh-client I get:
     
    debug1: Received GSSAPI_CONTINUE
    debug1: Calling gss_init_sec_context
    debug1: Delegating credentials
    debug3: send packet: type 31
    ssh_packet_read: Connection closed
     
     
    Attached you will find the output from an “ltrace -C -l  '*mech_eap*' -f /usr/sbin/sshd -ddd -p 6969” command.
     
    Does anyone have a clue what I’m doing wrong?
     
    Best regards
    Björn
    __________________________________________
    Paul Scherrer Institut 
    Björn Erik Abt
    IT Security Officer
    WHGA/U136
    CH-5232 Villigen PSI
    
    Telefon: +41 56 310 40 17
    E-Mail: [log in to unmask] 
     
    
    
    To unsubscribe from the MOONSHOT-COMMUNITY list, click the following link:
    https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MOONSHOT-COMMUNITY&A=1 
    
    
    
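The two Access-Accept listings quoted above are FreeRADIUS debug output: one attribute per line, with `+=` marking continuation of a value too long for one line (the SAML-AAA-Assertion, the EAP-Channel-Binding-Message). As an added example, not part of this thread and not FreeRADIUS or Moonshot project code, the script below parses such a block into typed attributes and runs the comparison a practitioner would make between the IdP's reply and the RP proxy's: that the MS-MPPE keys reach the NAS unchanged and that the channel-binding message survived the proxy. The sample blocks, hosts, ids, keys and assertion contents are constructed; `parse_request_block`, `keys_match` and `proxy_checks` are this example's own names.

```python
import re
from typing import Any, Dict

# Constructed sample blocks, modelled on FreeRADIUS debug listings such as the
# ones quoted in the thread.  Hosts, ids, keys and assertion contents are made up.
IDP_ACCEPT = """\
(263) Sent Access-Accept Id 98 from 0.0.0.0:2083 to 192.0.2.10:59006 length 300
(263)   MS-MPPE-Recv-Key = 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
(263)   MS-MPPE-Send-Key = 0x1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100
(263)   EAP-Message = 0x03070004
(263)   EAP-Channel-Binding-Message += 0x0200
(263)   EAP-Channel-Binding-Message += 0x1901
(263)   SAML-AAA-Assertion = '<saml:Assertion Version="2.0">'
(263)   SAML-AAA-Assertion += '<saml:Issuer>urn:example:idp</saml:Issuer>'
(263)   SAML-AAA-Assertion += '</saml:Assertion>'
(263)   Moonshot-Host-TargetedId = user@example.org
(263) Finished request
"""

PROXY_ACCEPT = """\
(79) Sent Access-Accept Id 0 from 0.0.0.0:2083 to 192.0.2.20:40376 length 300
(79)   MS-MPPE-Recv-Key = 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
(79)   MS-MPPE-Send-Key = 0x1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100
(79)   EAP-Message = 0x03070004
(79)   EAP-Channel-Binding-Message = 0x02001901
(79)   SAML-AAA-Assertion = "<saml:Assertion Version=\\"2.0\\"></saml:Assertion>"
(79)   User-Name = "alice"
(79) Finished request
"""

# "(id) Sent <Code> Id <n> from ... to ... length <len>"
HEADER_RE = re.compile(r"^\((\d+)\)\s+(Sent|Received)\s+(\S+)\s+Id\s+(\d+).*?length\s+(\d+)")
# "(id)   <Attribute> = <value>"  or  "(id)   <Attribute> += <value>"
ATTR_RE = re.compile(r"^\((\d+)\)\s+([A-Za-z0-9-]+)\s+(\+?=)\s+(.*)$")


def _decode(raw: str) -> Any:
    """Turn FreeRADIUS's printed value into bytes (0x...), str (quoted) or a bare str."""
    raw = raw.strip()
    if raw.startswith("0x"):
        return bytes.fromhex(raw[2:])
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1].replace('\\"', '"')
    return raw


def parse_request_block(text: str) -> Dict[str, Any]:
    """Parse one request's debug block into {"id", "code", "length", "attrs"}."""
    rec: Dict[str, Any] = {"id": None, "code": None, "length": None, "attrs": {}}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rec["code"], rec["id"], rec["length"] = m.group(3), int(m.group(4)), int(m.group(5))
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue                      # "Finished request" and other chatter
        _, name, op, raw = m.groups()
        value = _decode(raw)
        attrs = rec["attrs"]
        # "+=" continues a value of the same type; anything else starts a new one.
        if op == "+=" and name in attrs and type(attrs[name]) is type(value):
            attrs[name] = attrs[name] + value
        else:
            attrs[name] = value
    return rec


def keys_match(a: Dict[str, Any], b: Dict[str, Any]) -> bool:
    """True when both MS-MPPE keys are present in both replies and identical."""
    return all(a["attrs"].get(n) is not None and a["attrs"].get(n) == b["attrs"].get(n)
               for n in ("MS-MPPE-Recv-Key", "MS-MPPE-Send-Key"))


def proxy_checks(idp: Dict[str, Any], proxy: Dict[str, Any]) -> Dict[str, bool]:
    """Sanity checks on an RP proxy's Access-Accept against the IdP's it was built from."""
    return {
        "keys_match": keys_match(idp, proxy),
        "channel_binding_preserved": idp["attrs"].get("EAP-Channel-Binding-Message")
                                     == proxy["attrs"].get("EAP-Channel-Binding-Message"),
        "nonzero_length": bool(proxy["length"]),
    }


if __name__ == "__main__":
    print(proxy_checks(parse_request_block(IDP_ACCEPT), parse_request_block(PROXY_ACCEPT)))
```

Paste the two blocks from a real debug run in place of the constructed samples to compare them; any `False` in the result is a concrete difference between what the IdP issued and what the NAS received.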


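The MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes in those listings carry the EAP MSK halves from which the SSH server's GSS-EAP mechanism derives the keys that protect its tokens, including the MIC that is reported as invalid. RFC 2548 wraps each key under the RADIUS shared secret and the Request-Authenticator of the Access-Request being answered, so a proxy that talks to the NAS under a different secret has to unwrap the keys it received from the IdP and re-wrap them for the NAS. The thread does not establish why this particular MIC check fails; the example below, added here and taken neither from the thread nor from any Moonshot component, only shows the RFC 2548 wrapping, the proxy's re-wrap, and what a NAS recovers when a reply was wrapped under a secret or authenticator it does not share. Secrets, authenticators and the key bytes are constructed; `mppe_encrypt`, `mppe_decrypt`, `proxy_rekey` and `demo` are this example's own names.

```python
import hashlib
import secrets
from typing import Optional


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def mppe_encrypt(key: bytes, secret: bytes, request_authenticator: bytes,
                 salt: Optional[bytes] = None) -> bytes:
    """Wrap a key for MS-MPPE-Send-Key / MS-MPPE-Recv-Key (RFC 2548, sections 2.4.2/2.4.3).

    Returns salt || c(1) || ... || c(n).  Only the holder of the same shared secret and
    the Request-Authenticator of the matching Access-Request can recover the key.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if salt is None:
        salt = bytes([0x80 | secrets.randbits(7), secrets.randbits(8)])
    if len(salt) != 2 or not (salt[0] & 0x80):
        raise ValueError("salt must be 2 bytes with the high bit set")
    # Plaintext P = length byte || key || zero padding to a 16-byte boundary.
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out = bytearray()
    prev = request_authenticator + salt           # b(1) = MD5(S || RA || salt)
    for i in range(0, len(plain), 16):
        b = _md5(secret + prev)
        c = bytes(p ^ k for p, k in zip(plain[i:i + 16], b))
        out += c
        prev = c                                  # b(i) = MD5(S || c(i-1))
    return salt + bytes(out)


def mppe_decrypt(blob: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of mppe_encrypt.  Raises ValueError when the result cannot be a key."""
    salt, cipher = blob[:2], blob[2:]
    if len(cipher) == 0 or len(cipher) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = request_authenticator + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        b = _md5(secret + prev)
        plain += bytes(c ^ k for c, k in zip(block, b))
        prev = block
    key_len = plain[0]
    if key_len > len(plain) - 1:
        # The usual symptom of unwrapping under the wrong secret or authenticator.
        raise ValueError("length byte exceeds payload: wrong shared secret or authenticator?")
    return bytes(plain[1:1 + key_len])


def decrypt_or_none(blob: bytes, secret: bytes, ra: bytes) -> Optional[bytes]:
    try:
        return mppe_decrypt(blob, secret, ra)
    except ValueError:
        return None


def proxy_rekey(blob: bytes, upstream_secret: bytes, upstream_ra: bytes,
                downstream_secret: bytes, downstream_ra: bytes) -> bytes:
    """What a RADIUS/RadSec proxy has to do with MS-MPPE-*-Key on the way back:
    unwrap with the IdP-side secret and authenticator, re-wrap with the NAS-side ones."""
    return mppe_encrypt(mppe_decrypt(blob, upstream_secret, upstream_ra),
                        downstream_secret, downstream_ra)


# Constructed demo values (not from the thread).
MSK_HALF = bytes(range(32))                       # stands in for one 32-byte MS-MPPE key
IDP_SECRET, NAS_SECRET = b"idp-proxy-secret", b"proxy-nas-secret"
IDP_RA, NAS_RA = bytes(range(16)), bytes(range(16, 32))


def demo() -> dict:
    from_idp = mppe_encrypt(MSK_HALF, IDP_SECRET, IDP_RA, salt=b"\x80\x01")
    to_nas = proxy_rekey(from_idp, IDP_SECRET, IDP_RA, NAS_SECRET, NAS_RA)
    return {
        # Correct proxy behaviour: the NAS ends up with the IdP's key.
        "nas_recovers": mppe_decrypt(to_nas, NAS_SECRET, NAS_RA) == MSK_HALF,
        # Forwarding the IdP's blob unchanged leaves the NAS unwrapping it under
        # the wrong secret/authenticator: it gets garbage or an error, not the key.
        "forwarded_unchanged": decrypt_or_none(from_idp, NAS_SECRET, NAS_RA) == MSK_HALF,
    }


if __name__ == "__main__":
    print(demo())
```

Both failure paths end the same way for the mechanism on the SSH server: it holds a different MSK from the client, so every key derived from it differs and the first integrity-protected token fails its check.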