Hi Björn,

Apologies for the late reply! That is odd. Do you get a similar message if you use the classic gss-server and gss-client exchange (i.e. using gss-client on the client machine, whilst running gss-server on the server)? Also, which OS is this? CentOS?

With Regards

Stefan Paetow
Consultant, Trust and Identity
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: [log in to unmask]
skype: stefan.paetow.janet
jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc's registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

From: GOV-UK-REQUESTS <[log in to unmask]> on behalf of Abt Björn <[log in to unmask]>
Reply-To: Abt Björn <[log in to unmask]>
Date: Wednesday, 20 June 2018 at 14:40
To: <[log in to unmask]>
Subject: A token had an invalid Message Integrity Check (MIC)

Dear Moonshot-List,

I'm trying to set up a moonshot infrastructure and am failing with an openssh login. The setup uses an rp-proxy to connect directly to an idp without a trust router:

    openssh-client → openssh-server → rp proxy → idp

When connecting via ssh the moonshot-ui pops up and allows the selection of an identity to be sent.
The radsec communication and the authentication on the idp look fine AFAIK:

Access-Accept from idp:

    (263) Sent Access-Accept Id 98 from 0.0.0.0:2083 to 129.129.230.131:59006 length 1262
    (263)   MS-MPPE-Recv-Key = 0x1c1acc12b842cc3eb6acb36bfac13eab194ea8278997e73017ea412287445f84
    (263)   MS-MPPE-Send-Key = 0xee3f19523b5051975cb5b429d71b30e807dd2596b7de789e333b781ef316284b
    (263)   EAP-Message = 0x03070004
    (263)   Message-Authenticator = 0x00000000000000000000000000000000
    (263)   Proxy-State = 0x30
    (263)   EAP-Channel-Binding-Message += 0x02001901a406686f7374a5136d6f6f6e73686f7430312e7073692e6368
    (263)   SAML-AAA-Assertion = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2018-06-20T13:53:39" ID="7824c02a-6d7d-42e4-9d97-db85db5eaa35" Version="2.0">'
    (263)   SAML-AAA-Assertion += '<saml:Issuer>urn:mace:incommon:umbrellaid.org</saml:Issuer><saml:AttributeStatement>'
    (263)   SAML-AAA-Assertion += '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">'
    (263)   SAML-AAA-Assertion += '<saml:AttributeValue>flowback</saml:AttributeValue>'
    (263)   SAML-AAA-Assertion += '</saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.42750.1.1.1" FriendlyName="EAAHash">'
    (263)   SAML-AAA-Assertion += '<saml:AttributeValue>XXXXXXXX-XXXX-XXXXX-XXXX-XXXXXXXXXXXX</saml:AttributeValue>'
    (263)   SAML-AAA-Assertion += '</saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.42750.1.1.3" FriendlyName="EAAKey">'
    (263)   SAML-AAA-Assertion += '<saml:AttributeValue> XXXXXXXX-XXXX-XXXXX-XXXX-XXXXXXXXXXXX </saml:AttributeValue>'
    (263)   SAML-AAA-Assertion += '</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
    (263)   Moonshot-Host-TargetedId = [log in to unmask]
    (263) Finished request

And also the rp proxy returns an Access-Accept after a user mapping via a database:

    (79) Sent Access-Accept Id 0 from 0.0.0.0:2083 to 129.129.230.132:40376 length 0
    (79)   MS-MPPE-Recv-Key = 0x1c1acc12b842cc3eb6acb36bfac13eab194ea8278997e73017ea412287445f84
    (79)   MS-MPPE-Send-Key = 0xee3f19523b5051975cb5b429d71b30e807dd2596b7de789e333b781ef316284b
    (79)   EAP-Message = 0x03070004
    (79)   Message-Authenticator = 0x16dc64fef42441fe37d0150c9053bb7f
    (79)   EAP-Channel-Binding-Message = 0x02001901a406686f7374a5136d6f6f6e73686f7430312e7073692e6368
    (79)   Moonshot-Host-TargetedId = "[log in to unmask]"
    (79)   SAML-AAA-Assertion = "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" IssueInstant=\"2018-06-20T13:53:39\" ID=\"76ca4f39-da9c-4b1d-bb2f-553a48537184\" Version=\"2.0\">"
    (79)   SAML-AAA-Assertion += "<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>"
    (79)   SAML-AAA-Assertion += "<saml:AttributeStatement>"
    (79)   SAML-AAA-Assertion += "<saml:Attribute NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.7\">"
    (79)   SAML-AAA-Assertion += "<saml:AttributeValue>bjoern</saml:AttributeValue>"
    (79)   SAML-AAA-Assertion += "</saml:Attribute></saml:AttributeStatement>"
    (79)   SAML-AAA-Assertion += "</saml:Assertion>"
    (79)   User-Name = "bjoern"
    (79) Finished request

But on the openssh-server I get:

    debug1: A token had an invalid Message Integrity Check (MIC)
    Decrypt integrity check failed

While on the openssh-client I get:

    debug1: Received GSSAPI_CONTINUE
    debug1: Calling gss_init_sec_context
    debug1: Delegating credentials
    debug3: send packet: type 31
    ssh_packet_read: Connection closed

Attached you will find the output from an "ltrace -C -l '*mech_eap*' -f /usr/sbin/sshd -ddd -p 6969" command.

Does anyone have a clue what I'm doing wrong?
Best regards
Björn

__________________________________________
Paul Scherrer Institut
Björn Erik Abt
IT Security Officer
WHGA/U136
CH-5232 Villigen PSI
Phone: +41 56 310 40 17
E-Mail: [log in to unmask]

To unsubscribe from the MOONSHOT-COMMUNITY list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MOONSHOT-COMMUNITY&A=1
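Added example, not code from the thread or from the Moonshot project: a small Python decoder for the EAP-Channel-Binding-Message value that appears in both Access-Accepts above, laid out as RFC 6677 describes it (code, length, NSID, data) with the RFC 7055 GSS-EAP RADIUS attributes inside, so you can read off which acceptor service and host name the IdP actually validated and compare it with the name the sshd-side acceptor presents. The attribute numbers and code values are taken from those RFCs and the hex string from the log above; the helper names and the expected host name are assumptions for illustration.

```python
import struct

# EAP-Channel-Binding-Message value copied from the IdP's Access-Accept in the log above.
CB_HEX = "02001901a406686f7374a5136d6f6f6e73686f7430312e7073692e6368"

# RFC 6677 channel-binding codes and the RFC 7055 GSS-EAP RADIUS attribute numbers
# carried inside the RADIUS namespace (NSID 1).
CB_CODES = {1: "request", 2: "success", 3: "failure"}
ATTR_NAMES = {
    164: "GSS-Acceptor-Service-Name",
    165: "GSS-Acceptor-Host-Name",
    166: "GSS-Acceptor-Service-Specifics",
    167: "GSS-Acceptor-Realm-Name",
}


def decode_channel_binding(hexstr):
    """Parse one channel-binding message; returns (code name, {attribute name: value})."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("truncated channel-binding message")
    code, length, nsid = struct.unpack("!BHB", raw[:4])   # Code(1) Length(2) NSID(1)
    data = raw[4:]
    if len(data) != length:
        raise ValueError(f"length field {length} does not match {len(data)} data bytes")
    if nsid != 1:
        raise ValueError(f"NSID {nsid} is not the RADIUS namespace")
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        # RADIUS TLV: the length octet counts the two header octets, so it is never < 2.
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = data[pos + 2:pos + alen].decode("ascii")
        attrs[ATTR_NAMES.get(atype, f"attr-{atype}")] = value
        pos += alen
    return CB_CODES.get(code, f"code-{code}"), attrs


def acceptor_matches(attrs, service, hostname):
    """True if the IdP bound the token to service@hostname (host names compared case-insensitively)."""
    return (attrs.get("GSS-Acceptor-Service-Name") == service
            and attrs.get("GSS-Acceptor-Host-Name", "").lower() == hostname.lower())


if __name__ == "__main__":
    code, attrs = decode_channel_binding(CB_HEX)
    print(code, attrs)
    # Assumed acceptor name for the sshd host in this thread; adjust to your own.
    print("bound to host/moonshot01.psi.ch:", acceptor_matches(attrs, "host", "moonshot01.psi.ch"))
```

If the decoded host name differs from the name the acceptor uses, the token was bound to a different service and the acceptor's integrity check will fail before any user mapping is consulted.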