Comment 7 for bug 1709337

Stefan Paetow (stefan-paetow) wrote : Re: [Bug 1709337] Re: moonshot-gss-eap-1.0.1-1.el6 causes RADIUS TLS error and SSH segv

Yes.

*Everything* is the latest, including the latest MS package for OpenSSH (other than the GSS-EAP and MS-UI packages - for obvious reasons). The bash history in the 'sysuser' user has everything you need... The command is ssh -Kv <email address hidden> (the local machine name).

Stefan Paetow
Moonshot Industry & Research Liaison Coordinator


From: <email address hidden> on behalf of Dan Breslau <email address hidden>
Reply-To: Bug 1709337 <email address hidden>
Date: Tuesday, 8 August 2017 at 23:17
To: Stefan Paetow <email address hidden>
Subject: [Bug 1709337] Re: moonshot-gss-eap-1.0.1-1.el6 causes RADIUS TLS error and SSH segv

Is this the same image that you just emailed me a link to on another
thread?

It would also be very helpful if you could include details about the
command[s] you're running when you see this problem. I gather that ssh
is one of those commands. I'm guessing that that's a moonshot-enabled
ssh; and if so, what version?

https://bugs.launchpad.net/bugs/1709337

Title:
  moonshot-gss-eap-1.0.1-1.el6 causes RADIUS TLS error and SSH segv

Status in Project Moonshot:
  New

Bug description:
  When using moonshot-gss-eap-1.0.1-1.el6 on a new CentOS 6 box, I see
  the following issue:

  When used with the newest moonshot-ui package (see Bug 1709316) in a
  mode that uses .gss_eap_id, RADIUS reports a TLS failure:

  eap_ttls: ERROR: TLS Alert read:fatal:unknown CA
  eap_ttls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
  eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read)
  eap_ttls: ERROR: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
  eap_ttls: ERROR: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
  eap_ttls: ERROR: System call (I/O) error (-1)
  eap_ttls: ERROR: TLS receive handshake failed during operation
  eap_ttls: ERROR: [eaptls process] = fail
  eap: ERROR Failed continuing EAP TTLS (21) session. EAP sub-module failed

  When I downgrade to 0.9.5-1, the problem goes away. If there is TLS
  functionality that attempts to get trust anchors (and fails), perhaps
  we should update the .gss_eap_id functionality to add a third line
  that allows a trust anchor?

  Additionally, when I downgrade moonshot-ui to avoid Bug 1709316, the
  moonshot-gss-eap package appears to cause a segv in the ssh process
  during a call like this:

  ssh -Kv <email address hidden>
  :
  :
  debug1: Next authentication method: gssapi-keyex
  debug1: No valid Key exchange context
  debug1: Next authentication method: gssapi-with-mic
  Segmentation fault (core dumped)

  This does not happen when I downgrade to 0.9.5-1.

  A virtual machine (Virtual Box 5.1) can be provided that demonstrates
  this issue.

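An added example, not part of the original thread and not FreeRADIUS or Moonshot code: a small triage script run over a subset of the eap_ttls lines quoted in the bug description, showing which side aborted the handshake. It assumes the OpenSSL 1.0.x packed error-code layout (reason in the low 12 bits, received-alert reasons offset by 1000); the function names `triage` and `diagnose` are hypothetical.

```python
import re

# Log excerpt copied from the bug description (FreeRADIUS eap_ttls output).
SAMPLE_LOG = """\
eap_ttls: ERROR: TLS Alert read:fatal:unknown CA
eap_ttls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
eap_ttls: ERROR: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
eap_ttls: ERROR: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
eap: ERROR Failed continuing EAP TTLS (21) session. EAP sub-module failed
"""

ALERT_RE = re.compile(r"TLS Alert (read|write):(fatal|warning):(.+)$")
OSSL_RE = re.compile(r"error:([0-9A-Fa-f]{8}):SSL routines:(\w+):(.+)$")
ALERT_REASON_OFFSET = 1000  # OpenSSL's SSL_AD_REASON_OFFSET


def triage(log_text):
    """Summarise which side aborted the TLS handshake and why."""
    out = {"alert_from": None, "alert": None, "peer_alert_numbers": [], "errors": []}
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m and out["alert"] is None:
            # "read": the alert arrived from the peer (here the EAP client);
            # "write": the RADIUS server sent it.
            out["alert_from"] = "peer" if m.group(1) == "read" else "server"
            out["alert"] = m.group(3).strip().lower()
        m = OSSL_RE.search(line)
        if m:
            reason = int(m.group(1), 16) & 0xFFF  # low 12 bits hold the reason code
            out["errors"].append((m.group(1), m.group(3).strip()))
            if reason > ALERT_REASON_OFFSET:
                # Reasons above the offset encode a TLS alert number sent by the peer.
                out["peer_alert_numbers"].append(reason - ALERT_REASON_OFFSET)
    return out


def diagnose(t):
    """Map the triage result to the side whose configuration needs checking."""
    if t["alert_from"] == "peer" and (t["alert"] == "unknown ca" or 48 in t["peer_alert_numbers"]):
        return "client could not validate the server certificate: check the client's trust anchor"
    if t["alert_from"] == "server":
        return "server rejected the handshake: check the RADIUS server's TLS configuration"
    return "no TLS alert found"


if __name__ == "__main__":
    print(diagnose(triage(SAMPLE_LOG)))
```

Alert number 48 is `unknown_ca` in the TLS alert registry, so both the text alert and the packed error code point at the client side failing to validate the RADIUS server's certificate.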