Yes.
*Everything* is the latest, including the latest MS package for OpenSSH (other than the GSS-EAP and MS-UI packages - for obvious reasons). The bash history in the 'sysuser' user has everything you need... The command is ssh -Kv <email address hidden> (the local machine name).
Stefan Paetow
Moonshot Industry & Research Liaison Coordinator
From: <email address hidden> on behalf of Dan Breslau <email address hidden>
Reply-To: Bug 1709337 <email address hidden>
Date: Tuesday, 8 August 2017 at 23:17
To: Stefan Paetow <email address hidden>
Subject: [Bug 1709337] Re: moonshot-gss-eap-1.0.1-1.el6 causes RADIUS TLS error and SSH segv
Is this the same image that you just emailed me a link to on another
thread?
It would also be very helpful if you could include details about the
command[s] you're running when you see this problem. I gather that ssh
is one of those commands. I'm guessing that that's a moonshot-enabled
ssh; and if so, what version?
https://bugs.launchpad.net/bugs/1709337
Title:
moonshot-gss-eap-1.0.1-1.el6 causes RADIUS TLS error and SSH segv
Status in Project Moonshot:
New
Bug description:
When using moonshot-gss-eap-1.0.1-1.el6 on a new CentOS 6 box, I see
the following issue:
When used with the newest moonshot-ui package (see Bug 1709316) in a
mode that uses .gss_eap_id, RADIUS reports a TLS failure:
eap_ttls: ERROR: TLS Alert read:fatal:unknown CA
eap_ttls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read)
eap_ttls: ERROR: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
eap_ttls: ERROR: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
eap_ttls: ERROR: System call (I/O) error (-1)
eap_ttls: ERROR: TLS receive handshake failed during operation
eap_ttls: ERROR: [eaptls process] = fail
eap: ERROR Failed continuing EAP TTLS (21) session. EAP sub-module failed
When I downgrade to 0.9.5-1, the problem goes away. If there is TLS
functionality that attempts to get trust anchors (and fails), perhaps
we should update the .gss_eap_id functionality to add a third line
that allows a trust anchor?
Additionally, when I downgrade moonshot-ui to avoid Bug 1709316, the
moonshot-gss-eap package appears to cause a segv in the ssh process
during a call like this:
ssh -Kv <email address hidden>
:
:
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
Segmentation fault (core dumped)
This does not happen when I downgrade to 0.9.5-1.
A virtual machine (Virtual Box 5.1) can be provided that demonstrates
this issue.
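Added example (not part of the original thread, and not Moonshot or FreeRADIUS code): a Python triage helper for the eap_ttls lines quoted in the bug description. It assumes the OpenSSL 1.0.x packed error layout (8-bit library, 12-bit function, 12-bit reason) and that "TLS Alert read" means the RADIUS server received the alert from its peer; the function names are hypothetical. On these lines it reports that the unknown_ca alert was raised by the EAP client, which is consistent with the reporter's question about trust anchors on the client side.

```python
import re

# Sample input: eap_ttls lines copied from the bug description above.
SAMPLE_LOG = """\
eap_ttls: ERROR: TLS Alert read:fatal:unknown CA
eap_ttls: ERROR: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
eap_ttls: ERROR: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
"""

SSL_AD_REASON_OFFSET = 1000  # OpenSSL: reason code = 1000 + TLS alert number
TLS_ALERTS = {  # alert descriptions from RFC 5246, section 7.2
    40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
ALERT_RE = re.compile(r"TLS Alert (read|write):(\w+):(.+)")


def unpack_error(code_hex):
    """Split a packed OpenSSL 1.0.x error code into lib / func / reason."""
    code = int(code_hex, 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    # Reasons above the offset are TLS alerts relayed from the wire.
    alert = reason - SSL_AD_REASON_OFFSET if reason > SSL_AD_REASON_OFFSET else None
    return {"lib": lib, "func": func, "reason": reason,
            "alert": alert, "alert_name": TLS_ALERTS.get(alert)}


def triage(log_text):
    """Collect decoded error codes and work out which side raised the alert."""
    findings = {"errors": [], "alert_from": None, "alert": None}
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            # "read": the server received the alert, so the EAP client sent it.
            findings["alert_from"] = "client" if m.group(1) == "read" else "server"
            findings["alert"] = m.group(3).strip()
        m = ERR_RE.search(line)
        if m:
            findings["errors"].append(unpack_error(m.group(1)))
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```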