Hi Satosa users,
I’m having trouble with a SAML request being incorrectly inflated/decoded and then failing with the error “invalid signature” (which I think is misleading). I couldn’t see a known issue about this on GitHub. I’m running Satosa 8.2. Has anyone seen this and has a suggestion?
Both the good and bad AuthN Requests in the logs below validate fine at https://www.samltool.com/decode.php
Example, “bad” encoding from https://sptest.iamshowcase.com/instructions:
[1687184930.586361] [2023-06-19 14:28:50] [DEBUG]: read request data: {'SAMLRequest': 'fVFbb4IwFP4rTd/lUrVCIyRsZhmJZkbYHvZWSh1NoGU9ZdvPH6Jm7sXHk+98t3PWwLu2Z9ngGn2Qn4MEh366VgObgAQPVjPDQQHTvJPAnGBFttsy4gWst8YZYVp8Q7nP4ADSOmU0Rk/GCjn5JvjIW5AYoXyTYB7VhNdRTOpFSGkYrZYhJTSIBa9EFR/JPKLVKpSUYpQDDDLX4Lh2CSYBmc8COgvjMlwwErFl8I7RZmykND95Jrhxrgfm+6ruPSGt9kTjn0IT6H0A4/cGHEbZNeSj0TB00hbSfikhXw/bPwno3ajsKd5BY74FB+kJ0/lcwNhjfznMg9K10h/3b1Kdl4A9l+V+tn8pylEBvUkLU+ZxBafrU0o29bUozbNdcTFd+zdIep7+vzP9BQ=='}
...
[1687184930.589399] [2023-06-19 14:28:50] [DEBUG]: xmlstr: b'}Q[o\x820\x14\xfe+M\xdf\xe5R\xb5B#$lf\x19\x89fF\xd8\x1e\xf6VJ\x1dM\xa0e=e\xdb\xcf\x1f\xa2f\xee\xc5\xc7\x93\xef|\xb7s\xd6\xc0\xbb\xb6g\xd9\xe0\x1a}\x90\x9f\x83\x04\x87~\xbaV\x03\x9b\x80\x04\x0fV3\xc3A\x01\xd3\xbc\x93\xc0\x9c`E\xb6\xdb2\xe2\x05\xac\xb7\xc6\x19aZ|C\xb9\xcf\xe0\x00\xd2:e4FO\xc6\n9\xf9&\xf8\xc8[\x90\x18\xa1|\x93`\x1e\xd5\x84\xd7QL\xeaEHi\x18\xad\x96!%4\x88\x05\xafD\x15\x1f\xc9<\xa2\xd5*\x94\x94b\x94\x03\x0c2\xd7\xe0\xb8v\t&\x01\x99\xcf\x02:\x0b\xe32\\0\x12\xb1e\xf0\x8e\xd1fl\xa44?y&\xb8q\xae\x07\xe6\xfb\xaa\xee=!\xad\xf6D\xe3\x9fB\x13\xe8}\x00\xe3\xf7\x06\x1cF\xd95\xe4\xa3\xd10t\xd2\x16\xd2~)!_\x0f\xdb?\t\xe8\xdd\xa8\xec)\xdeAc\xbe\x05\x07\xe9\t\xd3\xf9\\\xc0\xd8c\x7f9\xcc\x83\xd2\xb5\xd2\x1f\xf7oR\x9d\x97\x80=\x97\xe5~\xb6\x7f)\xcaQ\x01\xbdI\x0bS\xe6q\x05\xa7\xebSJ6\xf5\xb5(\xcd\xb3]q1]\xfb7Hz\x9e\xfe\xbf3\xfd\x05', relay_state: None, sigalg: None, signature: None
Example “good” encoding from https://samltest.id/saml-test/:
[1687184991.342228] [2023-06-19 14:29:51] [DEBUG]: read request data: {'SAMLRequest': 'fZHdT4MwFMX/FdL3UejGJs0gwe3BJVPJQB98MaUUaQIt9hY//nv50DgTs7cmPed37j13C6xtOpr0tlYn8doLsM5H2yig00eEeqOoZiCBKtYKoJbTLLk9UuJ6tDPaaq4b5CQAwlip1U4r6FthMmHeJBcPp2OEams7oBiPRDsEuLLEWS2LQjfC1i6AxiOS4PQ+y5GzHyRSsZH265Vl53JhlMvriUOgw6PRiFIawS1yDvsIPa+qDd+EVyUjgR/6q6AI+bJaE1IUPqlKLxhkAL04KLBM2QgRjywX3nrhh7m/oiSkgf+EnPR7r2upSqleLpdQzCKgN3meLuYVHoWBafxBgOLtODCdgs1ZuZex7KdRFP/X3/jG0G3xGXsO6ujdADvsU91I/ukkTaPfd0YwKyLkIxzPlr8nj78A', 'RelayState': 'ss:mem:a06bd083cf6e2d94f28cccd470c97390dc2ccf20657a3be36e36bce4521e8cdd'}
...
[1687184991.345231] [2023-06-19 14:29:51] [DEBUG]: xmlstr: b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://samltest.id/Shibboleth.sso/SAML2/POST" Destination="https://idp.cern.ch/saml2sp/sso/redirect" ID="_4f7c798da2519145b9c3f622bb12fd05" IssueInstant="2023-06-19T14:29:51Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://samltest.id/saml/sp</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>', relay_state: None, sigalg: None, signature: None
Thanks for any help!
Hannah
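As an added diagnostic (not code from SATOSA or pysaml2): the first bytes of the "bad" xmlstr above, b'}Q[o\x820\x14\xfe+', are exactly the base64 decoding of that SAMLRequest's first characters (fVFbb4IwFP4r), so the DEFLATE layer was never removed before the data reached the XML parser. The function below decodes a SAMLRequest value through both possible layerings and fails with a message that names the layer at fault; the AuthnRequest it round-trips is constructed, not one of the requests in the post.

```python
import base64
import binascii
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def _check_authn_request(data):
    """Parse XML bytes and insist on a samlp:AuthnRequest root; return the text."""
    # In production wrap this in defusedxml to block entity-expansion payloads.
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"payload is not well-formed XML: {exc}") from exc
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    return data.decode("utf-8")  # assumes the UTF-8 encoding SAML requests normally use


def decode_saml_request(value):
    """Return (xml_text, layering) for a SAMLRequest parameter value.

    layering is "deflate+base64" (HTTP-Redirect binding) or "base64"
    (HTTP-POST binding). Raises ValueError with the concrete reason, so a
    decoding problem is reported as such and not by a later stage such as
    signature verification.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"SAMLRequest is not valid base64: {exc}") from exc

    # Try the Redirect-binding layering first (raw DEFLATE under base64), then
    # the POST-binding one (XML directly under base64). Whichever yields a
    # well-formed AuthnRequest wins; the final error lists both failures.
    errors = []
    try:
        # wbits=-15 selects raw DEFLATE without a zlib header, as SAML requires.
        return _check_authn_request(zlib.decompress(raw, -15)), "deflate+base64"
    except (zlib.error, ValueError) as exc:
        errors.append(f"as DEFLATE: {exc}")
    try:
        return _check_authn_request(raw), "base64"
    except ValueError as exc:
        errors.append(f"as plain XML: {exc}")
    raise ValueError(
        f"SAMLRequest could not be decoded (first bytes {raw[:8]!r}; "
        + "; ".join(errors) + ")"
    )


def encode_saml_request(xml_text, deflate):
    """Build a SAMLRequest value the way an SP would; used to produce test input."""
    data = xml_text.encode("utf-8")
    if deflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode("ascii")


# Constructed sample request (not one of the requests quoted in the post).
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_example1" Version="2.0" '
    'IssueInstant="2023-06-19T14:28:50Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.org/saml/sp</saml:Issuer></samlp:AuthnRequest>'
)

if __name__ == "__main__":
    for deflate in (True, False):
        xml_text, layering = decode_saml_request(
            encode_saml_request(SAMPLE_AUTHN_REQUEST, deflate))
        print(layering, xml_text == SAMPLE_AUTHN_REQUEST)
```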
Dear satosa users,
I'm running the debian docker of satosa v8.2 and tried setting CUSTOM_PLUGIN_MODULE_PATHS in proxy_conf.yaml in order to load custom modules (microservices). I would like to mount the microservices from the docker host. I tried relative paths and absolute paths within the docker container but satosa raises a ValueError that it cannot find the modules.
I could mount them like this "./modules/custom_service.py:/usr/local/lib/python3.11/site-packages/satosa/micro_services/custom_service.py" but I'd prefer to mount them with the configuration folder /etc/satosa/ or in a similar way
Anyone got a clue how to load custom microservices with the option?
Regards
canni
Since the documentation could not really help me, I now asked by e-mail:
I already have SATOSA running successfully in a pyenv and would now like to run the whole thing in a container on another host. However, I fail already when starting the container. I use Rocky Linux 9 and podman, my configuration is under /home/satosa/application. In addition to the plugin folder, there is also a folder for the metadata and the attribute map. The certificates for the saml2 frontend and backend are in the certs directory.
What do I have to bear in mind when starting the container?
And another question: I am looking for a plugin that denies users access to the application behind the proxy if certain attributes are missing. Is there already something available?
Any help is appreciated.
Regards
Stephan
Stephan Krinetzki
IT Center
Gruppe: Anwendungsbetrieb und Cloud
Abteilung: Systeme & Betrieb
RWTH Aachen University
Seffenter Weg 23
52074 Aachen
Tel: +49 241 80-24866
Fax: +49 241 80-22134
krinetzki(a)itc.rwth-aachen.de
www.itc.rwth-aachen.de
Social Media Kanäle des IT Centers:
https://blog.rwth-aachen.de/itc/
https://www.facebook.com/itcenterrwth
https://www.linkedin.com/company/itcenterrwth
https://twitter.com/ITCenterRWTH
https://www.youtube.com/channel/UCKKDJJukeRwO0LP-ac8x8rQ
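For the attribute-gating question, an added example (not a SATOSA built-in and not from the thread): a response micro-service that refuses to continue when configured attributes are absent or empty. It assumes the SATOSA ResponseMicroService constructor kwargs (name, base_url), the SATOSAAuthenticationError(state, message) signature and the requester / attributes fields of InternalData; the config keys required and per_requester are this example's own, and the stand-in classes let it run outside a SATOSA install.

```python
try:
    from satosa.micro_services.base import ResponseMicroService
    from satosa.exception import SATOSAAuthenticationError
except ImportError:  # running outside SATOSA: stand-ins with the assumed shapes
    class ResponseMicroService:
        def __init__(self, *args, **kwargs):
            self.next = None

        def process(self, context, data):
            return self.next(context, data) if self.next else data

    class SATOSAAuthenticationError(Exception):
        def __init__(self, state, message):
            super().__init__(message)
            self.state = state
            self.message = message


def missing_required_attributes(attributes, required):
    """Names from `required` that are absent or carry only empty values.

    SATOSA internal attributes are lists of strings; a bare string is
    tolerated so the check also works on hand-built dictionaries.
    """
    missing = []
    for name in required:
        values = attributes.get(name) or []
        if isinstance(values, str):
            values = [values]
        if not any(str(v).strip() for v in values):
            missing.append(name)
    return missing


class RequireAttributes(ResponseMicroService):
    """Stop the flow unless every required attribute is present (fail closed).

    Plugin config keys assumed by this example:
      required: [mail, eduPersonPrincipalName]     # applies to every requester
      per_requester:                               # optional override per SP entity id
        "https://sp.example.org/shibboleth": [eduPersonPrincipalName]
    """

    def __init__(self, config, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.required = list(config.get("required", []))
        self.per_requester = dict(config.get("per_requester", {}))

    def required_for(self, requester):
        return self.per_requester.get(requester, self.required)

    def process(self, context, data):
        missing = missing_required_attributes(
            data.attributes, self.required_for(data.requester))
        if missing:
            # Precise reason in the error: it ends up in the proxy log, and the
            # requester only sees a generic error response.
            raise SATOSAAuthenticationError(
                context.state,
                "access denied for %s: missing attribute(s) %s"
                % (data.requester, ", ".join(missing)),
            )
        return super().process(context, data)


# Constructed stand-ins for SATOSA's Context and InternalData, for the demo only.
class _Context:
    def __init__(self):
        self.state = {}


class _InternalData:
    def __init__(self, requester, attributes):
        self.requester = requester
        self.attributes = attributes


def evaluate(config, requester, attributes):
    """Run the micro-service once; return "allow" or "deny: <reason>"."""
    service = RequireAttributes(
        config, name="require_attributes", base_url="https://proxy.example.org")
    service.next = lambda context, data: data  # terminate the chain for this stand-alone run
    try:
        service.process(_Context(), _InternalData(requester, attributes))
    except SATOSAAuthenticationError as exc:
        return "deny: " + exc.message
    return "allow"


if __name__ == "__main__":
    cfg = {"required": ["mail", "eduPersonPrincipalName"]}
    ok = {"mail": ["alice@example.org"], "eduPersonPrincipalName": ["alice@example.org"]}
    print(evaluate(cfg, "https://sp.example.org", ok))
    print(evaluate(cfg, "https://sp.example.org", {"mail": [""]}))
```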
Hello everyone,
My company develops a web application that uses Keycloak to authenticate / manages users.
We would like to accept authentication from Edugain but Edugain is not only one federation: it is an interconnection of many federations.
Therefore, if I want to accept Edugain it means I have to import one by one each Edugain Federation and our end users have to choose the right one in a list.
Example:
- if I have these Edugain federations:
  - Federation A
  - Federation B
  - Federation C
  - Federation D
- I have to import / create an identity provider for each one in Keycloak:
  - Federation A
  - Federation B
  - Federation C
  - Federation D
- the end user has to choose the Edugain Federation in which he/she has an account: Federation C
This is not a good option in terms of ergonomics because there are too many federations...
I discovered Satosa and maybe I'm wrong (as I was not able to implement it yet) but I have the feeling it could help us 🙂
The scheme I try to obtain is: our internal application -> Keycloak -> Satosa -> Edugain
The idea is this one:
- Keycloak should see only one Identity Provider 'Edugain': in reality it is Satosa behind
- and Satosa discovers the Edugain federations
I'm not comfortable with these technologies / these protocols (Keycloak, Satosa, SP, IDP, SAML, etc) and therefore I don't understand how to configure all components...
Has someone done the same (Keycloak or Gluu + Satosa + Edugain) and could share an example of configurations with me, please?
At least the Satosa configuration files (frontend, backend, etc).
Thank you very much :)
Bertrand
Hello,
I am deploying SaToSa version 8. But, it seems that the
backend module is failing to map attribute from the IdP to internal proxy attributes.
In fact, after the user is authenticated and has accepted the consent, I got: KeyError 'mail' in
the satosa log.
What should I have missed in the configs?
Below is part of the log
satosa-proxy_1 | [2022-09-09 20:04:11,840] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['email', 'emailAddress', 'mail']: no value found
satosa-proxy_1 | [2022-09-09 20:04:11,840] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['cn']: no value found
satosa-proxy_1 | [2022-09-09 20:04:11,841] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['sn', 'surname']: no value found
satosa-proxy_1 | [2022-09-09 20:04:11,841] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['eduPersonScopedAffiliation']: no value found
satosa-proxy_1 | [2022-09-09 20:04:11,841] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['eduPersonPrincipalName']: no value found
satosa-proxy_1 | [2022-09-09 20:04:11,842] [DEBUG] [satosa.backends.saml2._translate_response] [urn:uuid:722089a1-b43e-47b0-bd98-2888c96b3a10] backend received attributes:
satosa-proxy_1 | {}
satosa-proxy_1 | [2022-09-09 20:04:11,842] [ERROR] [satosa.base.run] [urn:uuid:722089a1-b43e-47b0-bd98-2888c96b3a10] Uncaught exception
satosa-proxy_1 | Traceback (most recent call last):
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 240, in run
satosa-proxy_1 | resp = self._run_bound_endpoint(context, spec)
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 180, in _run_bound_endpoint
satosa-proxy_1 | return spec(context)
satosa-proxy_1 | File "/src/satosa/src/satosa/backends/saml2.py", line 363, in authn_response
satosa-proxy_1 | return self.auth_callback_func(context, self._translate_response(authn_response, context.state))
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 141, in _auth_resp_callback_func
satosa-proxy_1 | subject_id = [
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 142, in <listcomp>
satosa-proxy_1 | "".join(internal_response.attributes[attr]) for attr in
satosa-proxy_1 | KeyError: 'mail'
satosa-proxy_1 | [2022-09-09 20:04:11,843] [ERROR] [satosa.proxy_server.__call__] Unknown error
satosa-proxy_1 | Traceback (most recent call last):
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 240, in run
satosa-proxy_1 | resp = self._run_bound_endpoint(context, spec)
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 180, in _run_bound_endpoint
satosa-proxy_1 | return spec(context)
satosa-proxy_1 | File "/src/satosa/src/satosa/backends/saml2.py", line 363, in authn_response
satosa-proxy_1 | return self.auth_callback_func(context, self._translate_response(authn_response, context.state))
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 141, in _auth_resp_callback_func
satosa-proxy_1 | subject_id = [
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 142, in <listcomp>
satosa-proxy_1 | "".join(internal_response.attributes[attr]) for attr in
satosa-proxy_1 | KeyError: 'mail'
satosa-proxy_1 |
satosa-proxy_1 | The above exception was the direct cause of the following exception:
satosa-proxy_1 |
satosa-proxy_1 | Traceback (most recent call last):
satosa-proxy_1 | File "/src/satosa/src/satosa/proxy_server.py", line 148, in __call__
satosa-proxy_1 | resp = self.run(context)
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 258, in run
satosa-proxy_1 | raise SATOSAUnknownError("Unknown error") from err
satosa-proxy_1 | satosa.exception.SATOSAUnknownError: Unknown error
Hi all,
I need to install Satosa under a path instead of the root of the
webserver, but I can not make endpoint routing work if BASE in
proxy_conf.yaml contains a path (i.e. "https://example.com/path"). For
long I was thinking it was a configuration error on my side, but I
realised that also the flow (unit) tests fail if I change the BASE to
such a value.
I've filed a bug under
https://github.com/IdentityPython/SATOSA/issues/404, and I'm already
more than halfway fixing it, but I still can hardly believe that
everybody installs Satosa under "/".
Rewriting the request in the webserver breaks metadata generation,
because it needs to know the external URLs and not the rewritten ones.
It is a possibility to run metadata generation with a slightly different
configuration file, but I'd like to avoid maintaining two sets of
configurations if possible.
Has anybody run into a similar issue?
Kristof
Hello,
after completing another project I had some time to dig into the issue a
little bit deeper. I've come across this site:
https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full…
It turns out my interface was misconfigured. Disabling some offloads solved
the issue and overall loss has dropped significantly.
Thank you for your help!
Jakub
czw., 2 wrz 2021 o 16:02 Vlad Grigorescu <vlad at es.net> napisał(a):
> Jakub,
>
> Sorry for the delay on this, I was also out and then it fell off my radar.
>
> I think your answer lies in the missed_bytes field of the conn log. All of
> the connections from your ssh.log had traffic that Zeek did not see. Since
> Zeek has no way of knowing what transpired in those missed bytes, the SSH
> analyzer will never flag those connections as successful or failed.
>
> The mailing list or Slack might have some suggestions on how to determine
> the cause of your missed bytes, and what the solution might be.
>
> --Vlad
>
> On Thu, Aug 19, 2021 at 9:58 AM Jakub Niezabitowski <
> kuba.michal.n at gmail.com> wrote:
>
>> Hello,
>>
>> I will be out for about a week. Sorry for your inconvenience. If there
>> will be any update I will write as soon as I can.
>>
>> Thank you for your support.
>> Jakub
>>
>> czw., 19 sie 2021 o 15:25 Jakub Niezabitowski <kuba.michal.n at gmail.com>
>> napisał(a):
>>
>>> This is output of zeek -v:
>>> ./zeek version 4.1.0-dev.750
>>>
>>> ssh.log:
>>>
>>> {"ts":1629353969.834005,"uid":"C6vC4b2O0r71ggNi25","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI
>>> GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629355319.70739,"uid":"C0c0604XfdAEv7svZb","id.orig_h":"149.156.4.93","id.orig_p":42818,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI
>>> GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com
>>> ","mac_alg":"umac-64-etm at openssh.com
>>> ","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629355326.102184,"uid":"ClskL8uZ1TVWjwYV5","id.orig_h":"149.156.4.93","id.orig_p":42820,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI
>>> GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com
>>> ","mac_alg":"umac-64-etm at openssh.com
>>> ","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629363511.517178,"uid":"CcqehS1QVeUxz1B4Od","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI
>>> GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629359395.93802,"uid":"ChjjxO1RDEYWkNATye","id.orig_h":"149.156.4.93","id.orig_p":56826,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI
>>> GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629359403.032656,"uid":"CjDb491bXc6cNybmn2","id.orig_h":"149.156.4.93","id.orig_p":56828,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI
>>> GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629362225.296699,"uid":"CowriFJduoVFdyFH1","id.orig_h":"149.156.4.93","id.orig_p":35404,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI
>>> GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com
>>> ","mac_alg":"umac-64-etm at openssh.com
>>> ","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629361952.911338,"uid":"CFoYi71C4Nh1f5zlLk","id.orig_h":"149.156.4.93","id.orig_p":35402,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI
>>> GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629368286.231978,"uid":"CevlPO3R5JgpEwTLfe","id.orig_h":"149.156.4.93","id.orig_p":33266,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI
>>> GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629368323.887805,"uid":"CSSAMgMkKpJnTYDOg","id.orig_h":"149.156.4.93","id.orig_p":33268,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI
>>> GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629368384.265589,"uid":"CszcwObIzxyaFRswi","id.orig_h":"149.156.4.93","id.orig_p":33270,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI
>>> GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629369473.554433,"uid":"C2iNBj2NrOS4TvWqed","id.orig_h":"149.156.4.93","id.orig_p":33272,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI
>>> GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629369478.658333,"uid":"CZLjJa3oSIDiQD0Ko1","id.orig_h":"149.156.4.93","id.orig_p":33274,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI
>>> GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629363611.176921,"uid":"CanhZA2xCTZoDMPvng","id.orig_h":"149.156.4.93","id.orig_p":39666,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI
>>> GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com
>>> ","mac_alg":"umac-64-etm at openssh.com
>>> ","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629363530.397083,"uid":"CeYi3U1HCr8ADcerw9","id.orig_h":"149.156.4.93","id.orig_p":39664,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI
>>> GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629366392.592983,"uid":"CuthbE1HzIye71DjVc","id.orig_h":"149.156.4.93","id.orig_p":54438,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-OpenSSH_7.4p1c-GSI
>>> GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com
>>> ","mac_alg":"umac-64-etm at openssh.com
>>> ","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629365717.892757,"uid":"C9hAYf1UisBCzG2GL5","id.orig_h":"149.156.4.93","id.orig_p":54101,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-OpenSSH_7.4p1c-GSI
>>> GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com
>>> ","mac_alg":"umac-64-etm at openssh.com
>>> ","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>>
>>> conn.log:
>>>
>>> {"ts":1629353969.732991,"uid":"C6vC4b2O0r71ggNi25","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":1343.1681571006776,"orig_bytes":10765,"resp_bytes":1249389,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":372560,"history":"ShADadCGcggctgtcFRf","orig_pkts":2290,"orig_ip_bytes":128761,"resp_pkts":1878,"resp_ip_bytes":1005437}
>>>
>>> {"ts":1629355322.821648,"uid":"CBGul41OnibExQK9O6","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":88.76865911483765,"orig_bytes":0,"resp_bytes":1048,"conn_state":"OTH","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^dt","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":4,"resp_ip_bytes":4400}
>>>
>>> {"ts":1629355319.682793,"uid":"C0c0604XfdAEv7svZb","id.orig_h":"149.156.4.93","id.orig_p":42818,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":3674.8831601142885,"orig_bytes":5049,"resp_bytes":2136781,"conn_state":"RSTO","local_orig":false,"local_resp":false,"missed_bytes":9868,"history":"ShADadcgttR","orig_pkts":4225,"orig_ip_bytes":225141,"resp_pkts":4243,"resp_ip_bytes":2382129}
>>>
>>> {"ts":1629355326.076816,"uid":"ClskL8uZ1TVWjwYV5","id.orig_h":"149.156.4.93","id.orig_p":42820,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":3696.138195991516,"orig_bytes":8641,"resp_bytes":2227993,"conn_state":"RSTO","local_orig":false,"local_resp":false,"missed_bytes":47024,"history":"ShADadcggttcGR","orig_pkts":4504,"orig_ip_bytes":243421,"resp_pkts":4411,"resp_ip_bytes":2454697}
>>>
>>> {"ts":1629363511.478,"uid":"CcqehS1QVeUxz1B4Od","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":26.2694411277771,"orig_bytes":3497,"resp_bytes":45209,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":28080,"history":"ShADadCGcggFRft","orig_pkts":88,"orig_ip_bytes":6557,"resp_pkts":66,"resp_ip_bytes":23653}
>>>
>>> {"ts":1629363542.919383,"uid":"CpYDAh26XA0tnFjqE8","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629363548.264316,"uid":"CKIeJ02kp7bqmZHQGa","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629363558.951295,"uid":"Cy70hG3xbe0YraNLQ","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629363580.29527,"uid":"ClzNXf3uL9jMAKVFN8","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629363623.047142,"uid":"CM6AG64ej3HoBNCmV6","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629359395.898961,"uid":"ChjjxO1RDEYWkNATye","id.orig_h":"149.156.4.93","id.orig_p":56826,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2406.9871258735659,"orig_bytes":14529,"resp_bytes":1270377,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":231140,"history":"ShADadCGcggtcgTt","orig_pkts":2670,"orig_ip_bytes":152449,"resp_pkts":2337,"resp_ip_bytes":1196833}
>>>
>>> {"ts":1629359402.915081,"uid":"CjDb491bXc6cNybmn2","id.orig_h":"149.156.4.93","id.orig_p":56828,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2431.203042984009,"orig_bytes":22009,"resp_bytes":3986829,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":401516,"history":"ShADadCGcgtTtgcGgc","orig_pkts":8571,"orig_ip_bytes":467389,"resp_pkts":8341,"resp_ip_bytes":4070913}
>>>
>>> {"ts":1629362225.253584,"uid":"CowriFJduoVFdyFH1","id.orig_h":"149.156.4.93","id.orig_p":35404,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":1795.6165931224824,"orig_bytes":23017,"resp_bytes":1719917,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":249976,"history":"ShAdDacggtctTg","orig_pkts":3808,"orig_ip_bytes":221809,"resp_pkts":3676,"resp_ip_bytes":1708085}
>>>
>>> {"ts":1629361952.865328,"uid":"CFoYi71C4Nh1f5zlLk","id.orig_h":"149.156.4.93","id.orig_p":35402,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2072.1008388996126,"orig_bytes":27917,"resp_bytes":1165281,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":322496,"history":"ShADadCGcgtTgctgc","orig_pkts":3158,"orig_ip_bytes":191313,"resp_pkts":2439,"resp_ip_bytes":1014905}
>>>
>>> {"ts":1629368286.226311,"uid":"CevlPO3R5JgpEwTLfe","id.orig_h":"149.156.4.93","id.orig_p":33266,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":31.089575052261354,"orig_bytes":4095,"resp_bytes":7573,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGtFf","orig_pkts":50,"orig_ip_bytes":5807,"resp_pkts":35,"resp_ip_bytes":4377}
>>>
>>> {"ts":1629368323.882291,"uid":"CSSAMgMkKpJnTYDOg","id.orig_h":"149.156.4.93","id.orig_p":33268,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":39.62539982795715,"orig_bytes":3907,"resp_bytes":7133,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGFf","orig_pkts":38,"orig_ip_bytes":4983,"resp_pkts":26,"resp_ip_bytes":3385}
>>>
>>> {"ts":1629368384.260782,"uid":"CszcwObIzxyaFRswi","id.orig_h":"149.156.4.93","id.orig_p":33270,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":95.20389604568482,"orig_bytes":4699,"resp_bytes":8045,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGFf","orig_pkts":78,"orig_ip_bytes":7855,"resp_pkts":48,"resp_ip_bytes":5441}
>>>
>>> {"ts":1629369473.551176,"uid":"C2iNBj2NrOS4TvWqed","id.orig_h":"149.156.4.93","id.orig_p":33272,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":4.286886930465698,"orig_bytes":3907,"resp_bytes":7169,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":5108,"history":"ShADadcgtFf","orig_pkts":42,"orig_ip_bytes":6111,"resp_pkts":29,"resp_ip_bytes":3661}
>>>
>>> {"ts":1629369478.65472,"uid":"CZLjJa3oSIDiQD0Ko1","id.orig_h":"149.156.4.93","id.orig_p":33274,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":1.974303960800171,"orig_bytes":3907,"resp_bytes":7133,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgtTCGFf","orig_pkts":39,"orig_ip_bytes":5535,"resp_pkts":27,"resp_ip_bytes":3909}
>>>
>>> {"ts":1629363611.137711,"uid":"CanhZA2xCTZoDMPvng","id.orig_h":"149.156.4.93","id.orig_p":39666,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":4322.946979999542,"orig_bytes":83385,"resp_bytes":4093093,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":1280948,"history":"ShADadcgcggttcTt","orig_pkts":9754,"orig_ip_bytes":592549,"resp_pkts":7344,"resp_ip_bytes":3280677}
>>>
>>> {"ts":1629363530.35789,"uid":"CeYi3U1HCr8ADcerw9","id.orig_h":"149.156.4.93","id.orig_p":39664,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":4444.6867852211,"orig_bytes":16493,"resp_bytes":2455029,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":99340,"history":"ShADadCGcgtgctT","orig_pkts":5389,"orig_ip_bytes":295961,"resp_pkts":5126,"resp_ip_bytes":2670001}
>>>
>>> {"ts":1629366392.574032,"uid":"CuthbE1HzIye71DjVc","id.orig_h":"149.156.4.93","id.orig_p":54438,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":5154.938705921173,"orig_bytes":14113,"resp_bytes":49097,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":17616,"history":"ShADadcgCGgc","orig_pkts":699,"orig_ip_bytes":49321,"resp_pkts":433,"resp_ip_bytes":55169}
>>>
>>> {"ts":1629365717.871532,"uid":"C9hAYf1UisBCzG2GL5","id.orig_h":"149.156.4.93","id.orig_p":54101,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":5869.062443971634,"orig_bytes":25417,"resp_bytes":123257,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":68778,"history":"ShADadcgCGTtgc","orig_pkts":1409,"orig_ip_bytes":97629,"resp_pkts":764,"resp_ip_bytes":96079}
>>>
>>> {"ts":1629378908.289358,"uid":"CgpvjA2SRGDerkjnt7","id.orig_h":"149.156.4.93","id.orig_p":33276,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":12.938737154006958,"orig_bytes":4699,"resp_bytes":8277,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6047,"history":"ShaGADdcgCtFf","orig_pkts":83,"orig_ip_bytes":8127,"resp_pkts":51,"resp_ip_bytes":5913}
>>>
>>> I also append new pcap in case logs for older one have been already
>>> rotated.
>>>
>>> Jakub
>>>
>>> czw., 19 sie 2021 o 13:42 Vlad Grigorescu <vlad at es.net> napisał(a):
>>>
>>>> When I run the PCAP through try.zeek.org, it reports auth_success as
>>>> T, https://try.zeek.org/#/tryzeek/saved/527994
>>>>
>>>> What version of Zeek? To verify that capture loss isn't an issue, can
>>>> you share the line from conn.log that you see for that connection?
>>>>
>>>> On Thu, Aug 19, 2021 at 5:47 AM Jakub Niezabitowski <
>>>> kuba.michal.n at gmail.com> wrote:
>>>>
>>>>> To add some context this is my node.cfg:
>>>>>
>>>>> [logger-1]
>>>>> type=logger
>>>>> host=localhost
>>>>> #
>>>>> [manager]
>>>>> type=manager
>>>>> host=localhost
>>>>> #
>>>>> [proxy-1]
>>>>> type=proxy
>>>>> host=localhost
>>>>> #
>>>>> [worker-1]
>>>>> type=worker
>>>>> host=localhost
>>>>> lb_procs=8
>>>>> lb_method=pf_ring
>>>>> pin_cpus=0,1,2,3,4,5,6,7
>>>>> interface=eth-mirror
>>>>>
>>>>> This machine can handle up to 8GBit/s of traffic, during capture it
>>>>> was about 1GBit/s.
>>>>>
>>>>>
>>>>> czw., 19 sie 2021 o 12:42 Jakub Niezabitowski <kuba.michal.n at gmail.com>
>>>>> napisał(a):
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> The data was gathered on same network interface as zeek. It was
>>>>>> filtered though to include only related traffic.
>>>>>>
>>>>>> I have logged in using host 149.156.4.93 to machine 149.156.9.136 and
>>>>>> executed few commands. Zeek is not showing auth_success field.
>>>>>>
>>>>>> After reading provided docs (
>>>>>> https://docs.zeek.org/en/master/scripts/base/protocols/ssh/main.zeek.html#i…)
>>>>>> I assume it could be related to capture losses but it shouldn't. The amount
>>>>>> of traffic was way below average.
>>>>>>
>>>>>> Thank you for your help!
>>>>>> Jakub
>>>>>>
>>>>>>
>>>>>> śr., 18 sie 2021 o 14:27 Vlad Grigorescu <vlad at es.net> napisał(a):
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Aug 18, 2021 at 03:27 Jakub Niezabitowski <
>>>>>>> kuba.michal.n at gmail.com> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> {"ts":1629151421.501644,"uid":"CUgRqs4tiJyHemzjs5","id.orig_h":"IP1","id.orig_p":41080,"id.resp_h":"IP2","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-Go","server":"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2","cipher_alg":"aes128-gcm@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256@libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"KEY1"}
>>>>>>>>
>>>>>>>
>>>>>>> This connection had “auth_attempts: 0,” so there was nothing to make
>>>>>>> a determination on.
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> {"ts":1629151420.84616,"uid":"CN6Tsq42Ki15BZF9J","id.orig_h":"IP3","id.orig_p":38122,"id.resp_h":"IP4","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-babeld-322814ef","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"rsa-sha2-512","host_key":"KEY2"}
>>>>>>>>
>>>>>>> This connection has “auth_success: false,” so it seems like a
>>>>>>> determination was made?
>>>>>>>
>>>>>>> The docs (
>>>>>>>
>>>>>>> https://docs.zeek.org/en/master/scripts/base/protocols/ssh/main.zeek.html#i…)
>>>>>>> have a bit more info, but essentially, yes it is expected, and Zeek goes to
>>>>>>> some lengths to avoid false positives and negatives, at the expense of true
>>>>>>> positives. However, that doesn’t seem to be the case here?
>>>>>>>
>>>>>>> —Vlad
>>>>>>>
>>>>>>
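For the check Vlad asks for in the Zeek thread quoted above (rule out capture loss before reading anything into a missing auth_success), here is an added example that is neither Zeek's nor the thread's own code. It joins JSON ssh.log and conn.log records by uid and sorts each SSH connection into one of four buckets: auth_success already determined, no authentication attempts seen (nothing to decide on), a content gap on that connection (Zeek's missed_bytes counter or a g/G flag in the conn.log history string), or genuinely undetermined. The field names are Zeek's standard ones; the log lines and uids are constructed for the example.

```python
import json

# Constructed ssh.log lines (JSON format, one record per line). C1 mirrors the
# auth_attempts=0 case from the thread, C2 the decided one; C3 and C4 are made up.
SSH_LOG = """\
{"ts":1629151421.501644,"uid":"C1","id.orig_h":"IP1","id.orig_p":41080,"id.resp_h":"IP2","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-Go","server":"SSH-2.0-OpenSSH_8.2p1"}
{"ts":1629151420.84616,"uid":"C2","id.orig_h":"IP3","id.orig_p":38122,"id.resp_h":"IP4","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-babeld"}
{"ts":1629151430.1,"uid":"C3","id.orig_h":"IP5","id.orig_p":50000,"id.resp_h":"IP2","id.resp_p":22,"version":2,"auth_attempts":1,"client":"SSH-2.0-OpenSSH_8.4","server":"SSH-2.0-OpenSSH_8.2p1"}
{"ts":1629151440.2,"uid":"C4","id.orig_h":"IP6","id.orig_p":50001,"id.resp_h":"IP2","id.resp_p":22,"version":2,"auth_attempts":1,"client":"SSH-2.0-OpenSSH_8.4","server":"SSH-2.0-OpenSSH_8.2p1"}
"""

# Constructed conn.log lines for the same uids. C3 carries a content gap.
CONN_LOG = """\
{"ts":1629151421.5,"uid":"C1","id.orig_h":"IP1","id.orig_p":41080,"id.resp_h":"IP2","id.resp_p":22,"proto":"tcp","service":"ssh","duration":2.1,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf"}
{"ts":1629151420.8,"uid":"C2","id.orig_h":"IP3","id.orig_p":38122,"id.resp_h":"IP4","id.resp_p":22,"proto":"tcp","service":"ssh","duration":5.0,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf"}
{"ts":1629151430.1,"uid":"C3","id.orig_h":"IP5","id.orig_p":50000,"id.resp_h":"IP2","id.resp_p":22,"proto":"tcp","service":"ssh","duration":40.0,"conn_state":"SF","missed_bytes":4096,"history":"ShADadgFf"}
{"ts":1629151440.2,"uid":"C4","id.orig_h":"IP6","id.orig_p":50001,"id.resp_h":"IP2","id.resp_p":22,"proto":"tcp","service":"ssh","duration":60.0,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf"}
"""


def parse_json_log(text):
    """Zeek JSON logs are one object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def capture_loss(conn):
    """True if Zeek recorded a content gap on this connection: either a non-zero
    missed_bytes counter or a gap flag in history ('G' originator, 'g' responder)."""
    return conn.get("missed_bytes", 0) > 0 or "g" in conn.get("history", "").lower()


def classify(ssh, conn_by_uid):
    """Explain why an ssh.log record does or does not carry auth_success."""
    if "auth_success" in ssh:
        return "determined"
    if ssh.get("auth_attempts", 0) == 0:
        return "no-attempts"       # nothing to make a determination on
    conn = conn_by_uid.get(ssh["uid"])
    if conn is None:
        return "no-conn-record"    # join failed: check log rotation / which worker saw it
    if capture_loss(conn):
        return "capture-loss"      # the heuristic never saw the packets it needs
    return "undetermined"          # full capture, attempts seen, still no verdict


def triage(ssh_text, conn_text):
    """Map uid -> verdict for every ssh.log record, joined to conn.log by uid."""
    conn_by_uid = {c["uid"]: c for c in parse_json_log(conn_text)}
    return {s["uid"]: classify(s, conn_by_uid) for s in parse_json_log(ssh_text)}


if __name__ == "__main__":
    for uid, verdict in triage(SSH_LOG, CONN_LOG).items():
        print(uid, verdict)
```

On a real deployment, point it at the rotated ssh.log and conn.log of the same interval; the "undetermined" bucket is the one worth a PCAP, and an "undetermined" record whose conn.log line shows zero missed bytes is the situation the thread is about.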
Hi,
I have updated the metadata_tostring_fix function in metadata.py. It's ugly but
it gets the job done:
```python
import re

# MDNS, XMLNSXS, bMDNS and bXMLNSXS are the module-level constants already
# defined in saml2/metadata.py, where this function lives.
def metadata_tostring_fix(desc, nspair, xmlstring=""):
    if not xmlstring:
        xmlstring = desc.to_string(nspair)
    try:
        if "\"xs:string\"" in xmlstring and XMLNSXS not in xmlstring:
            xmlstring = xmlstring.replace(MDNS, MDNS + XMLNSXS)
    except TypeError:
        if b"\"xs:string\"" in xmlstring and bXMLNSXS not in xmlstring:
            xmlstring = xmlstring.replace(bMDNS, bMDNS + bXMLNSXS)

    # JN: append the REFEDS security contact after the existing ContactPerson.
    # to_string() normally returns bytes, but cope with str as well instead of
    # failing on .decode().
    was_bytes = isinstance(xmlstring, bytes)
    xmlstring_decoded = xmlstring.decode("utf-8") if was_bytes else xmlstring
    security_contact = (
        '<md:ContactPerson xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'contactType="other" '
        'remd:contactType="http://refeds.org/metadata/contactType/security" '
        'xmlns:remd="http://refeds.org/metadata">'
        '<md:GivenName>Security Response Team</md:GivenName>'
        '<md:EmailAddress>mailto:security at xxxxxxxxxxxxxxx</md:EmailAddress>'
        '</md:ContactPerson>'
    )
    # count=1: insert once, after the first ContactPerson, not after every one.
    xmlstring_decoded = re.sub(r'(<\/ns0:ContactPerson>)',
                               r'\1' + security_contact,
                               xmlstring_decoded, count=1)
    return xmlstring_decoded.encode("utf-8") if was_bytes else xmlstring_decoded
```
Thu, 2 Sep 2021 at 16:05 Jakub Niezabitowski <kuba.michal.n at gmail.com>
wrote:
> Hello Ivan,
>
> thank you for your quick response. Adding assurance_certification works
> great!
>
> Thu, 2 Sep 2021 at 15:55 Ivan Kanakarakis <ivan.kanak at gmail.com>
> wrote:
>
>> hello Jakub,
>>
>> ## refeds metadata
>>
>> the refeds metadata is not known to pysaml2, and thus there is no way
>> to do this.
>> We can look into adding support and exposing that as part of the
>> configuration.
>>
>> Until that is in place, you can add a post-processing rule in your
>> deployment to inject the namespace and element as needed.
>>
>>
>> ## assurance certification
>>
>> To add an assurance certification you can add the following in your
>> saml frontend configuration:
>>
>> ```yaml
>> module: ...
>> name: ...
>> config:
>>   idp_config:
>>     ...
>>     assurance_certification:
>>       - https://refeds.org/sirtfi
>>     ...
>> ```
>>
>>
>> On Thu, 2 Sept 2021 at 15:25, Jakub Niezabitowski
>> <kuba.michal.n at gmail.com> wrote:
>> >
>> > Hello,
>> >
>> > does anybody know how to specify remd:contactType for Satosa front-end?
>> It is necessary for Refeds. Example:
>> >
>> > <md:ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
>> >   <md:Company>XYZ</md:Company>
>> >   <md:GivenName>ABC</md:GivenName>
>> >   <md:SurName>Security</md:SurName>
>> >   <md:EmailAddress>mailto:security at example.com</md:EmailAddress>
>> > </md:ContactPerson>
>> >
>> > I would be also very thankful for help in adding this static string to
>> metadata:
>> >
>> > <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ...>
>> >   <md:Extensions>
>> >     <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
>> >       <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>> >                       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>> >                       Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
>> >         <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
>> >       </saml:Attribute>
>> >     </mdattr:EntityAttributes>
>> >   </md:Extensions>
>> > </md:EntityDescriptor>
>> >
>> > Thank you in advance for any help
>> > Jakub
>> > _______________________________________________
>> > satosa-users mailing list
>> > satosa-users at lists.sunet.se
>> > https://lists.sunet.se/listinfo/satosa-users
>>
>>
>>
>> --
>> Ivan c00kiemon5ter Kanakarakis >:3
>>
>
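Ivan's suggestion of a post-processing step on the deployment, as an added example that is not pysaml2's or SATOSA's own code and not the patch posted above. Instead of regex-matching the `</ns0:ContactPerson>` text, which depends on whatever prefix the serializer happened to choose and inserts the contact again on every run, it parses the serialized EntityDescriptor and edits the tree: the REFEDS security ContactPerson is added once, the assurance-certification EntityAttribute is added if missing (pysaml2 emits that one itself from `assurance_certification`, but the same step can repair metadata that lacks it), and the schema element order is respected (Extensions before the role descriptors, ContactPerson before AdditionalMetadataLocation). The sample metadata, the contact details and the example.org names are constructed for the example. One caveat: if the metadata is signed, sign it after this step, not before.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REMD = "http://refeds.org/metadata"
SIRTFI = "https://refeds.org/sirtfi"
SECURITY_CONTACT_TYPE = "http://refeds.org/metadata/contactType/security"
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

# Serialize with the conventional prefixes instead of ns0/ns1.
for _prefix, _uri in (("md", MD), ("mdattr", MDATTR), ("saml", SAML), ("remd", REMD)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample, shaped like the ns0-prefixed output of pysaml2's to_string().
SAMPLE_METADATA = b"""<?xml version='1.0' encoding='UTF-8'?>
<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.org/idp">
  <ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/sso/redirect"/>
  </ns0:IDPSSODescriptor>
  <ns0:ContactPerson contactType="technical"><ns0:EmailAddress>mailto:ops@example.org</ns0:EmailAddress></ns0:ContactPerson>
</ns0:EntityDescriptor>
"""


def find_security_contact(root):
    """Return the REFEDS security ContactPerson child of root, or None."""
    for cp in root.findall(f"{{{MD}}}ContactPerson"):
        if cp.get(f"{{{REMD}}}contactType") == SECURITY_CONTACT_TYPE:
            return cp
    return None


def add_security_contact(root, given_name, email):
    """Add the security contact once; keep it before AdditionalMetadataLocation
    (schema order). Returns True if an element was added."""
    if find_security_contact(root) is not None:
        return False
    cp = ET.Element(f"{{{MD}}}ContactPerson",
                    {"contactType": "other", f"{{{REMD}}}contactType": SECURITY_CONTACT_TYPE})
    ET.SubElement(cp, f"{{{MD}}}GivenName").text = given_name
    ET.SubElement(cp, f"{{{MD}}}EmailAddress").text = "mailto:" + email
    children = list(root)
    tail = [c for c in children if c.tag == f"{{{MD}}}AdditionalMetadataLocation"]
    root.insert(children.index(tail[0]) if tail else len(children), cp)
    return True


def add_assurance_certification(root, value=SIRTFI):
    """Ensure Extensions/EntityAttributes carries the assurance-certification value.
    Returns True if a value was added."""
    ext = root.find(f"{{{MD}}}Extensions")
    if ext is None:
        # Extensions must come first, except that a ds:Signature may precede it.
        idx = 1 if len(root) and root[0].tag.endswith("}Signature") else 0
        ext = ET.Element(f"{{{MD}}}Extensions")
        root.insert(idx, ext)
    ea = ext.find(f"{{{MDATTR}}}EntityAttributes")
    if ea is None:
        ea = ET.SubElement(ext, f"{{{MDATTR}}}EntityAttributes")
    attr = ea.find(f"{{{SAML}}}Attribute[@Name='{ASSURANCE_ATTR}']")
    if attr is None:
        attr = ET.SubElement(ea, f"{{{SAML}}}Attribute", {
            "Name": ASSURANCE_ATTR,
            "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"})
    if value in [v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]:
        return False
    ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return True


def post_process(metadata, given_name="Security Response Team", email="security@example.org"):
    """Return the metadata bytes with the REFEDS markup in place. Idempotent."""
    root = ET.fromstring(metadata)
    add_security_contact(root, given_name, email)
    add_assurance_certification(root)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def check(metadata):
    """Re-parse and report what a REFEDS/SIRTFI metadata check looks for."""
    root = ET.fromstring(metadata)
    cp = find_security_contact(root)
    values = root.findall(f"{{{MD}}}Extensions/{{{MDATTR}}}EntityAttributes/"
                          f"{{{SAML}}}Attribute[@Name='{ASSURANCE_ATTR}']/{{{SAML}}}AttributeValue")
    return {
        "security_contact": cp is not None and cp.get("contactType") == "other",
        "security_email": None if cp is None else cp.findtext(f"{{{MD}}}EmailAddress"),
        "sirtfi": SIRTFI in [v.text for v in values],
        "contact_count": len(root.findall(f"{{{MD}}}ContactPerson")),
        "extensions_first": len(root) > 0 and root[0].tag == f"{{{MD}}}Extensions",
    }


if __name__ == "__main__":
    fixed = post_process(SAMPLE_METADATA)
    print(fixed.decode("utf-8"))
    print(check(fixed))
```

Run it over the bytes your deployment writes out (the return value of the patched `metadata_tostring_fix`, or the metadata file itself) and feed the result to whatever publishes the metadata; `check()` gives you the same questions a federation registrar will ask, so it is worth keeping as a deployment test.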