Dear all,
Is it possible to use a different discovery service depending on the SP
that sent a SAML AuthnRequest to SATOSA, or do I have to do that in the
discovery service's frontend somehow?
Best wishes,
Matthew
--
"The lyf so short, the craft so longe to lerne."
I want to again say "thanks" to Ioannis, Rainer, Scott, and everyone
else for their help and instruction during the various IdentityPython
and SATOSA meetings at TIIME this week. Chris Phillips and I were able
to get a SATOSA 3.4.8 deployment working in Chris's idp-installer test
bed. To that end I want to share my notes from the process, at the end
of which an interested party could perform a basic, end-to-end test of
the current SATOSA release using SAMLtest (https://samltest.id/).
1. I installed Ubuntu Server 18.04.1; run the following commands as root
to install the prerequisites:
```sh
apt update
apt dist-upgrade -y
apt install -y git python3-dev build-essential python3-pip libffi-dev \
libssl-dev xmlsec1 libyaml-dev libxml2-utils
pip3 install --upgrade virtualenv
virtualenv -p python3 /opt/satosa
/opt/satosa/bin/pip install --upgrade pip setuptools
/opt/satosa/bin/pip install SATOSA
```
This is essentially the Docker image build process, only it uses the
current SATOSA release (etc.) on PyPI.
2. Copy https://github.com/IdentityPython/SATOSA/tree/v3.4.8/docker/attributemaps
to /opt/satosa/attributemaps.
I'm not sure this is strictly necessary as the built-in pysaml2
attribute maps should be used by default, but it's what the Docker image
build process does.
3. Copy https://github.com/IdentityPython/SATOSA/tree/v3.4.8/example to
/opt/satosa/etc.
4. SATOSA doesn't have a default configuration, so you must provide it
yourself.
```sh
cp /opt/satosa/etc/proxy_conf.yaml.example \
/opt/satosa/etc/proxy_conf.yaml
cp /opt/satosa/etc/internal_attributes.yaml.example \
/opt/satosa/etc/internal_attributes.yaml
cp /opt/satosa/etc/plugins/frontends/saml2_frontend.yaml.example \
/opt/satosa/etc/plugins/frontends/saml2_frontend.yaml
cp /opt/satosa/etc/plugins/backends/saml2_backend.yaml.example \
/opt/satosa/etc/plugins/backends/saml2_backend.yaml
cp /opt/satosa/etc/plugins/microservices/static_attributes.yaml.example \
/opt/satosa/etc/plugins/microservices/static_attributes.yaml
```
5. You may change the proxy URL (the value of BASE in
/opt/satosa/etc/proxy_conf.yaml), but it _must_ be a method plus
hostname without any trailing slash or path components, e.g.,
`https://proxy.example.com`, not `https://proxy.example.com/` nor
`https://proxy.example.com/satosa`. SATOSA must be hosted at the root
of your web site.
6. Comment out the `idp_blacklist_file` and `disco_srv` settings in
/opt/satosa/etc/plugins/backends/saml2_backend.yaml.
7. Generate IdP, SP, metadata signing, and web site keying material:
```sh
for i in frontend backend metadata https; do
    openssl req -batch -x509 -nodes -days 3650 -newkey rsa:2048 \
        -keyout /opt/satosa/etc/$i.key -out /opt/satosa/etc/$i.crt \
        -subj /CN=proxy.example.com
done
```
8. Download the SAMLtest metadata.
```sh
curl https://samltest.id/saml/sp > /opt/satosa/etc/sp.xml
curl https://samltest.id/saml/idp > /opt/satosa/etc/idp.xml
```
9. Generate the proxy metadata. (How you do this changes in future
releases of SATOSA.)
```sh
. /opt/satosa/bin/activate
cd /opt/satosa/etc
satosa-saml-metadata proxy_conf.yaml metadata.key metadata.crt \
--split-frontend --split-backend --dir /opt/satosa/etc
xmllint --format /opt/satosa/etc/Saml2IDP_0.xml > /opt/satosa/etc/proxy-idp.xml
xmllint --format /opt/satosa/etc/Saml2_0.xml > /opt/satosa/etc/proxy-sp.xml
```
10. Edit the proxy metadata files to remove the `<ns1:Signature>`
element, else SAMLtest will be unable to load them due to an invalid
signature.
11. Upload the proxy metadata to SAMLtest
(https://samltest.id/upload.php)
12. SAMLtest doesn't release the eduPerson Targeted ID attribute, so
you'll need to change the last three lines of
/opt/satosa/etc/internal_attributes.yaml to the following (and before
anyone says anything, NEVER USE AN EMAIL ADDRESS AS AN IDENTIFIER---this
is just a quick hack to get SATOSA working):
```yaml
hash: [mail]
user_id_from_attrs: [mail]
user_id_to_attr: mail
```
13. Start SATOSA:
```sh
. /opt/satosa/bin/activate
cd /opt/satosa/etc
gunicorn -b0.0.0.0:443 --keyfile https.key --certfile https.crt satosa.wsgi:app
```
14. At this point you should be able to perform an IdP test
(https://samltest.id/start-idp-test/) by specifying the entity ID of the
proxy's front end, e.g., https://example.com/Saml2IDP/proxy.xml. The
SAMLtest SP will request authentication by your proxy IdP, causing your
proxy SP to request authentication by the SAMLtest IdP. If everything
works right, you will end up back at the SAMLtest SP:
```
SAMLtest SP ---AuthnRequest---> SATOSA front end (IdP)/back end (SP) ---AuthnRequest---> SAMLtest IdP
SAMLtest SP <---AuthnResponse--- SATOSA front end (IdP)/back end (SP) <---AuthnResponse--- SAMLtest IdP
```
I hope this helps other adopters. If you have any questions, please
reply on list so everyone can benefit from the discussion.
Best wishes,
Matthew
--
"The lyf so short, the craft so longe to lerne."
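As an added example (not part of Matthew's notes and not SATOSA's own code), here are the two points in the procedure that are easiest to get wrong, done with the Python standard library: the BASE rule from step 5 (scheme plus hostname, nothing else) and removing the `Signature` element from the generated metadata in step 10, plus reading back the entityID you paste into SAMLtest in step 14. The metadata document, hostnames and entityID below are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"   # the "ns1" prefix in the generated files
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed stand-in for /opt/satosa/etc/proxy-idp.xml: an IdP descriptor
# carrying the Signature element that satosa-saml-metadata emits.
SAMPLE_METADATA = b"""<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ns1="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://proxy.example.com/Saml2IDP/proxy.xml">
  <ns1:Signature><ns1:SignedInfo/><ns1:SignatureValue>AAAA</ns1:SignatureValue></ns1:Signature>
  <ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://proxy.example.com/Saml2IDP/sso/redirect"/>
  </ns0:IDPSSODescriptor>
</ns0:EntityDescriptor>"""


def check_base(base):
    """Validate the BASE value from proxy_conf.yaml (step 5): scheme + host and
    nothing else. Returns (ok, reason)."""
    parts = urlsplit(base)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    if not parts.netloc:
        return False, "hostname is missing"
    if parts.path or parts.query or parts.fragment:
        return False, "no path, query or fragment allowed, not even a trailing slash"
    return True, "ok"


def strip_signature(xml_bytes):
    """Remove every ds:Signature element at any depth (step 10).
    Returns (new_xml_bytes, number_of_elements_removed)."""
    root = ET.fromstring(xml_bytes)
    # ElementTree has no parent pointers, so build a child -> parent map first
    parent_of = {child: parent for parent in root.iter() for child in parent}
    signatures = list(root.iter(f"{{{DS_NS}}}Signature"))
    for sig in signatures:
        parent_of[sig].remove(sig)
    return ET.tostring(root, encoding="utf-8"), len(signatures)


def entity_id(xml_bytes):
    """The entityID to enter in SAMLtest's IdP test form (step 14)."""
    return ET.fromstring(xml_bytes).get("entityID")


if __name__ == "__main__":
    for candidate in ("https://proxy.example.com",
                      "https://proxy.example.com/",
                      "https://proxy.example.com/satosa"):
        print(candidate, check_base(candidate))
    cleaned, n = strip_signature(SAMPLE_METADATA)
    print(f"removed {n} Signature element(s) from {entity_id(SAMPLE_METADATA)}")
    print(cleaned.decode())
```

Run `strip_signature` on the bytes of `proxy-idp.xml` and `proxy-sp.xml` before uploading them; the unsigned documents are what SAMLtest accepts, and the check on BASE catches the trailing slash before you generate metadata with the wrong endpoint URLs baked in.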
Not knowing whether my satosa instance is fully working yet (see my
other thread) I'm now continuing to try to get the application
(eduMEET) to work with satosa's oidc frontend, as per the app's
published config example:
https://github.com/havfo/multiparty-meeting/blob/master/server/config/confi…
So I've made up a client_id and client_secret on the RP side and
provided the client with an issuerURL (base URL of satosa), let it
request all the scopes in the world and set its own redirect_uri.
With those all set I do see requests to satosa's .well-known endpoints
from the application in satosa logs, e.g.
Found registered endpoint: module name:'oidc', endpoint: .well-known/openid-configuration
(And of course accessing the endpoint myself I can see that it works
and produces JSON with its config.)
Now on the OP side (satosa oidc frontend) I haven't done any setup
for the client yet, so I guess the error in the log is to be expected:
Error in authn req: Unknown client_id
Now what would be the next steps to register that client?
The request from the client (according to satosa's logs) has these
query parameters (where cid and csec are the correct client_id and
client_secret, respectively):
client_id=cid&scope=openid+email+profile&response_type=code&redirect_uri=https%3A%2F%2Fexample.org%2Fauth%2Fcallback&state=e30%3D&client_secret=csec
My plugins/frontends/openid_connect_frontend.yaml looks like the
published example, essentially:
```yaml
module: satosa.frontends.openid_connect.OpenIDConnectFrontend
name: oidc
config:
  signing_key_path: /etc/satosa/oidc-provider.key
  #db_uri: mongodb://db.example.com # optional: only support MongoDB, will default to in-memory storage if not specified
  client_db_path: /etc/satosa/oidc-clients.json
  provider:
    client_registration_supported: True
    response_types_supported: ['code', 'token', 'id_token']
    subject_types_supported: ['public', 'pairwise']
    scopes_supported: ['openid', 'email', 'profile']
```
Only that I tried to enable pretty much everything (all response and
subject types, all scopes, client registration) since I had no idea
what the RP side wants, yet. (Seems I can remove all response types
except 'code', as per the log shown above.)
I don't have MongoDB set up yet since the comment above suggests an
in-memory store would be used, which is fine for my current testing.
And looking at _create_provider() at frontends/openid_connect.py the
code would use the file referenced by client_db_path if db_uri isn't
set even before falling back to storing it in a variable.
The file referenced in client_db_path exists, is writable by the user
satosa runs as, and currently contains only '{}' (without the quotes).
So IMO that should be sufficient.
Any hints on how to register the application?
The documentation is a bit sparse here
https://github.com/IdentityPython/SATOSA/blob/master/doc/README.md#frontend…
only mentioning that *without* dynamic client registration (which I
have enabled for now, but maybe the RP doesn't support it) I'd have to
manually create the data structures in MongoDB (or the file in
client_db_path) for my client, as per the oidc spec for Client
Registration Responses.
Could someone share a json sample to put into the file referenced by
client_db_path (if that's how it's supposed to work)?
Cheers,
-peter
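An added example, not Peter's code and not SATOSA's or pyop's own: a static client record shaped like an OIDC Client Registration Response (the shape the SATOSA documentation points to), and the checks an OP applies to an authorization request before it answers "Unknown client_id" or goes further. The assumed layout of the file (a JSON object keyed by client_id) and the example.org values are assumptions; the query string is the one quoted from the SATOSA log above. The last check flags that this request carries `client_secret` as a query parameter, which the OP should not accept: the secret belongs in the token request only.

```python
import json
import secrets
import time
from urllib.parse import parse_qs

# The authorization request as quoted from SATOSA's log above
# (cid/csec stand in for the real client_id and client_secret).
LOGGED_REQUEST = ("client_id=cid&scope=openid+email+profile&response_type=code"
                  "&redirect_uri=https%3A%2F%2Fexample.org%2Fauth%2Fcallback"
                  "&state=e30%3D&client_secret=csec")


def register_client(db, client_id, redirect_uris, response_types=("code",), client_secret=None):
    """Create a static client entry shaped like an OIDC Client Registration Response.
    Assumption: the client_db_path file is a JSON object keyed by client_id."""
    if not redirect_uris:
        raise ValueError("at least one redirect_uri is required")
    for uri in redirect_uris:
        if not uri.startswith("https://") and not uri.startswith("http://localhost"):
            raise ValueError(f"redirect_uri must use https (or http on localhost): {uri}")
    record = {
        "client_id": client_id,
        "client_secret": client_secret or secrets.token_urlsafe(32),
        "client_id_issued_at": int(time.time()),
        "client_secret_expires_at": 0,   # 0 means the secret does not expire
        "redirect_uris": list(redirect_uris),
        "response_types": list(response_types),
        "token_endpoint_auth_method": "client_secret_basic",
    }
    db[client_id] = record
    return record


def dump_client_db(db):
    """Serialize the database in the shape you would write to client_db_path."""
    return json.dumps(db, indent=2, sort_keys=True)


def check_authn_request(db, query_string):
    """Return the list of problems an OP should raise for this authorization
    request; an empty list means the request is acceptable."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    client = db.get(params.get("client_id"))
    if client is None:
        return ["Unknown client_id"]              # the error SATOSA logged above
    problems = []
    if params.get("redirect_uri") not in client["redirect_uris"]:
        problems.append("redirect_uri is not registered (exact string match required)")
    if params.get("response_type") not in client["response_types"]:
        problems.append("response_type is not allowed for this client")
    if "openid" not in params.get("scope", "").split():
        problems.append("scope must include openid")
    if "client_secret" in params:
        problems.append("client_secret sent in the authorization request; "
                        "it belongs only in the token request")
    return problems


if __name__ == "__main__":
    db = {}
    print(check_authn_request(db, LOGGED_REQUEST))          # ['Unknown client_id']
    register_client(db, "cid", ["https://example.org/auth/callback"], client_secret="csec")
    print(check_authn_request(db, LOGGED_REQUEST))          # only the client_secret complaint
    print(dump_client_db(db))
```

Whether SATOSA's frontend reads exactly this layout from `client_db_path` is the assumption to verify against `_create_provider()`; the field names themselves are the standard registration-response ones, so a record in this shape is what a dynamic registration would have produced.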
Hello,
after completing another project I had some time to dig into the issue a
little bit deeper. I've come across this site:
https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full…
It turns out my interface was misconfigured. Disabling some offloads solved
the issue and overall loss has dropped significantly.
Thank you for your help!
Jakub
Thu, 2 Sep 2021 at 16:02 Vlad Grigorescu <vlad at es.net> wrote:
> Jakub,
>
> Sorry for the delay on this, I was also out and then it fell off my radar.
>
> I think your answer lies in the missed_bytes field of the conn log. All of
> the connections from your ssh.log had traffic that Zeek did not see. Since
> Zeek has no way of knowing what transpired in those missed bytes, the SSH
> analyzer will never flag those connections as successful or failed.
>
> The mailing list or Slack might have some suggestions on how to determine
> the cause of your missed bytes, and what the solution might be.
>
> --Vlad
>
> On Thu, Aug 19, 2021 at 9:58 AM Jakub Niezabitowski <
> kuba.michal.n at gmail.com> wrote:
>
>> Hello,
>>
>> I will be out for about a week. Sorry for your inconvenience. If there
>> will be any update I will write as soon as I can.
>>
>> Thank you for your support.
>> Jakub
>>
>> Thu, 19 Aug 2021 at 15:25 Jakub Niezabitowski <kuba.michal.n at gmail.com>
>> wrote:
>>
>>> This is output of zeek -v:
>>> ./zeek version 4.1.0-dev.750
>>>
>>> ssh.log:
>>>
>>> {"ts":1629353969.834005,"uid":"C6vC4b2O0r71ggNi25","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629355319.70739,"uid":"C0c0604XfdAEv7svZb","id.orig_h":"149.156.4.93","id.orig_p":42818,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629355326.102184,"uid":"ClskL8uZ1TVWjwYV5","id.orig_h":"149.156.4.93","id.orig_p":42820,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629363511.517178,"uid":"CcqehS1QVeUxz1B4Od","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629359395.93802,"uid":"ChjjxO1RDEYWkNATye","id.orig_h":"149.156.4.93","id.orig_p":56826,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629359403.032656,"uid":"CjDb491bXc6cNybmn2","id.orig_h":"149.156.4.93","id.orig_p":56828,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629362225.296699,"uid":"CowriFJduoVFdyFH1","id.orig_h":"149.156.4.93","id.orig_p":35404,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629361952.911338,"uid":"CFoYi71C4Nh1f5zlLk","id.orig_h":"149.156.4.93","id.orig_p":35402,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629368286.231978,"uid":"CevlPO3R5JgpEwTLfe","id.orig_h":"149.156.4.93","id.orig_p":33266,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629368323.887805,"uid":"CSSAMgMkKpJnTYDOg","id.orig_h":"149.156.4.93","id.orig_p":33268,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629368384.265589,"uid":"CszcwObIzxyaFRswi","id.orig_h":"149.156.4.93","id.orig_p":33270,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629369473.554433,"uid":"C2iNBj2NrOS4TvWqed","id.orig_h":"149.156.4.93","id.orig_p":33272,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629369478.658333,"uid":"CZLjJa3oSIDiQD0Ko1","id.orig_h":"149.156.4.93","id.orig_p":33274,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629363611.176921,"uid":"CanhZA2xCTZoDMPvng","id.orig_h":"149.156.4.93","id.orig_p":39666,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629363530.397083,"uid":"CeYi3U1HCr8ADcerw9","id.orig_h":"149.156.4.93","id.orig_p":39664,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629366392.592983,"uid":"CuthbE1HzIye71DjVc","id.orig_h":"149.156.4.93","id.orig_p":54438,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629365717.892757,"uid":"C9hAYf1UisBCzG2GL5","id.orig_h":"149.156.4.93","id.orig_p":54101,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>>
>>> conn.log:
>>>
>>> {"ts":1629353969.732991,"uid":"C6vC4b2O0r71ggNi25","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":1343.1681571006776,"orig_bytes":10765,"resp_bytes":1249389,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":372560,"history":"ShADadCGcggctgtcFRf","orig_pkts":2290,"orig_ip_bytes":128761,"resp_pkts":1878,"resp_ip_bytes":1005437}
>>>
>>> {"ts":1629355322.821648,"uid":"CBGul41OnibExQK9O6","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":88.76865911483765,"orig_bytes":0,"resp_bytes":1048,"conn_state":"OTH","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^dt","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":4,"resp_ip_bytes":4400}
>>>
>>> {"ts":1629355319.682793,"uid":"C0c0604XfdAEv7svZb","id.orig_h":"149.156.4.93","id.orig_p":42818,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":3674.8831601142885,"orig_bytes":5049,"resp_bytes":2136781,"conn_state":"RSTO","local_orig":false,"local_resp":false,"missed_bytes":9868,"history":"ShADadcgttR","orig_pkts":4225,"orig_ip_bytes":225141,"resp_pkts":4243,"resp_ip_bytes":2382129}
>>>
>>> {"ts":1629355326.076816,"uid":"ClskL8uZ1TVWjwYV5","id.orig_h":"149.156.4.93","id.orig_p":42820,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":3696.138195991516,"orig_bytes":8641,"resp_bytes":2227993,"conn_state":"RSTO","local_orig":false,"local_resp":false,"missed_bytes":47024,"history":"ShADadcggttcGR","orig_pkts":4504,"orig_ip_bytes":243421,"resp_pkts":4411,"resp_ip_bytes":2454697}
>>>
>>> {"ts":1629363511.478,"uid":"CcqehS1QVeUxz1B4Od","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":26.2694411277771,"orig_bytes":3497,"resp_bytes":45209,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":28080,"history":"ShADadCGcggFRft","orig_pkts":88,"orig_ip_bytes":6557,"resp_pkts":66,"resp_ip_bytes":23653}
>>>
>>> {"ts":1629363542.919383,"uid":"CpYDAh26XA0tnFjqE8","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629363548.264316,"uid":"CKIeJ02kp7bqmZHQGa","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629363558.951295,"uid":"Cy70hG3xbe0YraNLQ","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629363580.29527,"uid":"ClzNXf3uL9jMAKVFN8","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629363623.047142,"uid":"CM6AG64ej3HoBNCmV6","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629359395.898961,"uid":"ChjjxO1RDEYWkNATye","id.orig_h":"149.156.4.93","id.orig_p":56826,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2406.9871258735659,"orig_bytes":14529,"resp_bytes":1270377,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":231140,"history":"ShADadCGcggtcgTt","orig_pkts":2670,"orig_ip_bytes":152449,"resp_pkts":2337,"resp_ip_bytes":1196833}
>>>
>>> {"ts":1629359402.915081,"uid":"CjDb491bXc6cNybmn2","id.orig_h":"149.156.4.93","id.orig_p":56828,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2431.203042984009,"orig_bytes":22009,"resp_bytes":3986829,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":401516,"history":"ShADadCGcgtTtgcGgc","orig_pkts":8571,"orig_ip_bytes":467389,"resp_pkts":8341,"resp_ip_bytes":4070913}
>>>
>>> {"ts":1629362225.253584,"uid":"CowriFJduoVFdyFH1","id.orig_h":"149.156.4.93","id.orig_p":35404,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":1795.6165931224824,"orig_bytes":23017,"resp_bytes":1719917,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":249976,"history":"ShAdDacggtctTg","orig_pkts":3808,"orig_ip_bytes":221809,"resp_pkts":3676,"resp_ip_bytes":1708085}
>>>
>>> {"ts":1629361952.865328,"uid":"CFoYi71C4Nh1f5zlLk","id.orig_h":"149.156.4.93","id.orig_p":35402,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2072.1008388996126,"orig_bytes":27917,"resp_bytes":1165281,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":322496,"history":"ShADadCGcgtTgctgc","orig_pkts":3158,"orig_ip_bytes":191313,"resp_pkts":2439,"resp_ip_bytes":1014905}
>>>
>>> {"ts":1629368286.226311,"uid":"CevlPO3R5JgpEwTLfe","id.orig_h":"149.156.4.93","id.orig_p":33266,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":31.089575052261354,"orig_bytes":4095,"resp_bytes":7573,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGtFf","orig_pkts":50,"orig_ip_bytes":5807,"resp_pkts":35,"resp_ip_bytes":4377}
>>>
>>> {"ts":1629368323.882291,"uid":"CSSAMgMkKpJnTYDOg","id.orig_h":"149.156.4.93","id.orig_p":33268,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":39.62539982795715,"orig_bytes":3907,"resp_bytes":7133,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGFf","orig_pkts":38,"orig_ip_bytes":4983,"resp_pkts":26,"resp_ip_bytes":3385}
>>>
>>> {"ts":1629368384.260782,"uid":"CszcwObIzxyaFRswi","id.orig_h":"149.156.4.93","id.orig_p":33270,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":95.20389604568482,"orig_bytes":4699,"resp_bytes":8045,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGFf","orig_pkts":78,"orig_ip_bytes":7855,"resp_pkts":48,"resp_ip_bytes":5441}
>>>
>>> {"ts":1629369473.551176,"uid":"C2iNBj2NrOS4TvWqed","id.orig_h":"149.156.4.93","id.orig_p":33272,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":4.286886930465698,"orig_bytes":3907,"resp_bytes":7169,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":5108,"history":"ShADadcgtFf","orig_pkts":42,"orig_ip_bytes":6111,"resp_pkts":29,"resp_ip_bytes":3661}
>>>
>>> {"ts":1629369478.65472,"uid":"CZLjJa3oSIDiQD0Ko1","id.orig_h":"149.156.4.93","id.orig_p":33274,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":1.974303960800171,"orig_bytes":3907,"resp_bytes":7133,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgtTCGFf","orig_pkts":39,"orig_ip_bytes":5535,"resp_pkts":27,"resp_ip_bytes":3909}
>>>
>>> {"ts":1629363611.137711,"uid":"CanhZA2xCTZoDMPvng","id.orig_h":"149.156.4.93","id.orig_p":39666,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":4322.946979999542,"orig_bytes":83385,"resp_bytes":4093093,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":1280948,"history":"ShADadcgcggttcTt","orig_pkts":9754,"orig_ip_bytes":592549,"resp_pkts":7344,"resp_ip_bytes":3280677}
>>>
>>> {"ts":1629363530.35789,"uid":"CeYi3U1HCr8ADcerw9","id.orig_h":"149.156.4.93","id.orig_p":39664,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":4444.6867852211,"orig_bytes":16493,"resp_bytes":2455029,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":99340,"history":"ShADadCGcgtgctT","orig_pkts":5389,"orig_ip_bytes":295961,"resp_pkts":5126,"resp_ip_bytes":2670001}
>>>
>>> {"ts":1629366392.574032,"uid":"CuthbE1HzIye71DjVc","id.orig_h":"149.156.4.93","id.orig_p":54438,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":5154.938705921173,"orig_bytes":14113,"resp_bytes":49097,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":17616,"history":"ShADadcgCGgc","orig_pkts":699,"orig_ip_bytes":49321,"resp_pkts":433,"resp_ip_bytes":55169}
>>>
>>> {"ts":1629365717.871532,"uid":"C9hAYf1UisBCzG2GL5","id.orig_h":"149.156.4.93","id.orig_p":54101,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":5869.062443971634,"orig_bytes":25417,"resp_bytes":123257,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":68778,"history":"ShADadcgCGTtgc","orig_pkts":1409,"orig_ip_bytes":97629,"resp_pkts":764,"resp_ip_bytes":96079}
>>>
>>> {"ts":1629378908.289358,"uid":"CgpvjA2SRGDerkjnt7","id.orig_h":"149.156.4.93","id.orig_p":33276,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":12.938737154006958,"orig_bytes":4699,"resp_bytes":8277,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6047,"history":"ShaGADdcgCtFf","orig_pkts":83,"orig_ip_bytes":8127,"resp_pkts":51,"resp_ip_bytes":5913}
>>>
>>> I also append new pcap in case logs for older one have been already
>>> rotated.
>>>
>>> Jakub
>>>
>>> Thu, 19 Aug 2021 at 13:42 Vlad Grigorescu <vlad at es.net> wrote:
>>>
>>>> When I run the PCAP through try.zeek.org, it reports auth_success as
>>>> T, https://try.zeek.org/#/tryzeek/saved/527994
>>>>
>>>> What version of Zeek? To verify that capture loss isn't an issue, can
>>>> you share the line from conn.log that you see for that connection?
>>>>
>>>> On Thu, Aug 19, 2021 at 5:47 AM Jakub Niezabitowski <
>>>> kuba.michal.n at gmail.com> wrote:
>>>>
>>>>> To add some context this is my node.cfg:
>>>>>
>>>>> [logger-1]
>>>>> type=logger
>>>>> host=localhost
>>>>> #
>>>>> [manager]
>>>>> type=manager
>>>>> host=localhost
>>>>> #
>>>>> [proxy-1]
>>>>> type=proxy
>>>>> host=localhost
>>>>> #
>>>>> [worker-1]
>>>>> type=worker
>>>>> host=localhost
>>>>> lb_procs=8
>>>>> lb_method=pf_ring
>>>>> pin_cpus=0,1,2,3,4,5,6,7
>>>>> interface=eth-mirror
>>>>>
>>>>> This machine can handle up to 8GBit/s of traffic, during capture it
>>>>> was about 1GBit/s.
>>>>>
>>>>>
>>>>> Thu, 19 Aug 2021 at 12:42 Jakub Niezabitowski <kuba.michal.n at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> The data was gathered on same network interface as zeek. It was
>>>>>> filtered though to include only related traffic.
>>>>>>
>>>>>> I have logged in using host 149.156.4.93 to machine 149.156.9.136 and
>>>>>> executed few commands. Zeek is not showing auth_success field.
>>>>>>
>>>>>> After reading provided docs (
>>>>>> https://docs.zeek.org/en/master/scripts/base/protocols/ssh/main.zeek.html#i…)
>>>>>> I assume it could be related to capture losses but it shouldn't. The amount
>>>>>> of traffic was way below average.
>>>>>>
>>>>>> Thank you for your help!
>>>>>> Jakub
>>>>>>
>>>>>>
>>>>>> Wed, 18 Aug 2021 at 14:27 Vlad Grigorescu <vlad at es.net> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Aug 18, 2021 at 03:27 Jakub Niezabitowski <
>>>>>>> kuba.michal.n at gmail.com> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> {"ts":1629151421.501644,"uid":"CUgRqs4tiJyHemzjs5","id.orig_h":"IP1","id.orig_p":41080,"id.resp_h":"IP2","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-Go","server":"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2","cipher_alg":"aes128-gcm@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256@libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"KEY1"}
>>>>>>>>
>>>>>>>
>>>>>>> This connection had “auth_attempts: 0,” so there was nothing to make
>>>>>>> a determination on.
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> {"ts":1629151420.84616,"uid":"CN6Tsq42Ki15BZF9J","id.orig_h":"IP3","id.orig_p":38122,"id.resp_h":"IP4","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-babeld-322814ef","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"rsa-sha2-512","host_key":"KEY2"}
>>>>>>>>
>>>>>>> This connection has “auth_success: false,” so it seems like a
>>>>>>> determination was made?
>>>>>>>
>>>>>>> The docs (
>>>>>>>
>>>>>>> https://docs.zeek.org/en/master/scripts/base/protocols/ssh/main.zeek.html#i…)
>>>>>>> have a bit more info, but essentially, yes it is expected, and Zeek goes to
>>>>>>> some lengths to avoid false positives and negatives, at the expense of true
>>>>>>> positives. However, that doesn’t seem to be the case here?
>>>>>>>
>>>>>>> —Vlad
>>>>>>>
>>>>>>
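An added example, not part of the thread and not Zeek's own code, that applies Vlad's explanation mechanically: join ssh.log to conn.log on `uid` and label every SSH connection that has no `auth_success` by whether its conn record reports `missed_bytes`. Two record pairs are copied from the excerpts above (trimmed to the fields used); the `Cconstructed1` pair is constructed to show the no-loss case, and the babeld record is the one Vlad pointed at as already determined.

```python
import json

# ssh.log records: the first is copied from the excerpt above (trimmed), the
# second from the earlier quoted message, the third is constructed.
SSH_LOG = """\
{"ts":1629355319.70739,"uid":"C0c0604XfdAEv7svZb","id.orig_h":"149.156.4.93","id.orig_p":42818,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
{"ts":1629151420.84616,"uid":"CN6Tsq42Ki15BZF9J","id.orig_h":"IP3","id.orig_p":38122,"id.resp_h":"IP4","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-babeld-322814ef"}
{"ts":1629400000.0,"uid":"Cconstructed1","id.orig_h":"10.0.0.5","id.orig_p":50000,"id.resp_h":"10.0.0.9","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_8.2"}
"""

# conn.log records: the first is copied from the excerpt above (trimmed), the
# second is constructed with missed_bytes 0.
CONN_LOG = """\
{"ts":1629355319.682793,"uid":"C0c0604XfdAEv7svZb","id.orig_h":"149.156.4.93","id.orig_p":42818,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":3674.8831601142885,"orig_bytes":5049,"resp_bytes":2136781,"conn_state":"RSTO","missed_bytes":9868,"history":"ShADadcgttR"}
{"ts":1629400000.0,"uid":"Cconstructed1","id.orig_h":"10.0.0.5","id.orig_p":50000,"id.resp_h":"10.0.0.9","id.resp_p":22,"proto":"tcp","service":"ssh","duration":12.5,"orig_bytes":3200,"resp_bytes":4100,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf"}
"""


def parse_jsonl(text):
    """Parse Zeek's JSON-lines output into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def loss_ratio(conn):
    """Fraction of this connection's payload bytes that Zeek never saw."""
    seen = conn.get("orig_bytes", 0) + conn.get("resp_bytes", 0)
    missed = conn.get("missed_bytes", 0)
    total = seen + missed
    return missed / total if total else 0.0


def triage_ssh(ssh_text, conn_text):
    """Join ssh.log to conn.log on uid and say why auth_success is missing.
    Returns {uid: verdict}."""
    conn_by_uid = {c["uid"]: c for c in parse_jsonl(conn_text)}
    verdicts = {}
    for s in parse_jsonl(ssh_text):
        conn = conn_by_uid.get(s["uid"])
        if "auth_success" in s:
            verdict = "determined"                  # the analyzer reached a decision
        elif conn is None:
            verdict = "no-conn-record"              # cannot tell; conn.log may be rotated
        elif conn.get("missed_bytes", 0) > 0:
            verdict = "undetermined:capture-loss"   # bytes missing, analyzer stays silent
        else:
            verdict = "undetermined:no-loss"        # full capture, still no decision
        verdicts[s["uid"]] = verdict
    return verdicts


if __name__ == "__main__":
    conns = {c["uid"]: c for c in parse_jsonl(CONN_LOG)}
    for uid, verdict in triage_ssh(SSH_LOG, CONN_LOG).items():
        ratio = loss_ratio(conns[uid]) if uid in conns else float("nan")
        print(f"{uid:22} {verdict:28} loss={ratio:.4%}")
```

On a real sensor, feed it the two log files directly; a high share of `undetermined:capture-loss` verdicts (as in this thread, where every ssh.log entry had a non-zero `missed_bytes`) points at the capture path, which is where the offload settings fixed things, rather than at the SSH analyzer.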
Hi,
I have updated metadata_tostring_fix function in metadata.py. It's ugly but
it gets the job done:
```python
import re

# These four constants are module-level in pysaml2's saml2/metadata.py;
# repeated here so the function also reads (and runs) on its own.
MDNS = '"urn:oasis:names:tc:SAML:2.0:metadata"'
bMDNS = b'"urn:oasis:names:tc:SAML:2.0:metadata"'
XMLNSXS = ' xmlns:xs="http://www.w3.org/2001/XMLSchema"'
bXMLNSXS = b' xmlns:xs="http://www.w3.org/2001/XMLSchema"'

# JN: the REFEDS security contact to splice in after the existing ContactPerson
REFEDS_SECURITY_CONTACT = (
    '<md:ContactPerson xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
    ' contactType="other"'
    ' remd:contactType="http://refeds.org/metadata/contactType/security"'
    ' xmlns:remd="http://refeds.org/metadata">'
    '<md:GivenName>Security Response Team</md:GivenName>'
    '<md:EmailAddress>mailto:security@xxxxxxxxxxxxxxx</md:EmailAddress>'
    '</md:ContactPerson>'
)


def metadata_tostring_fix(desc, nspair, xmlstring=""):
    if not xmlstring:
        xmlstring = desc.to_string(nspair)
    try:
        if "\"xs:string\"" in xmlstring and XMLNSXS not in xmlstring:
            xmlstring = xmlstring.replace(MDNS, MDNS + XMLNSXS)
    except TypeError:  # to_string() returned bytes rather than str
        if b"\"xs:string\"" in xmlstring and bXMLNSXS not in xmlstring:
            xmlstring = xmlstring.replace(bMDNS, bMDNS + bXMLNSXS)
    # JN: work on text so re.sub can be used, whichever type we were given
    text = xmlstring.decode("utf-8") if isinstance(xmlstring, bytes) else xmlstring
    # JN: inject the contact once, right after the first serialized ContactPerson
    # (ns0 is the prefix pysaml2's serializer emits for the md namespace)
    text = re.sub(r'(</ns0:ContactPerson>)', r'\1' + REFEDS_SECURITY_CONTACT, text, count=1)
    return text.encode("utf-8")  # JN: callers expect bytes back
```
Thu, 2 Sep 2021 at 16:05 Jakub Niezabitowski <kuba.michal.n at gmail.com>
wrote:
> Hello Ivan,
>
> thank you for your quick response. Adding assurance_certification works
> great!
>
> Thu, 2 Sep 2021 at 15:55 Ivan Kanakarakis <ivan.kanak at gmail.com>
> wrote:
>
>> hello Jakub,
>>
>> ## refeds metadata
>>
>> the refeds metadata is not known to pysaml2, and thus there is no way
>> to do this.
>> We can look into adding support and exposing that as part of the
>> configuration.
>>
>> Until that is in place, you can add a post processing rule on your
>> deployment proceed to inject the namespace and element as needed.
>>
>>
>> ## assurance certification
>>
>> To add an assurance certification you can add the following in your
>> saml frontend configuration:
>>
>> ```yaml
>> module: ...
>> name: ...
>> config:
>>   idp_config:
>>     ...
>>     assurance_certification:
>>       - https://refeds.org/sirtfi
>>     ...
>> ```
>>
>>
>> On Thu, 2 Sept 2021 at 15:25, Jakub Niezabitowski
>> <kuba.michal.n at gmail.com> wrote:
>> >
>> > Hello,
>> >
>> > does anybody know how to specify remd:contactType for Satosa front-end?
>> > It is necessary for Refeds. Example:
>> >
>> > <md:ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
>> >   <md:Company>XYZ</md:Company>
>> >   <md:GivenName>ABC</md:GivenName>
>> >   <md:SurName>Security</md:SurName>
>> >   <md:EmailAddress>mailto:security@example.com</md:EmailAddress>
>> > </md:ContactPerson>
>> >
>> > I would be also very thankful for help in adding this static string to
>> > metadata:
>> >
>> > <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ...>
>> >   <md:Extensions>
>> >     <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
>> >       <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>> >                       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>> >                       Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
>> >         <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
>> >       </saml:Attribute>
>> >     </mdattr:EntityAttributes>
>> >   </md:Extensions>
>> > </md:EntityDescriptor>
>> >
>> > Thank you in advance for any help
>> > Jakub
>> > _______________________________________________
>> > satosa-users mailing list
>> > satosa-users at lists.sunet.se
>> > https://lists.sunet.se/listinfo/satosa-users
>>
>>
>>
>> --
>> Ivan c00kiemon5ter Kanakarakis >:3
>>
>
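An added example (not Jakub's code, not Ivan's, and not pysaml2's own) of the post-processing rule Ivan mentions, done on the parsed tree instead of with a regex over the serialized string, so namespace declarations, element order and escaping are left to the XML library. It covers both of Jakub's requests: the `remd:contactType` security contact and the assurance-certification entity attribute (the latter is what the `assurance_certification` setting produces; it is included here for deployments that post-process the file anyway). The sample metadata and the email addresses are constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REMD = "http://refeds.org/metadata"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
for prefix, uri in (("md", MD), ("ds", DS), ("remd", REMD), ("mdattr", MDATTR), ("saml", SAML)):
    ET.register_namespace(prefix, uri)

SIRTFI = "https://refeds.org/sirtfi"
SECURITY_CONTACT_TYPE = "http://refeds.org/metadata/contactType/security"
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

# Constructed stand-in for the proxy's generated IdP metadata.
SAMPLE = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://proxy.example.com/Saml2IDP/proxy.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:admin@example.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""


def add_assurance_certification(root, value=SIRTFI):
    """Add an assurance-certification EntityAttribute, creating md:Extensions if
    needed. md:Extensions must precede the role descriptors; only ds:Signature
    may come before it."""
    ext = root.find(f"{{{MD}}}Extensions")
    if ext is None:
        ext = ET.Element(f"{{{MD}}}Extensions")
        position = 1 if len(root) and root[0].tag == f"{{{DS}}}Signature" else 0
        root.insert(position, ext)
    ea = ext.find(f"{{{MDATTR}}}EntityAttributes")
    if ea is None:
        ea = ET.SubElement(ext, f"{{{MDATTR}}}EntityAttributes")
    attr = ET.SubElement(ea, f"{{{SAML}}}Attribute", {
        "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
        "Name": ASSURANCE_ATTR,
    })
    ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return attr


def add_security_contact(root, email, given_name="Security Response Team"):
    """Append a REFEDS security contact; ContactPerson elements follow the descriptors."""
    contact = ET.SubElement(root, f"{{{MD}}}ContactPerson", {
        "contactType": "other",
        f"{{{REMD}}}contactType": SECURITY_CONTACT_TYPE,
    })
    ET.SubElement(contact, f"{{{MD}}}GivenName").text = given_name
    ET.SubElement(contact, f"{{{MD}}}EmailAddress").text = "mailto:" + email
    return contact


def postprocess(xml_bytes, security_email):
    """Inject both elements and re-serialize. Run this before the metadata is
    signed: an existing signature no longer covers the modified document."""
    root = ET.fromstring(xml_bytes)
    add_assurance_certification(root)
    add_security_contact(root, security_email)
    return ET.tostring(root, encoding="utf-8")


def assurance_values(xml_bytes):
    """Every assurance-certification value declared in the metadata (for checking)."""
    root = ET.fromstring(xml_bytes)
    return [v.text for a in root.iter(f"{{{SAML}}}Attribute")
            if a.get("Name") == ASSURANCE_ATTR
            for v in a.iter(f"{{{SAML}}}AttributeValue")]


def security_contacts(xml_bytes):
    """Email addresses of contacts carrying the REFEDS security contactType."""
    root = ET.fromstring(xml_bytes)
    return [c.findtext(f"{{{MD}}}EmailAddress") for c in root.iter(f"{{{MD}}}ContactPerson")
            if c.get(f"{{{REMD}}}contactType") == SECURITY_CONTACT_TYPE]


def first_child_tag(xml_bytes):
    """Tag of the first child of EntityDescriptor, to confirm Extensions ordering."""
    return ET.fromstring(xml_bytes)[0].tag


if __name__ == "__main__":
    print(postprocess(SAMPLE, "security@example.com").decode())
```

`assurance_values` and `security_contacts` double as a check on metadata you did not generate yourself: running them over a federation aggregate tells you which entities actually assert SIRTFI and publish a security contact, which is what the REFEDS framework is for.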
Hello,
does anybody know how to specify remd:contactType for Satosa front-end? It
is necessary for Refeds. Example:
```xml
<md:ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
  <md:Company>XYZ</md:Company>
  <md:GivenName>ABC</md:GivenName>
  <md:SurName>Security</md:SurName>
  <md:EmailAddress>mailto:security@example.com</md:EmailAddress>
</md:ContactPerson>
```
I would be also very thankful for help in adding this static string to
metadata:
```xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ...>
  <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                      Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>
```
Thank you in advance for any help
Jakub