Re: need howto for SELinux config--ssh on non-standard port

Daniel J Walsh said the following on 01/21/2010 05:05 AM Pacific Time:
On 01/20/2010 11:35 PM, John Poelstra wrote:

Where else should I be looking?

It is very clear that I can log in remotely on the non-standard port w/
selinux disabled and that it will not work when selinux is enabled.

John
ausearch -m avc -ts today

Should show you all of the AVC messages that you received today, if you are using auditing.

ausearch -m avc

Will show you all avc's that your system has logged

ausearch -m avc | audit2allow

Will give you the audit rules.

If you have been in permissive mode for a while, the log messages might have disappeared.

setenforce 1
setenforce 0

Will cause avc messages to show up again.

The root of the problem seems to be that there are no AVC messages. All of our previous discussion has centered around creating a new policy for them so it appears I need a different fix?

I do see these errors in /var/log/secure on the server, but that is all.

Jan 24 19:50:47 localhost sshd[1150]: Server listening on 0.0.0.0 port 63000.
Jan 24 19:50:47 localhost sshd[1150]: Server listening on :: port 63000.
Jan 24 19:50:54 localhost sshd[1151]: Accepted publickey for jp from 192.168.122.1 port 45292 ssh2
Jan 24 19:50:54 localhost sshd[1151]: pam_selinux(sshd:session): conversation failed
Jan 24 19:50:54 localhost sshd[1151]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
Jan 24 19:50:54 localhost sshd[1151]: pam_selinux(sshd:session): Unable to get valid context for jp
Jan 24 19:50:54 localhost sshd[1151]: pam_unix(sshd:session): session opened for user jp by (uid=0)
Jan 24 19:50:54 localhost sshd[1151]: error: PAM: pam_open_session(): Authentication failure
Jan 24 19:50:54 localhost sshd[1151]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument

---------------------------------
Here is what hits /var/log/audit/audit.log

type=USER_ACCT msg=audit(1264392255.965:73): user pid=1253 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1264392255.995:74): user pid=1253 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
type=LOGIN msg=audit(1264392255.996:75): login pid=1253 uid=0 old auid=0 new auid=500 old ses=3 new ses=8
type=USER_START msg=audit(1264392256.118:76): user pid=1253 uid=0 auid=500 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=failed'
type=CRED_ACQ msg=audit(1264392256.125:77): user pid=1256 uid=0 auid=500 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1264392256.130:78): user pid=1253 uid=0 auid=500 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/2 res=success'
type=CRED_DISP msg=audit(1264392256.143:79): user pid=1253 uid=0 auid=500 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'

---------------------------------


From the remote host it appears that a connection is made and then immediately closed.

$ ssh -p 63000 jp@xxxxxxxxxxxxxxx
Last login: Sun Jan 24 19:50:54 2010 from 192.168.122.1
Connection to 192.168.122.214 closed.

-------------------------------

I'm attaching my sshd config file if you want to try this out. As the config file shows, I'm using a preshared public key and password use is disabled as is root login. Run it by:
# /usr/sbin/sshd -f sshd_config

If I disable selinux with setenforce 0, login works fine.

Port 63000
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
Subsystem	sftp	/usr/libexec/openssh/sftp-server
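When there are no AVC records, the PAM records in audit.log are the next place to look; the following is an added example (not code from this thread or from Fedora) that filters one-record-per-line audit output for PAM results of "failed" and prints the record type, PAM operation, account and the subject context the sshd process was running under. The sample records are the ones quoted from the poster's audit.log above; the function names sample_audit and pam_failures are my own.

```shell
#!/bin/sh
# Added example: scan audit records (as printed by ausearch or taken from
# /var/log/audit/audit.log, one record per line) for PAM records with
# res=failed and show the fields relevant to an SELinux login problem.

# Records copied from the audit.log excerpt in the thread (one per line).
sample_audit() {
cat <<'EOF'
type=USER_ACCT msg=audit(1264392255.965:73): user pid=1253 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
type=LOGIN msg=audit(1264392255.996:75): login pid=1253 uid=0 old auid=0 new auid=500 old ses=3 new ses=8
type=USER_START msg=audit(1264392256.118:76): user pid=1253 uid=0 auid=500 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1264392256.130:78): user pid=1253 uid=0 auid=500 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/2 res=success'
EOF
}

# Read audit records on stdin; print "TYPE OP ACCT SUBJ" for each res=failed record.
# Values inside the nested msg='...' field are preceded by a quote rather than
# a space, so the key lookup accepts either as the delimiter.
pam_failures() {
    awk '
    # Return the value of key k in record s, with surrounding quotes stripped.
    function kv(s, k,    v) {
        if (!match(s, "[ \047]" k "=[^ ]+")) return "-"
        v = substr(s, RSTART + length(k) + 2, RLENGTH - length(k) - 2)
        gsub(/["\047]/, "", v)
        return v
    }
    /res=failed/ {
        type = $1; sub(/^type=/, "", type)
        print type, kv($0, "op"), kv($0, "acct"), kv($0, "subj")
    }'
}

# Usage: sample_audit | pam_failures   (or: ausearch -m USER_START | pam_failures)
sample_audit | pam_failures
```

For the sample above this prints only the USER_START record for PAM:session_open, with the unconfined_t subject context of the sshd that handled the login.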
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
