On 01/24/2010 11:11 PM, John Poelstra wrote:
> Daniel J Walsh said the following on 01/21/2010 05:05 AM Pacific Time:
>> On 01/20/2010 11:35 PM, John Poelstra wrote:
>>>
>>> Where else should I be looking?
>>>
>>> It is very clear that I can log in remotely on the non-standard port w/
>>> selinux disabled and that it will not work when selinux is enabled.
>>>
>>> John
>> ausearch -m avc -ts today
>>
>> Should show you all of the AVC messages that you received today. If
>> you are using auditing.
>>
>> ausearch -m avc
>>
>> Will show you all avc's that your system has logged
>>
>> ausearch -m avc | audit2allow
>>
>> Will give you the audit rules.
>>
>> If you have been in permissive mode for a while, the log messages
>> might have disappeared.
>>
>> setenforce 1
>> setenforce 0
>>
>> Will cause avc messages to show up again.
>
> The root of the problem seems to be that there are no AVC messages. All
> of our previous discussion has centered around creating a new policy for
> them so it appears I need a different fix?
>
> I do see these errors in /var/log/secure on the server, but that is all.
>
> Jan 24 19:50:47 localhost sshd[1150]: Server listening on 0.0.0.0 port 63000.
> Jan 24 19:50:47 localhost sshd[1150]: Server listening on :: port 63000.
> Jan 24 19:50:54 localhost sshd[1151]: Accepted publickey for jp from 192.168.122.1 port 45292 ssh2
> Jan 24 19:50:54 localhost sshd[1151]: pam_selinux(sshd:session): conversation failed
> Jan 24 19:50:54 localhost sshd[1151]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
> Jan 24 19:50:54 localhost sshd[1151]: pam_selinux(sshd:session): Unable to get valid context for jp
> Jan 24 19:50:54 localhost sshd[1151]: pam_unix(sshd:session): session opened for user jp by (uid=0)
> Jan 24 19:50:54 localhost sshd[1151]: error: PAM: pam_open_session(): Authentication failure
> Jan 24 19:50:54 localhost sshd[1151]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
>
> ---------------------------------
> Here is what hits /var/log/audit/audit.log
>
> type=USER_ACCT msg=audit(1264392255.965:73): user pid=1253 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
> type=CRED_ACQ msg=audit(1264392255.995:74): user pid=1253 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
> type=LOGIN msg=audit(1264392255.996:75): login pid=1253 uid=0 old auid=0 new auid=500 old ses=3 new ses=8
> type=USER_START msg=audit(1264392256.118:76): user pid=1253 uid=0 auid=500 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=failed'
> type=CRED_ACQ msg=audit(1264392256.125:77): user pid=1256 uid=0 auid=500 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
> type=USER_LOGIN msg=audit(1264392256.130:78): user pid=1253 uid=0 auid=500 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/2 res=success'
> type=CRED_DISP msg=audit(1264392256.143:79): user pid=1253 uid=0 auid=500 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
>
> ---------------------------------
>
>
> From the remote host it appears that a connection is made and then
> immediately closed.
>
> $ ssh -p 63000 jp@xxxxxxxxxxxxxxx
> Last login: Sun Jan 24 19:50:54 2010 from 192.168.122.1
> Connection to 192.168.122.214 closed.
>
> -------------------------------
>
> I'm attaching my sshd config file if you want to try this out. As the
> config file shows, I'm using a preshared public key and password use is
> disabled as is root login. Run it by:
> # /usr/sbin/sshd -f sshd_config
>
> If I disable selinux with setenforce 0, login works fine.

ps -eZ | grep sshd

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
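The two checks this thread converges on, as an added POSIX shell example that is not code from the thread or from any of its participants: which SELinux domain each sshd process runs in (the `ps -eZ | grep sshd` check in the last reply) and which PAM operations the audit log records as failed, which `ausearch -m avc` never shows because they are not AVC denials. The ps and audit lines are constructed samples modelled on the ones quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: the two checks the thread ends on,
# run over constructed sample input so the script works offline.

# Constructed sample of `ps -eZ | grep sshd` output. PID 1047 was started by
# init and runs in sshd_t; PID 1150 was started by hand from an unconfined
# root shell and is still in unconfined_t.
PS_SAMPLE=$(cat <<'EOF'
system_u:system_r:sshd_t:s0-s0:c0.c1023       1047 ?        00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1150 ?        00:00:00 sshd
EOF
)

# Constructed audit records modelled on the ones quoted in the thread.
AUDIT_SAMPLE=$(cat <<'EOF'
type=USER_ACCT msg=audit(1264392255.965:73): user pid=1253 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
type=USER_START msg=audit(1264392256.118:76): user pid=1253 uid=0 auid=500 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="jp" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=failed'
EOF
)

# Print "<pid> <type>" for every sshd process in ps -eZ output ($1).
# The SELinux type is the third colon-separated field of the context.
sshd_domains() {
    printf '%s\n' "$1" | awk '$NF == "sshd" { split($1, c, ":"); print $2, c[3] }'
}

# Print the PIDs of sshd processes that are NOT confined in sshd_t.
# A daemon started by hand (e.g. "/usr/sbin/sshd -f sshd_config" from an
# unconfined shell) would show up here; that is what the last reply's
# "ps -eZ | grep sshd" is looking for.
sshd_unconfined_pids() {
    sshd_domains "$1" | awk '$2 != "sshd_t" { print $1 }'
}

# Print "<pid> <op>" for every PAM record with res=failed in audit text ($1).
# These are USER_* records, not AVC denials, so "ausearch -m avc" is silent
# about them even though the login is failing.
pam_failures() {
    printf '%s\n' "$1" |
        sed -n "s/.*pid=\([0-9]*\).*msg='\(op=[^ ]*\).*res=failed.*/\1 \2/p"
}

# Stand-alone run over the constructed samples.
echo "sshd processes outside sshd_t: $(sshd_unconfined_pids "$PS_SAMPLE")"
echo "failed PAM operations: $(pam_failures "$AUDIT_SAMPLE")"
```

On a live system, feed it `ps -eZ` output and `/var/log/audit/audit.log` (or `ausearch -m USER_START`) instead of the samples.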