Re: need howto for SELinux config--ssh on non-standard port

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 01/24/2010 11:11 PM, John Poelstra wrote:
> Daniel J Walsh said the following on 01/21/2010 05:05 AM Pacific Time:
>> On 01/20/2010 11:35 PM, John Poelstra wrote:
>>>
>>> Where else should I be looking?
>>>
>>> It is very clear that I can log in remotely on the non-standard port w/
>>> selinux disabled and that it will not work when selinux is enabled.
>>>
>>> John
>> ausearch -m avc -ts today
>>
>> Should show you all of the AVC messages that you received today.  If
>> you are using auditing.
>>
>> ausearch -m avc
>>
>> Will show you all avc's that your system has logged
>>
>> ausearch -m avc | audit2allow
>>
>> Will give you the audit rules.
>>
>> If you have been in permissive mode for a while, the log messages
>> might have disappeared.
>>
>> setenforce 1
>> setenforce 0
>>
>> Will cause avc messages to show up again.
> 
> The root of the problem seems to be that there are no AVC messages.  All
> of our previous discussion has centered around creating a new policy for
> them so it appears I need a different fix?
> 
> I do see these errors in /var/log/secure on the server, but that is all.
> 
> Jan 24 19:50:47 localhost sshd[1150]: Server listening on 0.0.0.0 port
> 63000.
> Jan 24 19:50:47 localhost sshd[1150]: Server listening on :: port 63000.
> Jan 24 19:50:54 localhost sshd[1151]: Accepted publickey for jp from
> 192.168.122.1 port 45292 ssh2
> Jan 24 19:50:54 localhost sshd[1151]: pam_selinux(sshd:session):
> conversation failed
> Jan 24 19:50:54 localhost sshd[1151]: pam_selinux(sshd:session): No
> response to query: Would you like to enter a security context? [N]
> Jan 24 19:50:54 localhost sshd[1151]: pam_selinux(sshd:session): Unable
> to get valid context for jp
> Jan 24 19:50:54 localhost sshd[1151]: pam_unix(sshd:session): session
> opened for user jp by (uid=0)
> Jan 24 19:50:54 localhost sshd[1151]: error: PAM: pam_open_session():
> Authentication failure
> Jan 24 19:50:54 localhost sshd[1151]: error: ssh_selinux_setup_pty:
> security_compute_relabel: Invalid argument
> 
> ---------------------------------
> Here is what hits /var/log/audit/audit.log
> 
> type=USER_ACCT msg=audit(1264392255.965:73): user pid=1253 uid=0 auid=0
> ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=PAM:accounting acct="jp" exe="/usr/sbin/sshd"
> hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
> type=CRED_ACQ msg=audit(1264392255.995:74): user pid=1253 uid=0 auid=0
> ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=PAM:setcred acct="jp" exe="/usr/sbin/sshd"
> hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
> type=LOGIN msg=audit(1264392255.996:75): login pid=1253 uid=0 old auid=0
> new auid=500 old ses=3 new ses=8
> type=USER_START msg=audit(1264392256.118:76): user pid=1253 uid=0
> auid=500 ses=8
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=PAM:session_open acct="jp" exe="/usr/sbin/sshd"
> hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=failed'
> type=CRED_ACQ msg=audit(1264392256.125:77): user pid=1256 uid=0 auid=500
> ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=PAM:setcred acct="jp" exe="/usr/sbin/sshd"
> hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
> type=USER_LOGIN msg=audit(1264392256.130:78): user pid=1253 uid=0
> auid=500 ses=8
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='uid=500:
> exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1
> terminal=/dev/pts/2 res=success'
> type=CRED_DISP msg=audit(1264392256.143:79): user pid=1253 uid=0
> auid=500 ses=8
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=PAM:setcred acct="jp" exe="/usr/sbin/sshd"
> hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
> 
> ---------------------------------
> 
> 
> From the remote host it appears that a connection is made and then
> immediately closed.
> 
> $ ssh -p 63000 jp@xxxxxxxxxxxxxxx
> Last login: Sun Jan 24 19:50:54 2010 from 192.168.122.1
> Connection to 192.168.122.214 closed.
> 
> -------------------------------
> 
> I'm attaching my sshd config file if you want to try this out.  As the
> config file shows, I'm using a preshared public key and password use is
> disabled as is root login.  Run it by:
> # /usr/sbin/sshd -f sshd_config
> 
> If I disable selinux with setenforce 0, login works fine.
ps -eZ | grep sshd

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux