mtamizi n00b

Joined: 23 Oct 2004 Posts: 18
|
Posted: Wed Jan 05, 2005 9:54 pm Post subject: [SELinux] Trouble Logging in Remotely Using SSH |
|
|
I'm having trouble with logging in remotely using SSH after copying my version of Hardened Gentoo with SELinux to a new hard drive. After copying the old drive to the new one, I rebooted and ran `make relabel`. Everything seems to work fine except for sshd, which worked before I swapped drives. I even tried following the instructions in http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-handbook.xml?part=5&chap=3.
I tried the following based on the guide:
| Code: | # rlpkg openssh
# /etc/init.d/sshd restart |
I still get the following output for `sestatus -v`, which has the incorrect context type for /usr/sbin/sshd:
| Code: | SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Policy version: 15
Process contexts:
Current context: matin:sysadm_r:sysadm_t
Init context: system_u:system_r:init_t
/sbin/agetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:initrc_t ###This should be system_u:system_r:sshd_t
File contexts:
Controlling term: matin:object_r:sysadm_devpts_t
/sbin/init system_u:object_r:init_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/bin/login system_u:object_r:login_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash system_u:object_r:shell_exec_t
/bin/tcsh system_u:object_r:shell_exec_t
/bin/csh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/sash system_u:object_r:shell_exec_t
/usr/bin/gdm system_u:object_r:bin_t
/usr/X11R6/bin/xdm system_u:object_r:bin_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t |
Is this the cause of the problem? If so, how do I fix it?
Last edited by mtamizi on Fri Jan 07, 2005 4:45 pm; edited 2 times in total |
|
mtamizi n00b

Joined: 23 Oct 2004 Posts: 18
|
Posted: Fri Jan 07, 2005 3:43 pm Post subject: |
|
|
The following shows my output for ssh -vvv localhost. I appreciate any help.
| Code: | $ ssh -vvv localhost
OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
.
.
.
Password:
debug3: packet_send2: adding 32 (len 26 padlen 6 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t3 r-1 i0/0 o0/0 fd 4/5 cfd -1)
debug3: channel 0: close_fds r 4 w 5 e 6 c -1
Connection to localhost closed by remote host.
Connection to localhost closed.
debug1: Transferred: stdin 0, stdout 0, stderr 81 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 3708.0
debug1: Exit status -1 |
|
|
mtamizi n00b

Joined: 23 Oct 2004 Posts: 18
|
Posted: Fri Jan 07, 2005 4:48 pm Post subject: |
|
|
sshd log has:
| Code: | Jan 7 11:46:54 [sshd] Accepted keyboard-interactive/pam for matin from 127.0.0.1 port 38168 ssh2
Jan 7 11:46:54 [sshd] PAM pam_putenv: delete non-existent entry; XAUTHORITY
Jan 7 11:46:54 [sshd] fatal: Failed to get default security context for matin.
Jan 7 11:46:54 [sshd] PAM pam_putenv: delete non-existent entry; XAUTHORITY |
|
|
mtamizi n00b

Joined: 23 Oct 2004 Posts: 18
|
Posted: Mon Jan 10, 2005 1:36 pm Post subject: |
|
|
I can get sshd to start in the proper context by using the following:
| Code: | | # runcon system_u:system_r:sshd_t /usr/sbin/sshd |
However, I still get the following error in my sshd log:
| Code: | | [sshd] fatal: Failed to get default security context for matin. |
What useful information can I gather from this? |
|
Parksy n00b

Joined: 02 Nov 2004 Posts: 57 Location: Waterloo, ON
|
Posted: Wed Feb 02, 2005 1:25 am Post subject: |
|
|
| mtamizi wrote: | I can get sshd to start in the proper context by using the following:
| Code: | | # runcon system_u:system_r:sshd_t /usr/sbin/sshd |
However, I still get the following error in my sshd log:
| Code: | | [sshd] fatal: Failed to get default security context for matin. |
What useful information can I gather from this? |
I have resolved a problem similar to this one. I was getting that fatal error message when trying to log in with any non-root user.
I followed the handbook's troubleshooting section and didn't get any success initially. However, I have realized that my problem was not fixed because I was running
| Code: | | /etc/init.d/sshd restart | instead of | Code: | | run_init /etc/init.d/sshd restart |
I'm running selinux in permissive mode. According to ssh still isn't labelled correctly, but it is working. |
|
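Added example, not part of any post in this thread: a shell check for the symptom visible in the first post's `sestatus -v` output, a daemon whose process type is not the expected one (`initrc_t` where `sshd_t` was expected). The `EXPECTED_DOMAINS` table, the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare process domains reported by `sestatus -v`
# against an expected table. Table entries are assumptions taken from
# the thread's output: "<path> <expected type>" pairs on one line.
EXPECTED_DOMAINS="/usr/sbin/sshd sshd_t /sbin/agetty getty_t"

# Reads `sestatus -v` output on stdin, prints one line per mismatch,
# returns 1 if any listed process runs in an unexpected type.
check_domains() {
    awk -v expected="$EXPECTED_DOMAINS" '
    BEGIN {
        bad = 0
        n = split(expected, pairs, " ")
        for (i = 1; i + 1 <= n; i += 2) want[pairs[i]] = pairs[i + 1]
    }
    # Only the "Process contexts:" section is checked; the same paths
    # appear again under "File contexts:" with *_exec_t file labels.
    /^Process contexts:/ { in_proc = 1; next }
    /^File contexts:/    { in_proc = 0 }
    in_proc && $1 ~ /^\// {
        split($2, ctx, ":")          # user:role:type[:level]
        if (($1 in want) && ctx[3] != want[$1]) {
            printf "MISMATCH %s running as %s, expected %s\n", $1, ctx[3], want[$1]
            bad = 1
        }
    }
    END { exit bad }'
}

# Constructed sample, trimmed from the output posted in the thread.
sample_sestatus() {
    cat <<'EOF'
SELinux status: enabled
Current mode: permissive
Process contexts:
Current context: matin:sysadm_r:sysadm_t
Init context: system_u:system_r:init_t
/sbin/agetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:initrc_t
File contexts:
/usr/sbin/sshd system_u:object_r:sshd_exec_t
EOF
}

# On a live system: sestatus -v | check_domains
sample_sestatus | check_domains || echo "daemon in unexpected domain"
```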
Ritter n00b

Joined: 26 Nov 2003 Posts: 15
|
Posted: Mon Apr 25, 2005 9:30 am Post subject: thanks |
|
|
| I wasn't able to log in remotely after making a new policy and restarting sshd. I tried your suggestion and can now log in fine, while the labeling didn't change at all. Can anyone explain for someone new to selinux what the difference was that resolved this? |
|
vladgrigorescu Guru


Joined: 11 Jan 2005 Posts: 360
|
Posted: Mon Jan 16, 2006 10:46 pm Post subject: |
|
|
| Please add [Solved] to the title. Thanks! |
|
|