SELinux and sshd

Posted 01-02-2012 at 04:55 PM by sag47
Updated 08-05-2012 at 12:58 AM by sag47

So I've started using the new Fedora 16 on my main media server (previously F14) and decided to try something new this time. I've always set SELinux to permissive which is a bad idea normally for anything public (which this server isn't but I still want it). Anyway I believe I was testing something before I left for the holidays and ran

Code:

setenforce 0

which disables SELinux. I guess at some point it turned back on somehow and I was locked out of ssh. I dug through my logs (/var/log/messages, /var/log/audit/audit.log) and didn't find much but then ran

Code:

tail -f /var/log/secure

and tried to log in via ssh again. Well I found a hint of what was going wrong because I found the following secure log errors.

Code:

Jan  2 17:11:49 stealth sshd[9225]: error: Could not get shadow information for sam
Jan  2 17:11:49 stealth sshd[9225]: Failed password for sam from 127.0.0.1 port 55123 ssh2

I thought maybe it was an SELinux context thing and ran

Code:

ls -Z /etc/ssh/
restorecon -R /etc/ssh/
systemctl restart sshd.service

which had no effect. Finally after I felt I've exhausted my local resources I turned to google. I googled "selinux ssh could not get shadow information for *" without quotes.

Clicked on the first link which was this one. Read the whole thread and at the bottom the person resolved it by removing /etc/ssh/ and then reinstalling openssh-server. This, by the way, is the dumbest solution ever and anytime someone reinstalls or reboots to fix something in Linux just means that the problem will crop up again. So our journey continues.

The next link I click on was a redhat ticket. I rebuilt my policy database by running "semodule -DB" but that had no effect. It wasn't until I got to the bottom of the thread where the user posted back with their solution. Apparently SSHD doesn't use PAM (Pluggable Authentication Modules) by default. It was commented out in their installation so I checked mine. Sure enough the setting "UsePAM" was commented out so I uncommented it.

Code:

UsePAM yes

The odd thing about it is that I had uncommented another setting "PasswordAuthentication yes" and thought I had resolved this. That's what I get for not reading the entire config the first time I configured it.

For those who are curious I have set the following changes away from defaults on my sshd_config.

Code:

PermitRootLogin no
AllowGroups wheel
ChallengeResponseAuthentication no
UsePAM yes

If you use PKAuth (public key authentication) then you don't want the ChallengeResponseAuthentication set to no.

In addition to that, for samba, I had to allow a few extra SELinux rules which was a little pain.

Code:

setsebool -P samba_export_all_ro 1
setsebool -P samba_export_all_rw 1
man samba_selinux
chcon -R -t samba_share_t /my/share

That was my adventure after the holidays.

Posted in SELinux Adventures

Views 12707 Comments 1

« Prev Main Next »

Total Comments 1

Comments

I probably should have mentioned this but if you have the

Code:

AllowGroups wheel

setting then only users who belong to the wheel group are able to ssh into the system.

Here's an example of adding a user who can't ssh and then adding that user to a group so they can ssh.

Code:

adduser test
usermod -a -G wheel test

Now user test can ssh into the system but other users can't. Mind you those commands are for RHEL/Fedora. If you have a different OS then you should research user management for your system.

Posted 01-03-2012 at 10:14 PM by sag47 sag47 is offline

Updated 01-03-2012 at 10:15 PM by sag47