SELinux and sshd
So I've started using the new Fedora 16 on my main media server (previously F14) and decided to try something new this time. I've always set SELinux to permissive, which is normally a bad idea for anything public (which this server isn't, but I still want it). Anyway, I believe I was testing something before I left for the holidays and ran
Code:
setenforce 0
which disables SELinux. I guess at some point it turned back on somehow and I was locked out of ssh. I dug through my logs (/var/log/messages, /var/log/audit/audit.log) and didn't find much, but then ran
Code:
tail -f /var/log/secure
and tried to log in via ssh again. Well, I found a hint of what was going wrong, because I found the following secure log errors.
Code:
Jan 2 17:11:49 stealth sshd[9225]: error: Could not get shadow information for sam
Jan 2 17:11:49 stealth sshd[9225]: Failed password for sam from 127.0.0.1 port 55123 ssh2
I thought maybe it was an SELinux context thing and ran
Code:
ls -Z /etc/ssh/
restorecon -R /etc/ssh/
systemctl restart sshd.service
which had no effect. Finally, after I felt I'd exhausted my local resources, I turned to Google. I googled "selinux ssh could not get shadow information for *" without quotes.
Clicked on the first link, which was this one. Read the whole thread, and at the bottom the person resolved it by removing /etc/ssh/ and then reinstalling openssh-server. This, by the way, is the dumbest solution ever, and anytime someone reinstalls or reboots to fix something in Linux it just means that the problem will crop up again. So our journey continues.
The next link I clicked on was a Red Hat ticket. I rebuilt my policy database by running "semodule -DB", but that had no effect. It wasn't until I got to the bottom of the thread that the user posted back with their solution. Apparently sshd doesn't use PAM (Pluggable Authentication Modules) by default. It was commented out in their installation, so I checked mine. Sure enough, the setting "UsePAM" was commented out, so I uncommented it.
Code:
UsePAM yes
The odd thing about it is that I had uncommented another setting, "PasswordAuthentication yes", and thought I had resolved this. That's what I get for not reading the entire config the first time I configured it.
For those who are curious, I have made the following changes away from the defaults in my sshd_config.
Code:
PermitRootLogin no
AllowGroups wheel
ChallengeResponseAuthentication no
UsePAM yes
If you use PKAuth (public key authentication) then you don't want ChallengeResponseAuthentication set to no.
In addition to that, for Samba, I had to allow a few extra SELinux rules, which was a little pain.
Code:
setsebool -P samba_export_all_ro 1
setsebool -P samba_export_all_rw 1
man samba_selinux
chcon -R -t samba_share_t /my/share
That was my adventure after the holidays.
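The trap in the post was a directive that was commented out rather than set, so the compiled-in default applied. The script below is an added example, not code from the post or the openssh project: it reports the effective value of an sshd_config directive the way sshd reads it (first uncommented match wins) and counts the "Could not get shadow information" lines in a secure log. The config and log contents are constructed samples modelled on the post, and the explanation that sshd without PAM reads /etc/shadow itself is the usual reading of that error, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post). Mirrors the post's failure mode:
# UsePAM commented out in sshd_config plus "Could not get shadow information"
# errors in /var/log/secure while SELinux is enforcing.
# Constructed sample sshd_config: UsePAM is commented out, as in the post.
SAMPLE_CONFIG=$(mktemp)
cat >"$SAMPLE_CONFIG" <<'EOF'
#UsePAM yes
PasswordAuthentication yes
PermitRootLogin no
AllowGroups wheel
ChallengeResponseAuthentication no
EOF
# Constructed sample of /var/log/secure, shaped like the post's entries.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jan 2 17:11:49 stealth sshd[9225]: error: Could not get shadow information for sam
Jan 2 17:11:49 stealth sshd[9225]: Failed password for sam from 127.0.0.1 port 55123 ssh2
Jan 2 17:12:03 stealth sshd[9230]: Accepted publickey for sam from 127.0.0.1 port 55130 ssh2
EOF

# effective_setting CONFIG KEY DEFAULT: first uncommented match wins, keywords
# are case-insensitive, and "Key value" or "Key=value" are both accepted, as
# with sshd; a commented-out line yields DEFAULT (the compiled-in default).
effective_setting() {
    key_lc=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v k="$key_lc" 'BEGIN { FS = "[ \t=]+" }
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == k { print $2; exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# count_shadow_errors LOG: how often sshd failed to read a shadow entry.
count_shadow_errors() {
    grep -c 'Could not get shadow information' "$1" || true
}

# diagnose CONFIG LOG: upstream sshd defaults UsePAM to no, so a commented-out
# line turns PAM off and sshd tries to read /etc/shadow directly, which the
# SELinux sshd domain is not allowed to do; PAM's helper does that instead.
diagnose() {
    pam=$(effective_setting "$1" UsePAM no)
    errs=$(count_shadow_errors "$2")
    if [ "$pam" != yes ] && [ "$errs" -gt 0 ]; then
        echo "FIX: set 'UsePAM yes' (effective UsePAM=$pam, shadow errors=$errs)"
    else
        echo "OK: effective UsePAM=$pam, shadow errors=$errs"
    fi
}
diagnose "$SAMPLE_CONFIG" "$SAMPLE_LOG"
```

Run it against a real host with `diagnose /etc/ssh/sshd_config /var/log/secure` after sourcing the functions; the sample files exist only so the script runs offline.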
Comments
I probably should have mentioned this but if you have the
Code:
AllowGroups wheel
Here's an example of adding a user who can't ssh and then adding that user to a group so they can ssh.
Code:
adduser test
usermod -a -G wheel test
Posted 01-03-2012 at 10:14 PM by sag47
Updated 01-03-2012 at 10:15 PM by sag47