SELinux and sshd

Posted 01-02-2012 at 04:55 PM by sag47
Updated 08-05-2012 at 12:58 AM by sag47

So I've started using the new Fedora 16 on my main media server (previously F14) and decided to try something new this time. I've always set SELinux to permissive, which is normally a bad idea for anything public (which this server isn't, but I still want enforcing mode). Anyway, I believe I was testing something before I left for the holidays and ran
Code:
setenforce 0
which switches SELinux to permissive mode (it stops enforcing). I guess at some point it turned back on somehow and I was locked out of ssh. I dug through my logs (/var/log/messages, /var/log/audit/audit.log) and didn't find much, but then ran
Code:
tail -f /var/log/secure
and tried to log in via ssh again. That gave me a hint of what was going wrong, because the following errors appeared in the secure log.

Code:
Jan  2 17:11:49 stealth sshd[9225]: error: Could not get shadow information for sam
Jan  2 17:11:49 stealth sshd[9225]: Failed password for sam from 127.0.0.1 port 55123 ssh2
I thought maybe it was an SELinux context problem and ran
Code:
ls -Z /etc/ssh/
restorecon -R /etc/ssh/
systemctl restart sshd.service
which had no effect. Finally, after I felt I'd exhausted my local resources, I turned to Google. I googled "selinux ssh could not get shadow information for *" without the quotes.

I clicked on the first link, which was this one. I read the whole thread, and at the bottom the person resolved it by removing /etc/ssh/ and then reinstalling openssh-server. This, by the way, is the dumbest solution ever: any time someone reinstalls or reboots to fix something in Linux, it just means that the problem will crop up again. So our journey continues.

The next link I clicked on was a Red Hat ticket. I rebuilt my policy database by running "semodule -DB", but that had no effect. It wasn't until I got to the bottom of the thread, where the user posted back with their solution, that things made sense. Apparently SSHD doesn't use PAM (Pluggable Authentication Modules) by default. It was commented out in their installation, so I checked mine. Sure enough, the setting "UsePAM" was commented out, so I uncommented it.
Code:
UsePAM yes
The odd thing is that I had earlier uncommented another setting, "PasswordAuthentication yes", and thought that had resolved it. That's what I get for not reading the entire config the first time I configured it.

For those who are curious, these are the settings I have changed from the defaults in my sshd_config.
Code:
PermitRootLogin no
AllowGroups wheel
ChallengeResponseAuthentication no
UsePAM yes
If you use PKAuth (public key authentication) then you don't want the ChallengeResponseAuthentication set to no.
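As an added example (not from the original post), here is a small POSIX shell helper that reads an sshd_config the way sshd does: comment lines are ignored, keywords are case-insensitive, and the first active occurrence of a directive wins. A commented "#UsePAM yes" like the one in the post is therefore reported as unset rather than as "yes", and a second function counts the "Could not get shadow information" lines from a secure log so the symptom can be alerted on. The config fragment and log lines are constructed to match the post.

```shell
# Constructed sshd_config fragment reproducing the post's mistake: UsePAM is present but commented out.
SAMPLE_SSHD_CONFIG='#UsePAM yes
PasswordAuthentication yes
PermitRootLogin no
AllowGroups wheel
ChallengeResponseAuthentication no'

# effective_value CONFIG_TEXT DIRECTIVE
# Prints the value sshd will use: comment lines are skipped, keywords are
# case-insensitive, and the first active occurrence wins. Prints "unset"
# when no active line sets the directive.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# check_usepam CONFIG_TEXT
# Succeeds only when UsePAM is explicitly active; otherwise names the
# symptom the post hit.
check_usepam() {
    v=$(effective_value "$1" UsePAM)
    if [ "$v" = yes ]; then
        echo "ok: UsePAM yes is active"
        return 0
    fi
    echo "warn: UsePAM is $v; sshd consults /etc/shadow itself instead of handing the check to PAM"
    return 1
}

# enable_usepam CONFIG_TEXT
# Uncomments a "#UsePAM yes" line, which is the fix the post arrived at.
enable_usepam() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*#[[:space:]]*\(UsePAM[[:space:]]\)/\1/'
}

# count_shadow_failures LOG_TEXT
# Counts /var/log/secure lines carrying the symptom, e.g. for an alert.
count_shadow_failures() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: error: Could not get shadow information for/ { n++ } END { print n + 0 }'
}

# Constructed log lines modelled on the two in the post plus one success.
SAMPLE_SECURE_LOG='Jan  2 17:11:49 stealth sshd[9225]: error: Could not get shadow information for sam
Jan  2 17:11:49 stealth sshd[9225]: Failed password for sam from 127.0.0.1 port 55123 ssh2
Jan  2 17:12:03 stealth sshd[9230]: Accepted publickey for sam from 127.0.0.1 port 55130 ssh2'

check_usepam "$SAMPLE_SSHD_CONFIG" || true                # warn: UsePAM is unset
check_usepam "$(enable_usepam "$SAMPLE_SSHD_CONFIG")"     # ok: UsePAM yes is active
```

To check a real host, pass the file contents instead of the sample, e.g. `check_usepam "$(cat /etc/ssh/sshd_config)"`.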

In addition to that, for Samba, I had to set a few extra SELinux booleans and file contexts, which was a bit of a pain.
Code:
setsebool -P samba_export_all_ro 1
setsebool -P samba_export_all_rw 1
man samba_selinux
chcon -R -t samba_share_t /my/share
That was my adventure after the holidays.

Comments

  Comment 1
    I probably should have mentioned this but if you have the
    Code:
    AllowGroups wheel
    setting then only users who belong to the wheel group are able to ssh into the system.

    Here's an example of adding a user who can't ssh and then adding that user to a group so they can ssh.
    Code:
    adduser test
    usermod -a -G wheel test
    Now user test can ssh into the system but other users can't. Mind you those commands are for RHEL/Fedora. If you have a different OS then you should research user management for your system.
    Posted 01-03-2012 at 10:14 PM by sag47
    Updated 01-03-2012 at 10:15 PM by sag47