* can't log into machine w/ ssh
From: Michael Luu @ 2003-07-23 1:49 UTC
To: selinux
I've added a new user to my selinux box, and I'm able to log in locally.
However, when I log in remotely using ssh, the remote machine
automatically logs me out after I authenticate. Below is the output
from the console, and the output from the /var/log/secure file.
========================
ssh verbose output
========================
[mluu@mluu ~]$ ssh -v mike@myhost.com
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /home/mluu/.ssh/config
debug1: Applying options for *
debug1: /home/mluu/.ssh/config line 6: Deprecated option "FallBackToRsh"
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to myhost.com [192.168.1.225] port 22.
debug1: Connection established.
debug1: identity file /home/mluu/.ssh/id_rsa type 1
debug1: identity file /home/mluu/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 129/256
debug1: bits set: 1554/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'myhost.com' is known and matches the RSA host key.
debug1: Found key in /home/mluu/.ssh/known_hosts:42
debug1: bits set: 1585/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /home/mluu/.ssh/id_rsa
debug1: authentications that can continue: publickey,password
debug1: try pubkey: /home/mluu/.ssh/id_rsa
debug1: authentications that can continue: publickey,password
debug1: try privkey: /home/mluu/.ssh/id_dsa
debug1: next auth method to try is password
mike@myhost.com's password:
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: x11-req
debug1: Requesting authentication agent forwarding.
debug1: channel request 0: auth-agent-req@openssh.com
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug1: channel_free: channel 0: client-session, nchannels 1
Connection to myhost.com closed by remote host.
Connection to myhost.com closed.
debug1: Transferred: stdin 0, stdout 0, stderr 121 bytes in 0.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 634.7
debug1: Exit status -1
========================
/var/log/secure log file
========================
Jul 22 17:30:35 balboa sshd[3817]: Could not reverse map address
192.168.1.240.
Jul 22 17:30:38 balboa sshd[3817]: Accepted password for mike from
192.168.1.240 port 32804 ssh2
Jul 22 17:30:38 balboa sshd[3817]: fatal: Could not obtain SID for user
mike
Jul 22 17:30:38 balboa sshd[3817]: syslogin_perform_logout: logout()
returned an error
-mike
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: can't log into machine w/ ssh
From: Russell Coker @ 2003-07-24 3:34 UTC
To: Michael Luu, selinux
On Tue, 22 Jul 2003 21:49, Michael Luu wrote:
> sshd[3817]: fatal: Could not obtain SID for user mike
In the default configuration if the user is authorised for only the role
sysadm_r then this will be the result.
If you want to allow sysadm_r logins over ssh then you have to change the ssh
policy, but I strongly recommend that you just permit the user to use another
role.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* RE: can't log into machine w/ ssh
From: Michael Luu @ 2003-07-24 17:17 UTC
To: 'Russell Coker', selinux
the user mike only has the user_r role.
mike
* RE: can't log into machine w/ ssh
From: Michael Luu @ 2003-07-24 17:54 UTC
To: 'Russell Coker', selinux
when all else fails, rebooting the machine will make things work. :)
anyways, would you happen to know which services need to be restarted
when I add users and perform policy updates?
thanks,
mike
* Re: can't log into machine w/ ssh
From: Russell Coker @ 2003-07-24 18:10 UTC
To: Michael Luu, selinux
On Thu, 24 Jul 2003 13:17, Michael Luu wrote:
> the user mike only has the user_r role.
Run "grep ssh /etc/security/default_contexts" and check what's in there. It
should include user_r:user_t in the sshd_t line.
Also make sure that sshd is running as sshd_t.
Then check for avc denied messages.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: can't log into machine w/ ssh
From: Russell Coker @ 2003-07-24 18:11 UTC
To: Michael Luu, selinux
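The three checks above, as an added shell example that is not part of the thread: it runs over constructed sample data (a default_contexts excerpt, a `ps -eZ`-style listing and two log lines, all invented here) instead of the live system, and the sample sshd is deliberately shown running outside sshd_t so the failing case is visible.

```shell
#!/bin/sh
# Added example (not from the thread): the three checks Russell lists, run over
# constructed sample data so it can be tried offline. On a real box feed the
# functions /etc/security/default_contexts, `ps -eZ` and the kernel log instead.

# Constructed default_contexts excerpt: source context, then the contexts it may
# log users in as. Here the sshd_t line already allows user_r:user_t.
SAMPLE_CONTEXTS='system_r:sshd_t user_r:user_t staff_r:staff_t
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t'

# Constructed `ps -eZ`-style listing: this sshd was started by hand instead of
# through run_init and its init script, so it is not running in sshd_t.
SAMPLE_PS='system_u:system_r:init_t       1 ?  init
root:sysadm_r:sysadm_t        3801 ?  /usr/sbin/sshd'

# Constructed log lines (old-style kernel avc format, values invented here).
SAMPLE_LOG='Jul 22 17:30:38 balboa kernel: avc:  denied  { read } for  pid=3817 exe=/usr/sbin/sshd scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:etc_t tclass=file
Jul 22 17:30:38 balboa sshd[3817]: Accepted password for mike from 192.168.1.240 port 32804 ssh2'

# Check 1: does the sshd_t line of default_contexts list the given role:type?
sshd_allows() {
    printf '%s\n' "$SAMPLE_CONTEXTS" | grep '^system_r:sshd_t ' | grep -qw "$1"
}

# Check 2: the type (domain) the running sshd is in; empty if none is found.
sshd_domain() {
    printf '%s\n' "$SAMPLE_PS" | awk '/\/sshd$/ { split($1, c, ":"); print c[3] }'
}

# Check 3: number of avc denials attributed to the sshd binary.
sshd_denials() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c 'avc: *denied.*exe=/usr/sbin/sshd'
}

# Run all three; return 0 only when a user_r login over ssh should work.
diagnose() {
    ok=0
    sshd_allows user_r:user_t || { echo 'sshd_t line lacks user_r:user_t'; ok=1; }
    [ "$(sshd_domain)" = sshd_t ] || { echo "sshd runs as $(sshd_domain), not sshd_t"; ok=1; }
    [ "$(sshd_denials)" -eq 0 ] || { echo "$(sshd_denials) avc denial(s) for sshd"; ok=1; }
    return $ok
}

diagnose
```

With the sample data the script reports the wrong domain and one denial, which is the situation a reboot (and hence a proper init-script start) fixed in the thread.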
On Thu, 24 Jul 2003 13:54, Michael Luu wrote:
> when all else fails, rebooting the machine will make things work. :)
> anyways, would you happen to know which services need to be restarted
> when I add users and perform policy updates?
Nothing needs to be restarted.
I guess that you had sshd running in the wrong domain, and that when you
rebooted it was started in the right domain.
You have to use run_init to start daemons...
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* RE: can't log into machine w/ ssh
From: Michael Luu @ 2003-07-24 18:44 UTC
To: 'Russell Coker', selinux
thanks for your help!
mike
* RE: can't log into machine w/ ssh
From: Dean Anderson @ 2003-07-24 19:51 UTC
To: Michael Luu; +Cc: 'Russell Coker', selinux
Actually, you can only use run_init to run the rc scripts, and things run
directly by init. Only the RC scripts can start daemons. I also tried to
use run_init to directly start daemons, but it misses the transition from
init_t to initrc_t to sshd_t followed by init running the scripts:
domain_auto_trans(init_t, initrc_exec_t, initrc_t)
domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
The correct way to restart daemons is to use run_init to run the
/etc/rc.d/init.d/<svc> restart script. This is problematic for things
that are started out of rc.local. Possibly, separate rules could be made
for rc.local programs along the lines of domain_auto_trans(init_t,
sshd_exec_t, sshd_t) or perhaps a run_initrc program.
Though, probably, it's better to create a separate rc script for its admin
benefits...
--Dean