* can't log into machine w/ ssh
From: Michael Luu @ 2003-07-23  1:49 UTC
  To: selinux

I've added a new user to my SELinux box, and I'm able to log in locally.
However, when I log in remotely using ssh, the remote machine
automatically logs me out after I authenticate.  Below is the output
from the console, and the output from the /var/log/secure file.

========================
ssh verbose output
========================
[mluu@mluu ~]$ ssh -v mike@myhost.com
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /home/mluu/.ssh/config
debug1: Applying options for *
debug1: /home/mluu/.ssh/config line 6: Deprecated option "FallBackToRsh"
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to myhost.com [192.168.1.225] port 22.
debug1: Connection established.
debug1: identity file /home/mluu/.ssh/id_rsa type 1
debug1: identity file /home/mluu/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 129/256
debug1: bits set: 1554/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'myhost.com' is known and matches the RSA host key.
debug1: Found key in /home/mluu/.ssh/known_hosts:42
debug1: bits set: 1585/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /home/mluu/.ssh/id_rsa
debug1: authentications that can continue: publickey,password
debug1: try pubkey: /home/mluu/.ssh/id_rsa
debug1: authentications that can continue: publickey,password
debug1: try privkey: /home/mluu/.ssh/id_dsa
debug1: next auth method to try is password
mike@myhost.com's password: 
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: x11-req
debug1: Requesting authentication agent forwarding.
debug1: channel request 0: auth-agent-req@openssh.com
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug1: channel_free: channel 0: client-session, nchannels 1
Connection to myhost.com closed by remote host.
Connection to myhost.com closed.
debug1: Transferred: stdin 0, stdout 0, stderr 121 bytes in 0.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 634.7
debug1: Exit status -1
========================
/var/log/secure log file
========================
Jul 22 17:30:35 balboa sshd[3817]: Could not reverse map address 192.168.1.240.
Jul 22 17:30:38 balboa sshd[3817]: Accepted password for mike from 192.168.1.240 port 32804 ssh2
Jul 22 17:30:38 balboa sshd[3817]: fatal: Could not obtain SID for user mike
Jul 22 17:30:38 balboa sshd[3817]: syslogin_perform_logout: logout() returned an error

-mike


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: can't log into machine w/ ssh
From: Russell Coker @ 2003-07-24  3:34 UTC
  To: Michael Luu, selinux

On Tue, 22 Jul 2003 21:49, Michael Luu wrote:
> sshd[3817]: fatal: Could not obtain SID for user mike

In the default configuration if the user is authorised for only the role 
sysadm_r then this will be the result.

If you want to allow sysadm_r logins over ssh then you have to change the ssh 
policy, but I strongly recommend that you just permit the user to use another 
role.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* RE: can't log into machine w/ ssh
From: Michael Luu @ 2003-07-24 17:17 UTC
  To: 'Russell Coker', selinux

The user mike only has the user_r role.

mike


* RE: can't log into machine w/ ssh
From: Michael Luu @ 2003-07-24 17:54 UTC
  To: 'Russell Coker', selinux

When all else fails, rebooting the machine will make things work. :)
Anyway, would you happen to know which services need to be restarted
when I add users and perform policy updates?

thanks,

mike


* Re: can't log into machine w/ ssh
From: Russell Coker @ 2003-07-24 18:10 UTC
  To: Michael Luu, selinux

On Thu, 24 Jul 2003 13:17, Michael Luu wrote:
> the user mike only has the user_r role.

Run "grep ssh /etc/security/default_contexts" and check what's in there.  It 
should include user_r:user_t in the sshd_t line.

Also make sure that sshd is running as sshd_t.

Then check for avc denied messages.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


* Re: can't log into machine w/ ssh
From: Russell Coker @ 2003-07-24 18:11 UTC
  To: Michael Luu, selinux

On Thu, 24 Jul 2003 13:54, Michael Luu wrote:
> when all else fails, rebooting the machine will make things work. :)
> anyways, would you happen to know which services needs to be restarted
> when i do add users and perform policy updates?

Nothing needs to be restarted.

I guess that you had sshd running in the wrong domain, and that when you 
rebooted it was started in the right domain.

You have to use run_init to start daemons...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
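As an added example (not code from the thread, and not sshd's own implementation), the sh script below models the lookup sshd performs against /etc/security/default_contexts that Russell describes in the two messages above: the line for the daemon's context must list a role:type whose role the user is authorised for, and if sshd runs in a domain that has no line at all, the lookup fails too, which is the wrong-domain case. The file contents, daemon contexts and roles are constructed samples, and the function is a simplified model of the lookup.

```sh
#!/bin/sh
# Added example: models the default_contexts lookup behind
# "Could not obtain SID for user". The two files below are constructed
# samples, not the poster's /etc/security/default_contexts.
#
# Each line: the login daemon's role:type, then the user contexts it may
# hand out, in order of preference.
BROKEN_CONTEXTS='system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:sshd_t staff_r:staff_t'

# Same file with user_r:user_t added to the sshd_t line.
FIXED_CONTEXTS='system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:sshd_t user_r:user_t staff_r:staff_t'

# default_context CONTEXTS DAEMON_CONTEXT ROLE...
# Prints the first listed role:type whose role is among the user's
# authorised roles. Prints nothing and returns 1 when no context can be
# derived: either the daemon's line lacks any of the user's roles, or the
# daemon runs in a domain the file has no line for (wrong domain).
default_context() {
  contexts=$1; daemon=$2; shift 2
  line=$(printf '%s\n' "$contexts" | awk -v d="$daemon" '$1 == d { print; exit }')
  [ -n "$line" ] || return 1
  for ctx in $(printf '%s\n' "$line" | cut -d' ' -f2-); do
    role=${ctx%%:*}
    for r in "$@"; do
      [ "$r" = "$role" ] && { printf '%s\n' "$ctx"; return 0; }
    done
  done
  return 1
}

# Walk-through of the thread's cases.
default_context "$BROKEN_CONTEXTS" system_r:sshd_t user_r \
  || echo "sshd_t line has no context for user_r: login would be refused"
default_context "$FIXED_CONTEXTS" system_r:sshd_t user_r
default_context "$FIXED_CONTEXTS" system_r:initrc_t user_r \
  || echo "no default_contexts line for initrc_t: sshd is in the wrong domain"
```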


* RE: can't log into machine w/ ssh
From: Michael Luu @ 2003-07-24 18:44 UTC
  To: 'Russell Coker', selinux

Thanks for your help!

mike


* RE: can't log into machine w/ ssh
From: Dean Anderson @ 2003-07-24 19:51 UTC
  To: Michael Luu; +Cc: 'Russell Coker', selinux

Actually, you can only use run_init to run the rc scripts, and things run
directly by init. Only the RC scripts can start daemons. I also tried to
use run_init to directly start daemons, but it misses the transition from
init_t to initrc_t to sshd_t followed by init running the scripts:

domain_auto_trans(init_t, initrc_exec_t, initrc_t)
domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)

The correct way to restart daemons is to use run_init to run the
/etc/rc.d/init.d/<svc> restart script.  This is problematic for things
that are started out of rc.local. Possibly, separate rules could be made
for rc.local programs along the lines of domain_auto_trans(init_t,
sshd_exec_t, sshd_t) or perhaps a run_initrc program.

Though, probably, it's better to create a separate rc script for its admin
benefits...

		--Dean

