Bug 119251

Summary: ssh cannot properly access ~/.Xauthority during remote login
Product: [Fedora] Fedora
Component: policy
Version: rawhide
Hardware: i386
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Keywords: Security
Reporter: G.Wolfe Woodbury <redwolfe>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
CC: pgraner
Doc Type: Bug Fix
Last Closed: 2004-04-04 06:51:52 UTC

Attachments:
avc messages for ssh connection
policy-source users file - ggw is admin/staff user

Description G.Wolfe Woodbury 2004-03-27 08:50:26 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Gecko/20031114

Description of problem:
ssh login from FC1 to FC2t1 yields an error about the .Xauthority file
access:
ggw:~ $ ssh -X tembo.private
ggw's password:
/usr/X11R6/bin/xauth:  timeout in locking authority file /home/ggw/.Xauthority
[ggw@tembo ggw]$

It does allow the login, but subsequent attempts to use the forwarded
X connection fail noisily:

[ggw@tembo ggw]$ system-config-nfs
X11 connection rejected because of wrong authentication.
[ggw@tembo ggw]$ xhost
X11 connection rejected because of wrong authentication.
X connection to localhost:11.0 broken (explicit kill or server shutdown).
[ggw@tembo ggw]$


Version-Release number of selected component (if applicable):
1.9-15

How reproducible:
Always

Steps to Reproduce:
1. install from development w/policy-1.9-15
2. add users and set up ssh, etc...
3. login remotely and see description
    

Actual Results:  see description

Additional info:

see attached AVCs from /var/log/messages.

Comment 1 G.Wolfe Woodbury 2004-03-27 08:52:39 UTC
Created attachment 98899
avc messages for ssh connection

Comment 2 Daniel Walsh 2004-03-29 16:49:27 UTC
When you log in, what is the id of ggw?

It looks like it is running as user_t but logging into a home dir that
is marked staff_t?



Comment 3 G.Wolfe Woodbury 2004-03-29 17:45:54 UTC
Created attachment 98939
policy-source users file - ggw is admin/staff user

user ggw is an admin/staff user.

Comment 4 Daniel Walsh 2004-03-29 17:59:03 UTC
user ggw  roles  { staff_r sysadm_r user_r };
should be
user ggw  roles  { staff_r sysadm_r system_r };
Not sure that will solve the problem, but could you try it?

Dan

Comment 5 G.Wolfe Woodbury 2004-04-03 06:59:32 UTC
seems to be solved by test2 and subsequent updates to policy.16
ssh no longer complains.
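
The mismatch suspected in Comment 2 (a process in user_t touching a home directory labelled for the staff role) can be picked out of AVC denials mechanically. The following is an added example, not part of the bug report or of the Fedora policy; the log lines are constructed (they are not the attached AVCs), and the type names and the rule that per-role types start with the role name are assumptions.

```python
import re

# Constructed sample syslog lines in the AVC denial layout; they are NOT the
# contents of the attachment on this bug. Type names are illustrative.
SAMPLE_LOG = """\
Mar 27 03:48:10 tembo sshd[2198]: Accepted password for ggw from 192.168.1.5 port 32771 ssh2
Mar 27 03:48:11 tembo kernel: audit(1080377291.101:0): avc:  denied  { write } for  pid=2210 exe=/usr/X11R6/bin/xauth name=ggw dev=hda2 ino=81921 scontext=ggw:user_r:user_t tcontext=ggw:object_r:staff_home_dir_t tclass=dir
Mar 27 03:48:11 tembo kernel: audit(1080377291.105:0): avc:  denied  { read write } for  pid=2210 exe=/usr/X11R6/bin/xauth name=.Xauthority dev=hda2 ino=81930 scontext=ggw:user_r:user_t tcontext=ggw:object_r:staff_home_t tclass=file
Mar 27 03:48:15 tembo kernel: audit(1080377295.007:0): avc:  denied  { read } for  pid=2231 exe=/bin/cat name=shadow dev=hda2 ino=4411 scontext=ggw:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*?)\s*"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Assumed naming: per-role types begin with the role name (user_t, staff_home_t, ...).
ROLE_PREFIXES = {"user", "staff", "sysadm"}


def parse_denials(log_text):
    """Return one dict per AVC denial found in log_text."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. the sshd line)
        fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
        denials.append({
            "perms": m["perms"].split(),
            "exe": fields.get("exe"),
            "name": fields.get("name"),
            "source_type": m["scon"].split(":")[2],  # user:role:type
            "target_type": m["tcon"].split(":")[2],
            "tclass": m["tclass"],
        })
    return denials


def cross_role_denials(log_text):
    """Denials where a process in one role's domain touched another role's objects."""
    hits = []
    for d in parse_denials(log_text):
        src = d["source_type"].split("_", 1)[0]
        tgt = d["target_type"].split("_", 1)[0]
        if src in ROLE_PREFIXES and tgt in ROLE_PREFIXES and src != tgt:
            hits.append(d)
    return hits
```

Denials returned by `cross_role_denials` point at a login that landed in the wrong role or at mislabelled files, rather than at a missing allow rule for the correct domain.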