Bug 227733

Summary: | [LSPP] unable to ssh into a system as root/auditadm_r
---|---
Product: | Red Hat Enterprise Linux 5
Component: | openssh
Version: | 5.0
Hardware: | All
OS: | Linux
Status: | CLOSED ERRATA
Severity: | medium
Priority: | medium
Reporter: | Matt Anderson <mra>
Assignee: | Tomas Mraz <tmraz>
QA Contact: | Brian Brock <bbrock>
CC: | iboverma, klaus, krisw, linda.knippers, sgrubb
Fixed In Version: | RHSA-2007-0540
Doc Type: | Bug Fix
Last Closed: | 2007-11-07 15:32:29 UTC
Bug Blocks: | 224041

Description
Matt Anderson
2007-02-07 20:48:54 UTC
Make sure you have 'PermitRootLogin yes' in the /etc/ssh/sshd_config if you want to log in as root.

For the record: ssh <user>/secadm_r@<host> isn't working either.

Dan said it would be fixed in the next policy release.

Actually we found that it would be better to update openssh to make it work.

*** Bug 227770 has been marked as a duplicate of this bug. ***

Created attachment 147769
Proposed patch by Dan Walsh

Fixed + improved auditing of role changes in openssh-4.3p2-17.el5.

Built a package with the above patch and upgraded on an x86_64 box. Logins as secadm_r and auditadm_r are working fine. The strange thing, though, is that I can also log in successfully on another similar box in which the only difference (in terms of patchlevel/package versions) is the patch above. On both boxes I have:

    [abat@zaphod ~]$ grep sshd_t /etc/selinux/mls/contexts/default_contexts
    system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
    [abat@zaphod ~]$

And I also can't see any difference in the way auditing works between the two boxes (for both login acceptance and denial). On the other hand, it seems acceptable the way it is now. Wonder if this was fixed in a previous ssh release or even in another updated package (maybe mcstrans and/or libselinux).

My bad. Just now I saw that I was applying this same patch to the (stock) -16 release while it has already been applied and released on Dan's people page as release -17 (which I had blindly upgraded to without checking the changelog). It's working fine and generating the additional USER_ROLE_CHANGE when successfully logging in with a non-default role, while some more info is being reported in the USER_ERR record when the role change is denied. I think we may close this bug. Matt?

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0540.html