Bug 427329
| Summary: | Unable to login with password to sshd | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jan ONDREJ <ondrejj> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | Ben Levenson <benl> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 8 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-01-03 14:54:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Do you have sshd setup to not use pam? sshd using pam does not need to read the shadow file directly, It uses a helper application to read the shadow file. Allowing sshd to read the shadow file directly is considered a potential security risk. If you use the interface auth_read_shadow(sshd_t) instead of the allow rule, the policy module should build and install. |
Description of problem: I am ubale to log in to my system using password (logging using ssh public key is working). This message is in /var/log/secure: Jan 3 06:54:46 work sshd[4235]: error: Could not get shadow information for MYLOGIN Jan 3 06:54:46 work sshd[4235]: Failed password for MYLOGIN from 15.197.150.60 port 44933 ssh2 Version-Release number of selected component (if applicable): selinux-policy-targeted-3.0.8-72.fc8 How reproducible: always Steps to Reproduce: 1. setenforce 1 2. log in to your system without pubkey usage Actual results: Permission denied (publickey,password,keyboard-interactive). Expected results: log in Additional info: After using of "semodule -DB" "audit2allow -l -a" shows: allow sshd_t shadow_t:file { read getattr }; but I am ubable to allow this: libsepol.check_assertion_helper: neverallow violated by allow sshd_t shadow_t:file { read };