Bug 471746
| Field | Value |
|---|---|
| Summary | add pam_sepermit to sshd pam config to block confined users in permissive mode |
| Product | Fedora |
| Component | openssh |
| Version | 10 |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Hardware | All |
| OS | Linux |
| Reporter | Dominick Grift <dominick.grift> |
| Assignee | Tomas Mraz <tmraz> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, mgrepl, tmraz |
| Keywords | Reopened |
| Fixed In Version | openssh-5.1p1-5.fc11 |
| Doc Type | Bug Fix |
| Last Closed | 2009-02-12 15:41:22 UTC |
Description
Dominick Grift
2008-11-15 16:46:39 UTC
Please do not put multiple bugs into one bug report next time. The canonical name for the module is now pam_sepermit. The pam_selinux_permit.so is just a symlink for backward compatibility. 'man pam_sepermit' thus gives you the manual page. You must add %guest_u to sepermit.conf, not %seuser guest_u. sshd is not set by default because the xguest user is not supposed to be allowed in by sshd.

Thanks for clarifying points one and two. Sorry for the false alarm. About point 3 though: xguest_u is not allowed to use sshd, only gdm.

True. However, guest_u is not allowed to use gdm, only sshd... CCing dwalsh. Dan, what do you think about guest_u? I do not think we should support passwordless ssh login. But what about adding pam_sepermit to the sshd PAM configuration to block guest_u if SELinux is in permissive mode?

I think adding it is fine and probably a good idea; blocking guest_u logins with SELinux disabled or permissive is also a good idea. I think we need to make sure xguest_u is only available via gdm and not sshd by default, and I am not sure pam_sepermit supports this. If I install the xguest package I do not want the xguest user to be accessible with no password from the internet.

I would use a different pam config entry for sshd that would not allow passwordless logins. That is my only concern.

I would like to get to the point where we could experiment with returning random UIDs from a range of uids. So you could set up a group of guest accounts that people could log into with temporary home and /tmp directories. Perhaps without a password.

This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle. Changing version to '10'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
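As an added illustration (not taken from the bug or from the Fedora openssh package), the two configuration pieces the thread is talking about: the sepermit.conf entry for the guest_u SELinux user, and a pam_sepermit line placed in the sshd stack with a control flag that only blocks and never grants a passwordless login. The sshd stack layout below is assumed; only the pam_sepermit line and the %guest_u entry come from the discussion.

```text
# /etc/security/sepermit.conf  (entry format as documented in pam_sepermit(8))
# A user matching an entry is let through only while SELinux is enforcing;
# in permissive or disabled mode pam_sepermit returns an auth error for
# that user. Users matching no entry get PAM_IGNORE, so the rest of the
# stack decides as usual.
# Prefix %: SELinux user, prefix @: group, no prefix: Linux login name.
%guest_u

# /etc/pam.d/sshd  (assumed Fedora-style layout; only the first line is
# the change under discussion)
#
# "required" means a pam_sepermit success does NOT finish the auth stack:
# the user must still satisfy pam_unix via password-auth. Writing this
# line as "sufficient" instead would let a matching user in with no
# password whenever SELinux is enforcing, which is the passwordless-ssh
# concern raised above. Note also that sshd only runs the PAM auth stack
# for password/keyboard-interactive logins, so this line does not affect
# public-key authentication.
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth
```

After changing the files, verify the effect with `setenforce 0` on a test machine and an ssh password login as a guest_u-mapped user: it must be refused, while the same login succeeds again once `setenforce 1` is restored.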