Bug 841693
| Summary: | SSHD Cannot authenticate YubiKey (SELinux prevents name_connect) | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Paul DeStefano <prd-fedora> |
| Component: | pam_yubico | Assignee: | Maxim Burgerhout <maxim> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 17 | CC: | dennis, maxim, nb |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-10-15 10:46:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Paul DeStefano
2012-07-19 21:37:38 UTC
Is there anything I can do to assist here? Can someone at least tell me if this is an SSHD problem or a pam_yubico problem?

Sorry for the late response. The problem you describe is not with sshd or with pam_yubico, but with SELinux denying sshd permission to connect to the Yubico authentication servers. sshd is not usually allowed to initiate network connections. If you build this policy module, you get an SELinux boolean called ssh_can_network that you can toggle to make things work again. You can download it from my fedorapeople site[1]. The .te file is the source code for the module; the .pp file is a compiled, loadable module that you can use directly. I'll try to check with the SELinux people whether we can include this in the policy permanently, but that might take some time. The module I wrote is crude and overly simple, but it gets the job done for now.

[1] http://fedorapeople.org/~wzzrd/841693/

No problem. Your policy looks like a great solution. Thank you for posting the module source. I'm using a nearly identical one, myself. I can understand if it takes some time to get this module added to the permanent policy; but I like the boolean option and I assume that makes it easier to get approved. Please post here if there are objections to the policy, as I am interested in what security holes may be opened by this solution.

Status update

This is fixed in Fedora's selinux-policy by this commit[1]. This commit will create an 'authlogin_yubikey' boolean that can be used to allow or disallow sshd_t (and several other types, like login_t) to name_connect to http_port_t. Big thanks to Dan Walsh. A new release of selinux-policy for Fedora 18 will be out soon. Fix expected in selinux-policy-3.11.1-33.fc18.noarch.

[1] http://git.fedorahosted.org/cgit/selinux-policy.git/patch/?id=944db72223a1d4137ad8470a4ded38441f97ac24

The boolean 'authlogin_yubikey' was added to the SELinux policy for Fedora 18. Flip it to 'on' to enjoy Yubikey logins. I'm closing this bug now. Please reopen if the problem reoccurs or persists.

This is great. I didn't expect this solution and I'm anxious to try it. But, can't this be released for F17?

I'm afraid not: implementing the boolean was quite a significant change in the SELinux policy. Backporting this to the policy for F17 would be a lot of work. I don't think that is going to happen, especially since there is a viable workaround. But then again, it's not up to me. I only co-maintain pam_yubico, not the SELinux policy :)

What's the workaround? Is there another bug where I can comment to the policy maintainers? This bug was introduced by the F17 policy pkg, so it seems clear that pkg needs to be updated with this patch. This was working in F15 and F16.
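The thread above names the denial (sshd_t doing name_connect to http_port_t) and two fixes: the authlogin_yubikey boolean that landed in the Fedora 18 selinux-policy, and a local module with its own ssh_can_network boolean as the Fedora 17 workaround. The script below is an added example, not code from the bug report and not the module Maxim posted on fedorapeople (which is not shown on the page). It recognises exactly that AVC record and applies the matching fix on the host. The audit record it ships with is constructed for the example (real ones come from `ausearch -m avc -c sshd`), and the .te text is my own minimal reconstruction using the standard refpolicy interface for http ports; everything else (boolean and type names) comes from the thread.

```shell
#!/bin/sh
# Added example (not from bug 841693 or its linked module): recognise the
# sshd_t -> http_port_t name_connect denial and apply the fix for the running
# Fedora release. Run as root with --apply to change policy; without it the
# script only classifies the constructed sample record.

# CONSTRUCTED sample AVC record in the format `ausearch -m avc` prints.
SAMPLE_AVC='type=AVC msg=audit(1342734000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="sshd" dest=443 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY: print the value of KEY=... from an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# type_of CONTEXT: the type field (user:role:TYPE:level) of a context.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# perm_of LINE: the denied permission inside "{ ... }".
perm_of() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | tr -d ' '
}

# needs_yubikey_boolean LINE: succeed only for the denial in the bug, i.e.
# sshd_t -> http_port_t name_connect on a tcp_socket. Other source types,
# other port types and file denials are deliberately not matched, so the
# script never suggests a broader "let sshd talk to the network" change.
needs_yubikey_boolean() {
    [ "$(perm_of "$1")" = name_connect ] &&
    [ "$(avc_field "$1" tclass)" = tcp_socket ] &&
    [ "$(type_of "$(avc_field "$1" scontext)")" = sshd_t ] &&
    [ "$(type_of "$(avc_field "$1" tcontext)")" = http_port_t ]
}

# write_te: Fedora 17 workaround module (my reconstruction, assumption).
# The permission sits behind a tunable so it can be switched off again.
write_te() {
    cat <<'EOF'
policy_module(ssh_can_network, 1.0)

gen_require(`
    type sshd_t;
')

## <desc>
## <p>Allow sshd to connect to http ports (pam_yubico validation servers).</p>
## </desc>
gen_tunable(ssh_can_network, false)

tunable_policy(`ssh_can_network',`
    corenet_tcp_connect_http_port(sshd_t)
')
EOF
}

# apply_fix: Fedora 18+ has the boolean from the cited selinux-policy commit;
# Fedora 17 needs the local module built against selinux-policy-devel.
apply_fix() {
    if getsebool authlogin_yubikey >/dev/null 2>&1; then
        setsebool -P authlogin_yubikey on
    elif [ -f /usr/share/selinux/devel/Makefile ]; then
        tmp=$(mktemp -d)
        write_te > "$tmp/ssh_can_network.te"
        ( cd "$tmp" && make -f /usr/share/selinux/devel/Makefile ssh_can_network.pp \
            && semodule -i ssh_can_network.pp ) && setsebool -P ssh_can_network on
    else
        echo "install selinux-policy-devel to build the local module" >&2
        return 1
    fi
}

if needs_yubikey_boolean "$SAMPLE_AVC"; then
    echo "record is the sshd_t -> http_port_t name_connect denial from bug 841693"
fi
if [ "${1:-}" = --apply ]; then
    apply_fix
fi
```

Both booleans keep the extra permission narrow (only ports labelled http_port_t, which include 80 and 443 where the Yubico validation API listens) and switchable with `setsebool`, which is the property worth checking when asking what holes the change opens; `getsebool authlogin_yubikey` shows the current state and `ausearch -m avc -c sshd` confirms the denial is gone.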