Bug 906852
Summary: | No shell after successful ssh authentication | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Gregor Hlawacek <gregor> |
Component: | pam | Assignee: | Tomas Mraz <tmraz> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 18 | CC: | mattias.ellert, mgrepl, mvadkert, plautrba, tmraz, tometzky+redhat |
Target Milestone: | --- | Keywords: | SELinux |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | pam-1.1.6-4.fc18 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-07-14 03:31:31 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Gregor Hlawacek
2013-02-01 17:25:47 UTC
Do you see anything related in the 'ausearch -m AVC' output? What messages from pam modules do you see in /var/log/secure? I will supply the info but not before Monday. The described problem prevents me from logging into the machine on the weekend :( var/log/messages Feb 4 08:37:25 ssp-ws081 systemd-logind[648]: New session 106 of user lawa. Feb 4 08:37:26 ssp-ws081 kernel: [225920.710166] type=1400 audit(1359963446.692:14): avc: denied { dyntransition } for pid=10793 comm="sshd" scontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process Feb 4 08:37:26 ssp-ws081 systemd-logind[648]: Removed session 106. var/log/secure Feb 4 08:37:25 ssp-ws081 sshd[10784]: pam_unix(sshd:session): session opened for user lawa by (uid=0) ausearch -m AVC /var/log/audit/audit.log permissions should be 0600 or 0640 NOTE - using built-in logs: /var/log/audit/audit.log <no matches> However, I will reinstall from scratch there are too many other unresolved issues after upgrading from 17 to 18. I'll report back if it still occurs in a vanilla f18 Eventually I postpone trashing my system for a lillte while. I found out today that I can not login via the console too. I can login into X and open a terminal there and login via su to become root. However, if I press Ctrl-alt-F2 to get to the console I can not login neither as root nor as user. messages and secure just contain messages from logind that the login has been denied. Could this be related to the above problem? Gregor Please try to switch to SELinux permissive mode with 'setenforce 0' or with enforcing=0 as kernel parameter. Does it help? Also could you try to relabel your filesystem using '/usr/sbin/fixfiles onboot' and reboot? Hi Petr, I am afraid that I will go for my other solution than. Relabeling (and later on relabeling again) ... I think I install F18 from scratch than. This is on my work computer, svn server, ... I need that thing working thanks for the input. Gregor I think the same bug manifested on my system today. I can't login now, but I could just today at about 10:00 CET. This is cleanly installed Fedora 18, not an upgrade, so reinstalling from scratch won't necessarily help - so don't do this, Gregor. As it is probably a selinux problem running "setenforce 0" after reboot should help at least for now. I'll try to narrow it down tomorrow. thanks for the warning but too late :-) I did not have this issue on my laptop which had a fresh install, and so far I also do not see it on the freshly installed desktop machine. I've tracked a cause for this bug in my system's case. The problem wasn't SELinux related though. It was a corrupted /var/log/btmp file. Yesterday I've logged in to my computer using a password when prompted for login. It was saved in /var/log/secure and /var/log/btmp. So I've stopped rsyslogd and replaced my password in both files with a bunch of "_". But I think I've made a mistake and have written one less "_" than a number of characters in my password. So: Version-Release number of selected component (if applicable): util-linux-2.22.1-2.4.fc18.x86_64 Steps to Reproduce: 1. echo -n > /var/log/btmp 2. ssh foobar@localhost 3. [Ctrl-C at password prompt] 4. sed -i s/foobar/fooba/ /var/log/btmp 5. ssh root@localhost 6. [Enter root password at password prompt] Actual results: Last login: Thu Feb 7 16:09:00 2013 Connection to localhost closed. Expected results: Last login: Thu Feb 7 16:09:00 2013 root@localhost# Additional info: It's probably util-linux bug, no openssh. It's pretty serious, as it can prevent root login at all both from ssh and from console when one, unimportant file is slightly corrupted. There is even not a slightest indicator what's a problem - if I haven't remembered that I've messed with btmp, I'd have a system that I could not login to and no clue what did go wrong. I'd have to reinstall this system. I am able to reproduce the issue with these packages: openssh-6.1p1-4.fc18.x86_64 pam-1.1.6-3.fc18.1.x86_64 util-linux-2.22.2-4.fc18.x86_64 The issue disappears if I comment out postlogin in /etc/pam.d/sshd. After discussion with Petr this seems as PAM issue. Reassigning. Miroslav, what do you have in /etc/pam.d/postlogin? Do you see anything in /var/log/secure? pam-1.1.6-4.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/pam-1.1.6-4.fc18 pam-1.1.6-12.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/pam-1.1.6-12.fc19 Package pam-1.1.6-12.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing pam-1.1.6-12.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-12889/pam-1.1.6-12.fc19 then log in and leave karma (feedback). pam-1.1.6-12.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. pam-1.1.6-4.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. |