Description of problem: From the default sshd_config, make the following changes: -- Port 1122 -- ListenAddress 192.168.1.0/24 -- PermitRootLogin yes -- LoginGraceTime 1m -- MaxAuthRetries 4 Update SELinux and add the non-standard port -- semanage port -a -t ssh_port_t -p tcp 1122 [root@host sepolicies]# semanage port -l |grep ssh ssh_port_t tcp 1122, 22 EXCERPT FROM SSHD_CONFIG: Port 1122 #AddressFamily any #ListenAddress 0.0.0.0 ListenAddress 192.168.1.0/24 #ListenAddress :: # Authentication: LoginGraceTime 1m PermitRootLogin yes #StrictModes yes MaxAuthTries 4 #MaxSessions 10 SELinux is preventing /usr/sbin/sshd from 'name_bind' accesses on the tcp_socket . ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sshd should be allowed name_bind access on the tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sshd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023 Target Context system_u:object_r:lmtp_port_t:s0 Target Objects [ tcp_socket ] Source sshd Source Path /usr/sbin/sshd Port 24 Host (removed) Source RPM Packages openssh-server-6.4p1-5.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-179.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.15.7-200.fc20.x86_64 #1 SMP Mon Jul 28 18:50:26 UTC 2014 x86_64 x86_64 Alert Count 54 First Seen 2014-08-17 01:44:06 CDT Last Seen 2014-08-17 02:28:47 CDT Local ID c2b0b24b-f0da-4a06-9d53-b321ff5cc9a6 Raw Audit Messages type=AVC msg=audit(1408260527.366:1093): avc: denied { name_bind } for pid=13505 comm="sshd" src=24 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1408260527.366:1093): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=7f1a6a2ce300 a2=10 a3=7fff1e54ee50 items=0 ppid=1 pid=13505 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) Hash: sshd,sshd_t,lmtp_port_t,tcp_socket,name_bind Additional info: reporter: libreport-2.2.3 hashmarkername: setroubleshoot kernel: 3.15.7-200.fc20.x86_64 type: libreport
To be sure what does # grep "Port" /etc/ssh/sshd_config
(In reply to Miroslav Grepl from comment #1) > To be sure what does > > # grep "Port" /etc/ssh/sshd_config [tkrupins@caprica ~]$ sudo grep "Port" /etc/ssh/sshd_config [sudo] password for tkrupins: Port 1122 #GatewayPorts no [tkrupins@caprica ~]$
Does the AVC relate with this change? It talks about "src=24".
-- ListenAddress 192.168.1.0/24 Looks like this is overriding the port?
You can't use a network address in ListenAddress, you have to use ip addresses you use on your system. If you want to filter connections based on network addresses use either 'Match Address ...' directive or a firewall. However, it's a bug in openssh code. It should inform an user that there's used a wrong format.
Yes, I realize it was a mistake on my part when attempting to configure the settings. However, I agree with your analysis that about informing the user about invalid syntax.
Created attachment 978099 [details] Make config parser more strict to ip:port values This problem is also in upstream of openssh and there is for some reason parser which accept both 1.2.3.4:22 and 1.2.3.0/24 as ip and port. I browsed through the man pages and there is mentioned only the first format so I think we can drop this unwanted functionality, because 1.2.3.0/24 is common format for mask and not for ip:port. This behaviour can be fixed with appended patch.
Created attachment 979037 [details] dist git patch
openssh-6.6.1p1-11.1.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/openssh-6.6.1p1-11.1.fc21
openssh-6.4p1-8.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/openssh-6.4p1-8.fc20
Package openssh-6.4p1-8.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing openssh-6.4p1-8.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-0756/openssh-6.4p1-8.fc20 then log in and leave karma (feedback).
openssh-6.6.1p1-11.1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
openssh-6.4p1-8.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.