Bug 1813388 - SELinux is preventing SSHD from authenticating user using pub key
Keywords:
Status: CLOSED DUPLICATE of bug 1813023
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-03-13 16:43 UTC by Tristan Cacqueray
Modified: 2020-03-13 16:55 UTC (History)

Fixed In Version:
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-13 16:55:01 UTC
Type: Bug
Embargoed:



Description Tristan Cacqueray 2020-03-13 16:43:36 UTC
Description of problem: When trying to ssh it fails with:
```
ssh -i /var/lib/zuul/.ssh/id_rsa zuul-worker@host
packet_write_wait: Connection to host port 22: Broken pipe
```

Version-Release number of selected component (if applicable):
This is happening with a rawhide cloud image that is updated periodically.

How reproducible:
Using Fedora-Cloud-Base-Rawhide-20200313.n.0.x86_64.qcow2


Steps to Reproduce:
1. Create a user
2. Add public key
3. Try to ssh

Actual results:
ssh fails with 'Broken pipe'

Expected results:
ssh works

Additional info:
In audit.log there is:
```
type=CRYPTO_KEY_USER msg=audit(1584116606.362:316): pid=860 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=negotiate kind=auth-key fp=SHA256:e6:68:59:06:36:dc:c6:2b:64:90:e5:10:5c:88:d2:0f:7a:83:ef:d6:93:8c:d7:a5:ee:63:36:76:41:c0:dd:b1 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'UID="root" AUID="unset"
type=USER_ACCT msg=audit(1584116606.384:317): pid=860 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix acct="zuul-worker" exe="/usr/sbin/sshd" hostname=127.0.0.1 addr=127.0.0.1 terminal=ssh res=success'UID="root" AUID="unset"
type=CRYPTO_KEY_USER msg=audit(1584116606.392:318): pid=860 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=861 suid=74 rport=59236 laddr=127.0.0.1 lport=22  exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'UID="root" AUID="unset" SUID="sshd"
type=CRED_ACQ msg=audit(1584116606.399:319): pid=860 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="zuul-worker" exe="/usr/sbin/sshd" hostname=127.0.0.1 addr=127.0.0.1 terminal=ssh res=success'UID="root" AUID="unset"
type=LOGIN msg=audit(1584116606.403:320): pid=860 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=8 res=1UID="root" OLD-AUID="unset" AUID="zuul-worker"
type=AVC msg=audit(1584116606.405:321): avc:  denied  { create } for  pid=860 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=0
type=ANOM_ABEND msg=audit(1584116606.406:322): auid=1000 uid=0 gid=0 ses=8 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 pid=860 comm="sshd" exe="/usr/sbin/sshd" sig=6 res=1AUID="zuul-worker" UID="root" GID="root"
```
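
An added triage example (not part of the original report, and not Fedora or audit tooling): the Python below pairs each ANOM_ABEND record with enforcing AVC denials logged for the same pid shortly before it, which is the pattern in the excerpt above, where the `netlink_selinux_socket` create denial (serial 321) is immediately followed by sshd aborting with sig=6 (serial 322). The function names, the one-second window and the abridged sample records are assumptions of this example.

```python
import re

# Records abridged from the audit.log excerpt in the report above.
SAMPLE = """\
type=USER_ACCT msg=audit(1584116606.384:317): pid=860 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="zuul-worker" exe="/usr/sbin/sshd" res=success'
type=AVC msg=audit(1584116606.405:321): avc:  denied  { create } for  pid=860 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=0
type=ANOM_ABEND msg=audit(1584116606.406:322): auid=1000 uid=0 gid=0 ses=8 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 pid=860 comm="sshd" exe="/usr/sbin/sshd" sig=6 res=1
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]*)\} for\s+(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Return (type, timestamp, fields) for one audit record, or None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, _serial, body = m.groups()
    fields = {}
    avc = AVC.search(body)
    if avc:  # AVC records carry the permission set before the key=value pairs
        fields["perms"] = avc.group(1).split()
        body = avc.group(2)
    for k, v in FIELD.findall(body):
        fields[k] = v.strip('"')
    return rtype, float(ts), fields

def denials_before_abort(text, window=1.0):
    """Pair each ANOM_ABEND with enforcing AVC denials for the same pid
    logged at most `window` seconds earlier (heuristic assumed here)."""
    denials, findings = [], []
    for rec in filter(None, map(parse, text.splitlines())):
        rtype, ts, f = rec
        if rtype == "AVC" and f.get("permissive") == "0":
            denials.append((ts, f))
        elif rtype == "ANOM_ABEND":
            for dts, d in denials:
                if d.get("pid") == f.get("pid") and 0 <= ts - dts <= window:
                    findings.append({"pid": f["pid"], "comm": f.get("comm"), "sig": f.get("sig"),
                                     "perms": d["perms"], "tclass": d.get("tclass"),
                                     "scontext": d.get("scontext")})
    return findings

if __name__ == "__main__":
    for f in denials_before_abort(SAMPLE):
        print(f)
```

Denials logged with `permissive=1` are skipped because the kernel did not block the operation in that case.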

Comment 1 Petr Lautrbach 2020-03-13 16:55:01 UTC
Please update selinux-policy to selinux-policy-3.14.6-8.fc33 - https://koji.fedoraproject.org/koji/buildinfo?buildID=1477233

*** This bug has been marked as a duplicate of bug 1813023 ***

