+++ This bug was initially created as a clone of Bug #228398 +++

Description of problem:
I don't know if this belongs here or not. Let me know what you want me to do. I have found there is a limit to the number of categories that you can ssh in with, i.e. the first example works, the second example with one more category does not. (I have updated to the latest level of mcstrans.)

[root/abat_r/SystemLow@KWUSER1 framework]# ssh testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@localhost
Could not create directory '/root/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 49:f5:9f:53:f1:aa:76:cf:59:dd:7a:6f:eb:b2:b9:e9.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/root/.ssh/known_hosts).
Password:
Last login: Tue Feb 13 15:17:46 2007 from kwuser1.endicott.ibm.com
[testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@KWUSER1 ~]$ exit
logout
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER1 framework]# ssh testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107@localhost
Could not create directory '/root/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 49:f5:9f:53:f1:aa:76:cf:59:dd:7a:6f:eb:b2:b9:e9.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/root/.ssh/known_hosts).
Password:
Last login: Tue Feb 13 15:18:02 2007 from kwuser1.endicott.ibm.com
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER1 framework]#

-- Additional comment from linda.knippers on 2007-02-13 16:23 EST --
I've seen the error before: Could not create directory '/root/.ssh'. I think it's because /root and its contents don't have the right context. If you do a 'restorecon -v -R /root' you might have better luck.

-- Additional comment from linda.knippers on 2007-02-13 16:25 EST --
Actually, that doesn't explain the difference in behavior that you see, but I think it explains some of the error messages.

-- Additional comment from kylene.com on 2007-02-13 16:38 EST --
The issue isn't about the /root/.ssh. I am not able to log in with many categories. Notice that the example where the category list goes up to 105 succeeds but the list that goes up to 107 fails.

-- Additional comment from dwalsh on 2007-02-13 17:20 EST --
This seems weird. Are you sure your sshd is running with the correct context? Why would a testuser be trying to update /root/.ssh?

I have successfully logged in with:
ssh root/sysadm_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107,c108,c109,c110,c111,c211,c213,c215,c217,c219,c221,c223,c225,c227,c229,c231,c233,c235,c237,c239,c241,c243,c245,c247,c249,c251,c253,c255,c257,c259,c261,c263,c265,c267,c269,c271,c273,c275,c277,c279,c281,c283,c285,c287,c289,c291,c293,c295,c297,c299,c301,c303,c305,c307,c308,c309,c310,c311,c411,c413@xxy
root/sysadm_r/s5:c1,c3,c5,c7,c@xxy's password:
Last login: Tue Feb 13 17:04:36 2007 from dhcp-10-12-33-199.boston.devel.redhat.com
[root@xxy ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107.c111,c211,c213,c215,c217,c219,c221,c223,c225,c227,c229,c231,c233,c235,c237,c239,c241,c243,c245,c247,c249,c251,c253,c255,c257,c259,c261,c263,c265,c267,c269,c271,c273,c275,c277,c279,c281,c283,c285,c287,c289,c291,c293,c295,c297,c299,c301,c303,c305,c307.c311,c411,c413

But it soon breaks after that. Of course this is an evil test. :^)

-- Additional comment from kylene.com on 2007-02-13 17:46 EST --
Sorry to cause the confusion with the /root/.ssh; it was just a label problem. For our tests we ssh in as a user and then /bin/su - to root and run our frameworks from there. I have retested on another machine just to make sure I am not crazy. This is on an s390x installed today with the latest RC, kickstart and lspp rpm, along with updating all the packages from dwalsh's people page repo and the kernel to lspp.64.

Here are the results I get (I can't test as root due to the lspp config):

[root/abat_r/SystemLow@KWUSER3 framework]# ssh testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107,c108,c109,c110,c111,c211,c213,c215,c217,c219,c221,c223,c225,c227,c229,c231,c233,c235,c237,c239,c241,c243,c245,c247,c249,c251,c253,c255,c257,c259,c261,c263,c265,c267,c269,c271,c273,c275,c277,c279,c281,c283,c285,c287,c289,c291,c293,c295,c297,c299,c301,c303,c305,c307,c308,c309,c310,c311,c411,c413@localhost
Password:
Last login: Tue Feb 13 16:25:39 2007 from kwuser2.endicott.ibm.com
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER3 framework]# ssh testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107@localhost
Password:
Last login: Tue Feb 13 16:40:41 2007 from kwuser2.endicott.ibm.com
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER3 framework]# ssh testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@localhost
Password:
Last login: Tue Feb 13 16:41:09 2007 from kwuser2.endicott.ibm.com
[testuser/user_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@KWUSER3 ~]$ exit
logout
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER3 framework]# ssh ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@localhost
Password:
Last login: Tue Feb 13 16:28:02 2007 from sig-9-76-206-16.mts.ibm.com
[ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@KWUSER3 ~]$ exit
logout
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER3 framework]# ssh ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107@localhost
Password:
Last login: Tue Feb 13 16:41:45 2007 from kwuser2.endicott.ibm.com
Connection to localhost closed.
[root/abat_r/SystemLow@KWUSER3 framework]#

You call the test case evil, but the original test case was trying to specify all the odd categories up to 1023. This was simply paring down to where the failure point is.

-- Additional comment from dwalsh on 2007-02-14 09:36 EST --
The question is whether the test case is realistic. I.e. we can go in and try to figure out what the problem is, or is the size of this enough to get

I have run some tests on mcstrans and libselinux and it seems to handle much larger data than this, so I think this might be an openssh problem.

-- Additional comment from dwalsh on 2007-02-14 09:38 EST --
Basically running a test with 1024 categories works with the latest mcstrans.

-- Additional comment from kylene.com on 2007-02-14 14:21 EST --
I tried the ssh on another platform (ppc64) to get another data point. I had the same results as on the s390x.

[ealuser/staff_r/SystemLow@hvracer3 ~]$ ssh ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 2f:7d:54:30:69:db:d1:5b:8f:68:a4:56:05:73:dd:c0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
Password:
Last login: Wed Feb 14 13:14:52 2007 from sig-9-65-34-127.mts.ibm.com
[ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105@hvracer3 ~]$ exit
logout
Connection to localhost closed.
[ealuser/staff_r/SystemLow@hvracer3 ~]$ ssh ealuser/staff_r/s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107@localhost
Password:
Last login: Wed Feb 14 13:17:02 2007 from localhost.localdomain
Connection to localhost closed.

-- Additional comment from klausk.com on 2007-02-15 13:18 EST --
The problem is the filesystem's filename size limit (polyinstantiation attacks again).

With the above test case, check /var/log/secure:
Feb 15 09:12:30 zaphod sshd[2160]: pam_namespace(sshd:session): Error creating /home/home.inst/staff_u:object_r:staff_home_dir_t:s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c109,c111_ealuser, File name too long

If I use a user which is not polyinst (add it to /etc/security/namespace.conf), I can successfully log in with:
[root@zaphod framework]# ssh abat//s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107,c109,c111,c113,c115,c117,c119,c121,c123,c125,c127,c129,c131,c133,c135,c137,c139,c141,c143,c145,c147,c149,c151,c153,c155,c157,c159,c161,c163,c165,c167,c169,c171,c173,c175,c177,c179,c181,c183,c185,c187,c189,c191,c193,c195,c197,c199,c201,c203,c205,c207,c209,c211,c213,c215,c217,c219,c221,c223,c225,c227,c229,c231,c233,c235,c237,c239,c241,c243,c245,c247,c249,c251,c253,c255,c257,c259,c261,c263,c265,c267,c269,c271,c273,c275,c277,c279,c281,c283,c285,c287,c289,c291,c293,c295,c297,c299,c301,c303,c305,c307,c309,c311,c313,c315,c317,c319,c321,c323,c325,c327,c329,c331,c333,c335,c337,c339,c341,c343,c345,c347,c349,c351,c353,c355,c357,c359,c361,c363,c365,c367,c369,c371,c373,c375,c377,c379,c381,c383,c385,c387,c389,c391,c393,c395,c397,c399,c401,c403,c405,c407,c409,c411,c413,c415,c417,c419,c421,c423,c425,c427,c429,c431,c433,c435,c437,c439,c441,c443,c445,c447,c449,c451,c453,c455,c457,c459,c461,c463,c465,c467,c469,c471,c473,c475,c477,c479,c481,c483,c485,c487,c489,c491,c493,c495,c497,c499,c501,c503,c505,c507,c509,c511,c513,c515,c517,c519,c521,c523,c525,c527,c529,c531,c533,c535,c537,c539,c541,c543,c545,c547,c549,c551,c553,c555,c557,c559,c561,c563,c565,c567,c569,c571,c573,c575,c577,c579,c581,c583,c585,c587,c589,c591,c593,c595,c597,c599,c601,c603,c605,c607,c609,c611,c613,c615,c617,c619,c621,c623,c625,c627,c629,c631,c633,c635,c637,c639,c641,c643,c645,c647,c649,c651,c653,c655,c657,c659,c661,c663,c665,c667,c669,c671,c673,c675,c677,c679,c681,c683,c685,c687,c689,c691,c693,c695,c697,c699,c701,c703,c705,c707,c709,c711,c713,c715,c717,c719,c721,c723,c725,c727,c729,c731,c733,c735,c737,c739,c741,c743,c745,c747,c749,c751,c753,c755,c757,c759,c761,c763,c765,c767,c769,c771,c773,c775,c777,c779,c781,c783,c785,c787,c789,c791,c793,c795,c797,c799,c801,c803,c805,c807,c809,c811,c813,c815,c817,c819,c821,c823,c825,c827,c829,c831,c833,c835,c837,c839,c841,c843,c845,c847,c849,c851,c853,c855,c857,c859,c861,c863,c865,c867,c869,c871,c873,c875,c877,c879,c881,c883,c885,c887,c889,c891,c893,c895,c897,c899,c901,c903,c905,c907,c909,c911,c913,c915,c917,c919,c921,c923,c925,c927,c929,c931,c933,c935,c937,c939,c941,c943,c945,c947,c949,c951,c953,c955,c957,c959,c961,c963,c965,c967,c969,c971,c973,c975,c977,c979,c981,c983,c985,c987,c989,c991,c993,c995,c997,c999,c1001,c1003,c1005,c1007,c1009,c1011,c1013,c1015,c1017,c1019,c1021,c1023@localhost
Password:
Last login: Thu Feb 15 10:04:22 2007 from localhost.localdomain
[abat@zaphod ~]$ id
uid=502(abat) gid=502(abat) groups=10(wheel),502(abat) context=abat_u:abat_r:abat_t:s5:c1,c3,c5,c7,c9,c11,c13,c15,c17,c19,c21,c23,c25,c27,c29,c31,c33,c35,c37,c39,c41,c43,c45,c47,c49,c51,c53,c55,c57,c59,c61,c63,c65,c67,c69,c71,c73,c75,c77,c79,c81,c83,c85,c87,c89,c91,c93,c95,c97,c99,c101,c103,c105,c107,c109,c111,c113,c115,c117,c119,c121,c123,c125,c127,c129,c131,c133,c135,c137,c139,c141,c143,c145,c147,c149,c151,c153,c155,c157,c159,c161,c163,c165,c167,c169,c171,c173,c175,c177,c179,c181,c183,c185,c187,c189,c191,c193,c195,c197,c199,c201,c203,c205,c207,c209,c211,c213,c215,c217,c219,c221,c223,c225,c227,c229,c231,c233,c235,c237,c239,c241,c243,c245,c247,c249,c251,c253,c255,c257,c259,c261,c263,c265,c267,c269,c271,c273,c275,c277,c279,c281,c283,c285,c287,c289,c291,c293,c295,c297,c299,c301,c303,c305,c307,c309,c311,c313,c315,c317,c319,c321,c323,c325,c327,c329,c331,c333,c335,c337,c339,c341,c343,c345,c347,c349,c351,c353,c355,c357,c359,c361,c363,c365,c367,c369,c371,c373,c375,c377,c379,c381,c383,c385,c387,c389,c391,c393,c395,c397,c399,c401,c403,c405,c407,c409,c411,c413,c415,c417,c419,c421,c423,c425,c427,c429,c431,c433,c435,c437,c439,c441,c443,c445,c447,c449,c451,c453,c455,c457,c459,c461,c463,c465,c467,c469,c471,c473,c475,c477,c479,c481,c483,c485,c487,c489,c491,c493,c495,c497,c499,c501,c503,c505,c507,c509,c511,c513,c515,c517,c519,c521,c523,c525,c527,c529,c531,c533,c535,c537,c539,c541,c543,c545,c547,c549,c551,c553,c555,c557,c559,c561,c563,c565,c567,c569,c571,c573,c575,c577,c579,c581,c583,c585,c587,c589,c591,c593,c595,c597,c599,c601,c603,c605,c607,c609,c611,c613,c615,c617,c619,c621,c623,c625,c627,c629,c631,c633,c635,c637,c639,c641,c643,c645,c647,c649,c651,c653,c655,c657,c659,c661,c663,c665,c667,c669,c671,c673,c675,c677,c679,c681,c683,c685,c687,c689,c691,c693,c695,c697,c699,c701,c703,c705,c707,c709,c711,c713,c715,c717,c719,c721,c723,c725,c727,c729,c731,c733,c735,c737,c739,c741,c743,c745,c747,c749,c751,c753,c755,c757,c759,c761,c763,c765,c767,c769,c771,c773,c775,c777,c779,c781,c783,c785,c787,c789,c791,c793,c795,c797,c799,c801,c803,c805,c807,c809,c811,c813,c815,c817,c819,c821,c823,c825,c827,c829,c831,c833,c835,c837,c839,c841,c843,c845,c847,c849,c851,c853,c855,c857,c859,c861,c863,c865,c867,c869,c871,c873,c875,c877,c879,c881,c883,c885,c887,c889,c891,c893,c895,c897,c899,c901,c903,c905,c907,c909,c911,c913,c915,c917,c919,c921,c923,c925,c927,c929,c931,c933,c935,c937,c939,c941,c943,c945,c947,c949,c951,c953,c955,c957,c959,c961,c963,c965,c967,c969,c971,c973,c975,c977,c979,c981,c983,c985,c987,c989,c991,c993,c995,c997,c999,c1001,c1003,c1005,c1007,c1009,c1011,c1013,c1015,c1017,c1019,c1021,c1023
[abat@zaphod ~]$

-- Additional comment from sgrubb on 2007-02-15 13:47 EST --
What needs to happen is that both pam and sshd need to check that the basename of the file/dir is < NAME_MAX from limits.h and that the whole path is < PATH_MAX. It could possibly change to a hashed name if this limit is violated. I think the original namespace patch used hashes, but this was dropped for readability. So maybe we should have readability until we hit the NAME_MAX limit and then switch to cryptic dir names.
Here is my idea of how to correct this and also resolve https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=227345. We will define some arbitrary limit on the directory name. I propose 80 characters, as I don't think the full context is too useful in case it is much larger than what fits on the screen with ls output. And we will replace the rest of the context name with the hash value of the whole context. We will also replace all non-alphanumeric characters which are not ':.,-' with '_', and if this translation happens we will also append the hash value of the untranslated context to guard against any ambiguities in the translated context names.
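As an added example in C (not pam_namespace's or the reporter's code) for sgrubb's NAME_MAX check and the 80-character-plus-hash proposal in the two comments above: it rebuilds the staff_u home-directory context from the /var/log/secure line for a given highest odd category, shows that the naive "<context>_<user>" name for ealuser is 254 bytes at c105 and 259 at c107, straddling NAME_MAX (255) exactly where the logins above succeed and fail, and then applies the shortened-plus-hash form. The 80-character limit is the proposal's; FNV-1a is a stand-in hash chosen for the illustration, not the hash PAM uses.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifndef NAME_MAX
#define NAME_MAX 255            /* Linux filename limit, as in limits.h */
#endif
#define CTX_DISPLAY_MAX 80      /* readable prefix length proposed above */
/* Constructed sample: the staff_u home-dir context from the log line, with
 * all odd categories 1..max_cat. Returns the length or -1 on truncation. */
int odd_cats_context(int max_cat, char *out, size_t outsz) {
    int n = snprintf(out, outsz, "staff_u:object_r:staff_home_dir_t:s5");
    for (int c = 1; c <= max_cat && n >= 0 && (size_t)n < outsz; c += 2)
        n += snprintf(out + n, outsz - (size_t)n, "%cc%d", c == 1 ? ':' : ',', c);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* The failing behaviour: "<context>_<user>" with no shortening; the NAME_MAX
 * check returns -ENAMETOOLONG exactly where mkdir() in pam_namespace failed. */
int naive_dir_name(const char *ctx, const char *user, char *out, size_t outsz) {
    int n = snprintf(out, outsz, "%s_%s", ctx, user);
    if (n < 0 || (size_t)n >= outsz) return -ENAMETOOLONG;
    return (size_t)n > NAME_MAX ? -ENAMETOOLONG : n;
}

/* FNV-1a 64-bit: a stand-in hash for the illustration, not what PAM uses. */
static uint64_t fnv1a64(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    return h;
}

/* Proposed scheme: keep the first CTX_DISPLAY_MAX chars and append the hash of
 * the whole context, so long contexts sharing a prefix stay distinct. */
int hashed_dir_name(const char *ctx, const char *user, char *out, size_t outsz) {
    char shortctx[CTX_DISPLAY_MAX + 18];    /* 80 + "_" + 16 hex + NUL */
    if (strlen(ctx) <= CTX_DISPLAY_MAX) {
        snprintf(shortctx, sizeof shortctx, "%s", ctx);
    } else {
        memcpy(shortctx, ctx, CTX_DISPLAY_MAX);
        snprintf(shortctx + CTX_DISPLAY_MAX, sizeof shortctx - CTX_DISPLAY_MAX,
                 "_%016llx", (unsigned long long)fnv1a64(ctx));
    }
    return naive_dir_name(shortctx, user, out, outsz);
}

int main(void) {
    char ctx[512], name[512];
    for (int top = 105; top <= 107; top += 2) {   /* the working and failing logins */
        odd_cats_context(top, ctx, sizeof ctx);
        printf("c%d naive=%d ", top, naive_dir_name(ctx, "ealuser", name, sizeof name));
        printf("hashed=%d %s\n", hashed_dir_name(ctx, "ealuser", name, sizeof name), name);
    }
}
```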
Please ignore the second part (about non-alphanumeric characters in names) as it was already decided to use raw context names which cannot contain characters unsuitable for filenames.
Fixed in pam-0.99.6.2-17.el5 in dist-5E-lspp
This is slated for inclusion in 5.1
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0555.html