Bug 378941 - selinux blocks incoming ssh with Kerberos password supplied
selinux blocks incoming ssh with Kerberos password supplied
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
i386 Linux
low Severity high
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
: SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-12 17:17 EST by Danny Padwa
Modified: 2007-11-30 17:12 EST (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-16 09:07:50 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Danny Padwa 2007-11-12 17:17:33 EST
Description of problem:
Incoming ssh connections fail if they supply a Kerberos password.   Works fine
if it uses ssh keys or local passwords.   /var/log/messages shows that ssh
segfaulted and blames selinux

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-47.fc8
selinux-policy-targeted-3.0.8-47.fc8
openssh-server-4.7p1-2.fc8


How reproducible:
Very

Steps to Reproduce:
1.  Set up local user with both Kerberos and local passwords (distinct)
2.  ssh in without a client credential - provide local pw, everything works
3.  ssh in without a client credential - provide kerberos pw, things break
  
Actual results:
Nov 12 17:06:14 padwad-fc8v0 kernel: sshd[6909]: segfault at ffffffff eip
004fd3be esp bf905bf8 error 6
Nov 12 17:06:16 padwad-fc8v0 setroubleshoot: #012    SELinux is preventing
/usr/sbin/sshd (sshd_t) "read write" to /SYSV00000000 (deleted) (tmpfs_t).#012 
   For complete SELinux messages. run sealert -l
589f169e-fd37-4262-a980-af208051c28d
Nov 12 17:06:56 padwad-fc8v0 kernel: sshd[7214]: segfault at ffffffff eip
004fd3be esp bfa55548 error 6
Nov 12 17:06:58 padwad-fc8v0 setroubleshoot: #012    SELinux is preventing
/usr/sbin/sshd (sshd_t) "read write" to /SYSV00000000 (deleted) (tmpfs_t).#012 
   For complete SELinux messages. run sealert -l
589f169e-fd37-4262-a980-af208051c28d


Expected results:
Things should work

Additional info:
There are two problems here:
- selinux should have a proper policy for sshd
- sshd should not segv in the face of selinux rejections
Comment 1 Danny Padwa 2007-11-12 17:18:57 EST
I can give you fuller debug logs if needed.
Comment 2 Danny Padwa 2007-11-12 17:29:18 EST
Looks like this is the local kerberos credential cache that is getting created 
inside of the Kerberos library.  sshd needs to be able to write a file in /tmp 
for kerberos purposes - if selinux is blocking that, it would be a Bad Thing.
Comment 3 Daniel Walsh 2007-11-12 17:49:26 EST
Fixed in selinux-policy-3.0.8-53.fc8
Comment 4 Kostas Georgiou 2007-11-15 20:18:37 EST
I just tested with selinux-policy-3.0.8-56.fc8 and sshd works now.

Note You need to log in before you can comment on or make changes to this bug.