Bug 427329 - Unable to login with password to sshd
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
All Linux
low Severity low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2008-01-03 01:10 EST by Jan ONDREJ
Modified: 2008-01-03 09:54 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-01-03 09:54:37 EST
Description Jan ONDREJ 2008-01-03 01:10:51 EST
Description of problem:
I am unable to log in to my system using a password (logging in using an ssh public key
is working). This message is in /var/log/secure:
Jan  3 06:54:46 work sshd[4235]: error: Could not get shadow information for MYLOGIN
Jan  3 06:54:46 work sshd[4235]: Failed password for MYLOGIN from
port 44933 ssh2

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. setenforce 1
2. log in to your system without pubkey usage
Actual results:
Permission denied (publickey,password,keyboard-interactive).

Expected results:
log in

Additional info:
After using "semodule -DB", "audit2allow -l -a" shows:
  allow sshd_t shadow_t:file { read getattr };
but I am unable to allow this:
  libsepol.check_assertion_helper: neverallow violated by allow sshd_t
shadow_t:file { read };
Comment 1 Daniel Walsh 2008-01-03 09:54:37 EST
Do you have sshd set up to not use pam?

sshd using pam does not need to read the shadow file directly. It uses a helper
application to read the shadow file.

Allowing sshd to read the shadow file directly is considered a potential
security risk.

If you use the interface auth_read_shadow(sshd_t) instead of the allow rule, the
policy module should build and install.
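
Added example, not part of the bug report or of either participant's comments: one way to answer the question in Comment 1 from a copy of sshd_config and /var/log/secure, before deciding whether any policy change is needed. The function names, the sample config and the 192.0.2.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Limits: Include files are not followed;
# on a live host `sshd -T` prints the effective configuration instead.

# effective_usepam FILE -> "yes", "no", or "unset" (compiled-in default applies).
# sshd keywords are case-insensitive and the first value read wins.
effective_usepam() {
    awk '
        { sub(/#.*/, ""); sub(/=/, " ") }    # drop comments, accept "key=value"
        tolower($1) == "usepam" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# shadow_read_failures LOG -> count of sshd "shadow information" errors.
shadow_read_failures() {
    grep -c 'sshd\[[0-9]*]: error: Could not get shadow information' "$1" || true
}

# triage CONFIG LOG -> one-line verdict combining both checks.
triage() {
    pam=$(effective_usepam "$1"); n=$(shadow_read_failures "$2")
    if [ "$n" -gt 0 ] && [ "$pam" != "yes" ]; then
        echo "UsePAM=$pam, $n shadow error(s): sshd is checking passwords itself"
    else
        echo "UsePAM=$pam, $n shadow error(s): no direct shadow access indicated"
    fi
}

# Constructed sample input (config and address are made up; log text follows the report).
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
Port 22
#UsePAM yes
usepam no
UsePAM yes
EOF
cat > "$demo/secure" <<'EOF'
Jan  3 06:54:46 work sshd[4235]: error: Could not get shadow information for MYLOGIN
Jan  3 06:54:46 work sshd[4235]: Failed password for MYLOGIN from 192.0.2.10 port 44933 ssh2
EOF
triage "$demo/sshd_config" "$demo/secure"
rm -rf "$demo"
```

If the verdict shows UsePAM is not "yes", setting it to "yes" lets sshd authenticate through PAM and its helper, so sshd_t never needs read access to shadow_t.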
