Bug 841693 - SSHD Cannot authenticate YubiKey (SELinux prevents name_connect)
Summary: SSHD Cannot authenticate YubiKey (SELinux prevents name_connect)
Alias: None
Product: Fedora
Classification: Fedora
Component: pam_yubico
Version: 17
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Maxim Burgerhout
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2012-07-19 21:37 UTC by Paul DeStefano
Modified: 2012-10-15 18:27 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-10-15 10:46:00 UTC
Type: Bug


Description Paul DeStefano 2012-07-19 21:37:38 UTC
Description of problem:  
SSHD cannot authenticate YubiKeys.  When SSHD tries pam_yubico.so, it fails (seemingly) due to SELinux preventing name_connect socket connection.  (I think SELinux has denied this particular action by SSHD before, however, so it must be new in pam_yubico that this action is required because it worked fine in F15/F16, perhaps earlier.)

Version-Release number of selected component (if applicable):

How reproducible:
Always.  I cannot find a configuration that works.

Steps to Reproduce:
1.  Install pam_yubico.so
2.  Configure /etc/pam.d/sshd
3.  Try to login via ssh
Actual results:
Login fails, permission denied.

/var/log/messages: ... setroubleshoot: SELinux is preventing /usr/sbin/sshd from name_connect access on the tcp_socket . For complete SELinux messages....

Expected results:
Login should succeed according to PAM rules.

Additional info:

Comment 1 Paul DeStefano 2012-08-21 16:37:47 UTC
Is there anything I can do to assist here?

Comment 2 Paul DeStefano 2012-09-07 03:06:59 UTC
Can someone at least tell me if this is an SSHD problem or a pam_yubico problem?

Comment 3 Maxim Burgerhout 2012-09-07 08:18:43 UTC
Sorry for the late response. The problem you describe is not with sshd or with pam_yubico, but with SELinux denying sshd to connect to the Yubico authentication servers. sshd is not usually allowed to initiate network connections.

If you build this policy module, you get an SELinux boolean called ssh_can_network, that you can toggle to make things work again. You can download it from my fedorapeople site[1].

The .te file is the source code for the module, the .pp file is a compiled, loadable module that you can use directly.

I'll try to check with the SELinux people whether we can include this in the policy permanently, but that might take some time. The module I wrote is crude and overly simple, but it gets the job done for now.

[1] http://fedorapeople.org/~wzzrd/841693/
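
The kind of boolean-gated module described above, written out here as an added example rather than the module from the fedorapeople link; it assumes the stock Fedora type names sshd_t and http_port_t and uses the hypothetical module name ssh_yubikey_example:

```selinux
# Added illustration, not the module from Maxim's fedorapeople site: a minimal
# loadable module that gates sshd's outbound HTTP/HTTPS connections behind a
# boolean, so the extra permission is off by default and can be audited.
module ssh_yubikey_example 1.0;

require {
    type sshd_t;         # the domain setroubleshoot reported as denied
    type http_port_t;    # TCP ports such as 80/443, where the Yubico validation API answers
    class tcp_socket name_connect;
}

# Tunable, default off. An administrator enables it persistently with:
#   setsebool -P ssh_can_network on
bool ssh_can_network false;

# Only while the boolean is on may sshd initiate a TCP connection to an
# http_port_t port; everything else sshd does stays under the stock policy.
if (ssh_can_network) {
    allow sshd_t http_port_t:tcp_socket name_connect;
}
```

Build and load with checkmodule -M -m, semodule_package and semodule -i, then confirm with getsebool ssh_can_network that the boolean exists and is still off before flipping it.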

Comment 4 Paul DeStefano 2012-09-08 23:26:35 UTC
No problem.  Your policy looks like a great solution.  Thank you for posting the module source.  I'm using a nearly identical one, myself.  I can understand if it takes some time to get this module added to the permanent policy; but I like the boolean option and I assume that makes it easier to get approved.

Please post here if there are objections to the policy as I am interested in what security holes may be opened by this solution.

Comment 5 Maxim Burgerhout 2012-10-05 07:07:08 UTC
Status update

This is fixed in Fedora's selinux-policy by this commit[1]. This commit will create a 'authlogin_yubikey' boolean, that can be used to allow or disallow sshd_t (and several other types, like login_t) to name_connect to http_port_t.

Big thanks to Dan Walsh.

A new release of selinux-policy for Fedora 18 will be out soon. Fix expected in selinux-policy-3.11.1-33.fc18.noarch.

[1] http://git.fedorahosted.org/cgit/selinux-policy.git/patch/?id=944db72223a1d4137ad8470a4ded38441f97ac24

Comment 6 Maxim Burgerhout 2012-10-15 10:46:00 UTC
The boolean 'authlogin_yubikey' was added to the SELinux policy for Fedora 18. Flip it to 'on' to enjoy Yubikey logins.

I'm closing this bug now. Please reopen if the problem reoccurs or persists.

Comment 7 Paul DeStefano 2012-10-15 16:25:59 UTC
This is great.  I didn't expect this solution and I'm anxious to try it.

But, can't this be released for F17?

Comment 8 Maxim Burgerhout 2012-10-15 17:54:40 UTC
I'm afraid not: implementing the boolean was quite a significant change in the SELinux policy. Backporting this to the policy for F17 would be a lot of work. I don't think that is going to happen, especially since there is a viable workaround.

But then again, it's not up to me. I only co-maintain pam_yubico, not the SELinux policy :)

Comment 9 Paul DeStefano 2012-10-15 18:27:22 UTC
What's the workaround?

Is there another bug where I can comment to the policy maintainers?  This bug was introduced by the F17 policy pkg, so it seems clear that pkg needs to be updated with this patch.  This was working in F15 and F16.
