Red Hat Bugzilla – Bug 841693
SSHD Cannot authenticate YubiKey (SELinux prevents name_connect)
Last modified: 2012-10-15 14:27:22 EDT
Description of problem:
SSHD cannot authenticate YubiKeys. When SSHD tries pam_yubico.so, it fails (seemingly) due to SELinux preventing name_connect socket connection. (I think SELinux has denied this particular action by SSHD before, however, so it must be new in pam_yubico that this action is required because it worked fine in F15/F16, perhaps earlier.)
Version-Release number of selected component (if applicable):
Always. I cannot find a configuration that works.
Steps to Reproduce:
1. Install pam_yubico.so
2. Configure /etc/pam.d/sshd
3. Try to login via ssh
Login fails, permission denied.
/var/log/messages: ... setroubleshoot: SELinux is preventing /usr/sbin/sshd from name_connect access on the tcp_socket . For complete SELinux messages....
Login should succeed according to PAM rules.
Is there anything I can do to assist here?
Can someone at least tell me if this is an SSHD problem or a pam_yubico problem?
Sorry for the late response. The problem you describe is not with sshd or with pam_yubico, but with SELinux denying sshd to connect to the Yubico authentication servers. sshd is not usually allowed to initiate network connections.
If you build this policy module, you get an SELinux boolean called ssh_can_network, that you can toggle to make things work again. You can download it from my fedorapeople site.
The .te file is the source code for the module, the .pp file is a compiled, loadable module that you can use directly.
I'll try to check with the SELinux people whether we can include this in the policy permanently, but that might take some time. The module I wrote is crude and overly simple, but it gets the job done for now.
No problem. Your policy looks like a great solution. Thank you for posting the module source. I'm using a nearly identical one, myself. I can understand if it takes some time to get this module added to the permanent policy; but I like the boolean option and I assume that makes it easier to get approved.
Please post here if there are objections to the policy as I am interested in what security holes may be opened by this solution.
This is fixed in Fedora's selinux-policy by this commit. This commit will create an 'authlogin_yubikey' boolean, that can be used to allow or disallow sshd_t (and several other types, like login_t) to name_connect to http_port_t.
Big thanks to Dan Walsh.
A new release of selinux-policy for Fedora 18 will be out soon. Fix expected in selinux-policy-3.11.1-33.fc18.noarch.
The boolean 'authlogin_yubikey' was added to the SELinux policy for Fedora 18. Flip it to 'on' to enjoy Yubikey logins.
I'm closing this bug now. Please reopen if the problem reoccurs or persists.
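As an added example (not the module from the fedorapeople link, whose source is not reproduced here, and not Fedora's selinux-policy code): a shell script that writes a minimal boolean-gated policy module of the kind described above, builds and loads it, and turns the boolean on, so sshd_t may name_connect to http_port_t only while the boolean is on. The module name ssh_yubikey and the helper function names are assumptions; the boolean name ssh_can_network is the one named in the thread. It assumes selinux-policy-devel (/usr/share/selinux/devel/Makefile), semodule and setsebool are installed; on Fedora 18 the same enable_boolean helper applies to the stock authlogin_yubikey boolean instead.

```shell
#!/bin/sh
# Added example: a boolean-gated SELinux module letting sshd_t reach
# HTTP/HTTPS servers (http_port_t), as pam_yubico needs for validation.
# Names ssh_yubikey and the helper functions are assumptions.
set -eu

# Write the policy source (.te) into DIR and echo its path. Nothing is
# allowed unless the boolean is on, so the default stays as strict as before.
write_te_module() {
    dir="$1"
    cat > "$dir/ssh_yubikey.te" <<'EOF'
policy_module(ssh_yubikey, 1.0)

## <desc>
## <p>Allow sshd (and the PAM modules it runs) to connect to HTTP/HTTPS
## servers, e.g. the Yubico validation service used by pam_yubico.</p>
## </desc>
gen_tunable(ssh_can_network, false)

require {
    type sshd_t;
}

tunable_policy(`ssh_can_network', `
    # name_connect to http_port_t is what the AVC denial in this report asks for
    corenet_tcp_connect_http_port(sshd_t)
    corenet_tcp_sendrecv_http_port(sshd_t)
')
EOF
    echo "$dir/ssh_yubikey.te"
}

# Compile the .te into a loadable .pp and install it (root + SELinux tooling).
build_and_load() {
    dir="$1"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile ssh_yubikey.pp )
    semodule -i "$dir/ssh_yubikey.pp"
}

# Turn a boolean on persistently (-P survives reboot) and echo its state.
# Use "ssh_can_network" for this module, "authlogin_yubikey" on Fedora 18.
enable_boolean() {
    setsebool -P "$1" on
    getsebool "$1"
}

# List recent AVC denials for sshd so the effect of the change can be checked.
show_denials() {
    ausearch -m avc -c sshd --start recent 2>/dev/null || true
}
```

Run write_te_module, build_and_load and enable_boolean in that order; show_denials should then report no new name_connect denials for sshd.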
This is great. I didn't expect this solution and I'm anxious to try it.
But, can't this be released for F17?
I'm afraid not: implementing the boolean was quite a significant change in the SELinux policy. Backporting this to the policy for F17 would be a lot of work. I don't think that is going to happen, especially since there is a viable workaround.
But then again, it's not up to me. I only co-maintain pam_yubico, not the SELinux policy :)
What's the workaround?
Is there another bug where I can comment to the policy maintainers? This bug was introduced by the F17 policy pkg, so it seems clear that pkg needs to be updated with this patch. This was working in F15 and F16.