To speed up connections, I am using ssh connection multiplexing. However, after setting it up, I discovered that SELinux blocks that:

type=AVC msg=audit(1374595077.699:4935): avc: denied { create } for pid=5793 comm="ssh" name="misc.example.com:22.wFfLJBMez5wphcDh" scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file

My settings are (in ~/.ssh/config):

Host git.corp.example.com gitolite.corp.example.com
    ControlMaster auto
    ControlPath /home/misc/tmp/%r@%h:%p

$ ls -lZd ~/tmp/
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 /home/misc/tmp/

So in fact, there are 3 operations, as seen by running in permissive mode:

type=AVC msg=audit(1374604682.020:5133): avc: denied { create } for pid=13572 comm="ssh" name="misc.example.com:22.sWlPsweTDbYJoss6" scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1374604682.020:5134): avc: denied { link } for pid=13572 comm="ssh" name="misc.example.com:22.sWlPsweTDbYJoss6" dev="dm-3" ino=3422336 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1374604682.020:5135): avc: denied { unlink } for pid=13572 comm="ssh" name="misc.example.com:22.sWlPsweTDbYJoss6" dev="dm-3" ino=3422336 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file
What is the default value for ControlPath?
Seems like we should have a transition for this, although it would be nice if the socket was put into a subdir like .cache/ssh/ or /run/user/UID/ssh.
e506a4253b8b80ec6e0e59d5e3be4709aeba45ef fixes this in git.
There is no default for ControlPath. And I would indeed recommend placing the control socket in a protected directory, since it can be used to connect to a remote server without a password (in fact, that's quite tricky because using ControlPath even leaves no log on the remote server).
As stated, there's no default value for ControlPath and ssh won't set up multiplexing if ControlPath is not set. So it's up to the user to set and place the control socket in the right place. Also the control socket is created using umask(0177) so it should be accessible only to the owner.
Is this a case where we should give an example location like ~/.ssh/ControlSocket?
The home directory is a bad choice because it is usually on NFS shares and '~/.ssh/%r@%h:%p' will cause conflicts when running ssh on different hosts. You might add the local hostname %l to avoid this conflict, but this can make the resulting path name too long. A place below $XDG_RUNTIME_DIR would be excellent, but unfortunately ControlPath does not expand shell variables and the uid must be hardcoded.
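The workaround implied by the comment above (resolve the per-user runtime dir once and hardcode it, since ssh will not expand $XDG_RUNTIME_DIR in ControlPath), as an added example that is not part of this bug thread or of OpenSSH; it assumes a Linux host with GNU coreutils (`id`, `stat`) and the /run/user/UID layout mentioned earlier:

```shell
#!/bin/sh
# Added example, not from the bug thread: generate an ssh_config snippet whose
# ControlPath lives under the per-user runtime directory. ssh does not expand
# shell variables in ControlPath, so the numeric uid is resolved here, once,
# and written into the config as a literal path.
# Assumptions: `id -u` and GNU `stat -c` exist; the caller picks the output file.

# Resolve the runtime directory: $XDG_RUNTIME_DIR if set, else /run/user/<uid>.
runtime_dir() {
    uid=$(id -u)
    if [ -n "${XDG_RUNTIME_DIR:-}" ]; then
        printf '%s\n' "$XDG_RUNTIME_DIR"
    else
        printf '/run/user/%s\n' "$uid"
    fi
}

# Print the ControlPath line; %r/%h/%p are ssh's own tokens (kept literal),
# while the directory prefix is already a plain string.
control_path_line() {
    dir=$1
    printf 'ControlPath %s/ssh/%%r@%%h:%%p\n' "$dir"
}

# Write the snippet to $1. The socket directory is created with mode 0700 so
# only the owner can reach the sockets (ssh itself creates each socket with
# umask 0177, but the directory needs protecting too).
write_control_config() {
    out=$1
    dir=$(runtime_dir)
    mkdir -p -m 0700 "$dir/ssh" || return 1
    {
        printf 'Host git.corp.example.com gitolite.corp.example.com\n'
        printf '    ControlMaster auto\n'
        control_path_line "$dir"
    } > "$out"
}

# Succeed only if the socket directory is owner-only (drwx------).
check_control_dir() {
    dir=$1
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 1
    [ "$mode" = "700" ]
}
```

Whether the resulting directory also carries a label that ssh_t may create sock_files in is an SELinux policy question; the script only gets the DAC side right.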
We have rules for HOMEDIR. Petr, should we make a note in sshd_config as Dan wrote?
So what dir should the control socket go into so that it does not run afoul of selinux?