Bug#430838: openssh-server: Detection of SELinux enforcing mode is broken
Package: openssh-server
Version: 1:4.6p1-2
Severity: grave
Justification: causes non-serious data loss
I just upgraded to this version of openssh on a system with SELinux
enabled but in permissive mode. Thank goodness I left an SSH session
open: connections after that succeeded at authentication, but were
immediately closed by the server. The following log messages appeared:
Jun 27 09:56:07 teleri sshd[12293]: pam_selinux: Open Session
Jun 27 09:56:07 teleri sshd[12293]: Unable to get valid context for bts, No valid tty
Jun 27 09:56:07 teleri sshd[12293]: error: PAM: pam_open_session(): Authentication failure
Jun 27 09:56:07 teleri sshd[12293]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for bts
Jun 27 09:56:07 teleri sshd[12293]: fatal: ssh_selinux_getctxbyname: Failed to get default SELinux security context for bts (in enforcing mode)
The machine was actually in permissive mode, though it had been booted
in enforcing mode. After I downgraded to the testing 4.3 package, I saw
messages that correctly acknowledged that the machine was in permissive
mode:
Jun 27 10:01:32 teleri sshd[12501]: error: Failed to get default security context for bts.Continuing in permissive mode
Jun 27 10:01:32 teleri sshd[12499]: error: Failed to get default security context for bts.Continuing in permissive mode
So it looks like sshd's check for enforcing mode is broken. This
behavior persisted regardless of whether I had sshd set to use PAM, and
regardless of whether pam_selinux was enabled in /etc/pam.d/ssh.
-Brian
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.21-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssh-server depends on:
ii adduser 3.103 Add and remove users and groups
ii debconf 1.5.13 Debian configuration management sy
ii dpkg 1.14.4 package maintenance system for Deb
ii libc6 2.5-11 GNU C Library: Shared libraries
ii libcomer 1.39+1.40-WIP-2007.04.07+dfsg-2 common error description library
ii libkrb53 1.6.dfsg.1-5 MIT Kerberos runtime libraries
ii libpam-m 0.79-4 Pluggable Authentication Modules f
ii libpam-r 0.79-4 Runtime support for the PAM librar
ii libpam0g 0.79-4 Pluggable Authentication Modules l
ii libselin 2.0.15-2 SELinux shared libraries
ii libssl0. 0.9.8e-5 SSL shared libraries
ii libwrap0 7.6.dbs-13 Wietse Venema's TCP wrappers libra
ii lsb-base 3.1-23.1 Linux Standard Base 3.1 init scrip
ii openssh- 1:4.6p1-2 secure shell client, an rlogin/rsh
ii zlib1g 1:1.2.3.3.dfsg-2 compression library - runtime
openssh-server recommends no packages.
-- debconf information:
ssh/insecure_rshd:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/disable_cr_auth: false
ssh/encrypted_host_key_but_no_keygen:
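Added illustration, not OpenSSH's or Debian's code: the decision a server has to make when the default SELinux context for a user cannot be obtained, reading the mode from the kernel at session-open time instead of relying on a value from boot, and keeping the permissive outcome (log and continue, as the 4.3 log lines show) and the enforcing outcome (refuse the session) in separate explicit returns so neither can bleed into the other. The selinuxfs path and all function names are assumptions.

```c
/* Added example (not OpenSSH code): how to act when the default SELinux
 * context for a user cannot be computed.  No libselinux required. */
#include <stdio.h>
#include <string.h>

enum ctx_action {
    CTX_ACT_PROCEED = 0,         /* context obtained: use it */
    CTX_ACT_CONTINUE_PERMISSIVE, /* log error(), keep the session */
    CTX_ACT_FATAL_ENFORCING,     /* refuse the session */
    CTX_ACT_FATAL_UNKNOWN        /* mode unknown: fail closed */
};

/* Parse <selinuxfs>/enforce: "1" enforcing, "0" permissive, -1 otherwise. */
int parse_enforce(const char *buf)
{
    if (buf == NULL || buf[0] == '\0') return -1;
    if (buf[1] != '\0' && buf[1] != '\n') return -1;   /* reject "10", "0x" */
    if (buf[0] == '1') return 1;
    if (buf[0] == '0') return 0;
    return -1;
}

/* Read the mode now, at session-open time, not a cached boot-time value.
 * Path is an assumption: /sys/fs/selinux/enforce on current kernels,
 * /selinux/enforce on the 2.6.21-era kernel in the report. */
int read_enforce_mode(const char *path)
{
    char buf[8];
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;                 /* unreadable: unknown, fail closed */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_enforce(buf);
}

/* ctx_ok: nonzero if a get_default_context()-style lookup succeeded. */
enum ctx_action decide_session(int ctx_ok, int mode)
{
    if (ctx_ok)    return CTX_ACT_PROCEED;
    if (mode == 1) return CTX_ACT_FATAL_ENFORCING;
    if (mode == 0) return CTX_ACT_CONTINUE_PERMISSIVE;
    return CTX_ACT_FATAL_UNKNOWN;
}

int main(void)
{
    /* Simulate the failed lookup from the report ("No valid tty"). */
    enum ctx_action a = decide_session(0, read_enforce_mode("/sys/fs/selinux/enforce"));
    printf("action=%d (1 = continue in permissive mode)\n", (int)a);
    return (a == CTX_ACT_PROCEED || a == CTX_ACT_CONTINUE_PERMISSIVE) ? 0 : 1;
}
```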