[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#430838: openssh-server: Detection of SELinux enforcing mode is broken

Package: openssh-server
Version: 1:4.6p1-2
Severity: grave
Justification: causes non-serious data loss

I just upgraded to this version of openssh on a system with SELinux
enabled but in permissive mode.  Thank goodness I left an SSH session
open: connections after that succeeded at authentication, but were
immediately closed by the server.  The following log messages appeared:

Jun 27 09:56:07 teleri sshd[12293]: pam_selinux: Open Session
Jun 27 09:56:07 teleri sshd[12293]: Unable to get valid context for bts, No valid tty
Jun 27 09:56:07 teleri sshd[12293]: error: PAM: pam_open_session(): Authentication failure
Jun 27 09:56:07 teleri sshd[12293]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for bts
Jun 27 09:56:07 teleri sshd[12293]: fatal: ssh_selinux_getctxbyname: Failed to get default SELinux security context for bts (in enforcing mode)

The machine was actually in permissive mode, though it had been booted
in enforcing mode.  After I downgraded to the testing 4.3 package, I saw
messages that correctly acknowledged that the machine was in permissive
mode:

Jun 27 10:01:32 teleri sshd[12501]: error: Failed to get default security context for bts.Continuing in permissive mode
Jun 27 10:01:32 teleri sshd[12499]: error: Failed to get default security context for bts.Continuing in permissive mode

So it looks like sshd's check for enforcing mode is broken.  This
behavior persisted regardless of whether I had sshd set to use PAM, and
regardless of whether pam_selinux was enabled in /etc/pam.d/ssh

-Brian

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (300, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.21-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser  3.103                           Add and remove users and groups
ii  debconf  1.5.13                          Debian configuration management sy
ii  dpkg     1.14.4                          package maintenance system for Deb
ii  libc6    2.5-11                          GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2007.04.07+dfsg-2 common error description library
ii  libkrb53 1.6.dfsg.1-5                    MIT Kerberos runtime libraries
ii  libpam-m 0.79-4                          Pluggable Authentication Modules f
ii  libpam-r 0.79-4                          Runtime support for the PAM librar
ii  libpam0g 0.79-4                          Pluggable Authentication Modules l
ii  libselin 2.0.15-2                        SELinux shared libraries
ii  libssl0. 0.9.8e-5                        SSL shared libraries
ii  libwrap0 7.6.dbs-13                      Wietse Venema's TCP wrappers libra
ii  lsb-base 3.1-23.1                        Linux Standard Base 3.1 init scrip
ii  openssh- 1:4.6p1-2                       secure shell client, an rlogin/rsh
ii  zlib1g   1:1.2.3.3.dfsg-2                compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/insecure_rshd:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/disable_cr_auth: false
  ssh/encrypted_host_key_but_no_keygen:
Reply to: