
Bug#430838: marked as done (openssh-server: Detection of SELinux enforcing mode is broken)



Your message dated Fri, 29 Jun 2007 09:17:04 +0000
with message-id <E1I4CbA-0003XZ-Ml@ries.debian.org>
and subject line Bug#430838: fixed in openssh 1:4.6p1-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: openssh-server
Version: 1:4.6p1-2
Severity: grave
Justification: causes non-serious data loss

I just upgraded to this version of openssh on a system with SELinux
enabled but in permissive mode.  Thank goodness I left an SSH session
open: connections after that succeeded at authentication, but were
immediately closed by the server.  The following log messages appeared:

Jun 27 09:56:07 teleri sshd[12293]: pam_selinux: Open Session
Jun 27 09:56:07 teleri sshd[12293]: Unable to get valid context for bts, No valid tty
Jun 27 09:56:07 teleri sshd[12293]: error: PAM: pam_open_session(): Authentication failure
Jun 27 09:56:07 teleri sshd[12293]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for bts
Jun 27 09:56:07 teleri sshd[12293]: fatal: ssh_selinux_getctxbyname: Failed to get default SELinux security context for bts (in enforcing mode)

The machine was actually in permissive mode, though it had been booted
in enforcing mode.  After I downgraded to the testing 4.3 package, I saw
messages that correctly acknowledged that the machine was in permissive
mode:

Jun 27 10:01:32 teleri sshd[12501]: error: Failed to get default security context for bts.Continuing in permissive mode
Jun 27 10:01:32 teleri sshd[12499]: error: Failed to get default security context for bts.Continuing in permissive mode

So it looks like sshd's check for enforcing mode is broken.  This
behavior persisted regardless of whether I had sshd set to use PAM, and
regardless of whether pam_selinux was enabled in /etc/pam.d/ssh.

-Brian

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (300, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.21-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser  3.103                           Add and remove users and groups
ii  debconf  1.5.13                          Debian configuration management sy
ii  dpkg     1.14.4                          package maintenance system for Deb
ii  libc6    2.5-11                          GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2007.04.07+dfsg-2 common error description library
ii  libkrb53 1.6.dfsg.1-5                    MIT Kerberos runtime libraries
ii  libpam-m 0.79-4                          Pluggable Authentication Modules f
ii  libpam-r 0.79-4                          Runtime support for the PAM librar
ii  libpam0g 0.79-4                          Pluggable Authentication Modules l
ii  libselin 2.0.15-2                        SELinux shared libraries
ii  libssl0. 0.9.8e-5                        SSL shared libraries
ii  libwrap0 7.6.dbs-13                      Wietse Venema's TCP wrappers libra
ii  lsb-base 3.1-23.1                        Linux Standard Base 3.1 init scrip
ii  openssh- 1:4.6p1-2                       secure shell client, an rlogin/rsh
ii  zlib1g   1:1.2.3.3.dfsg-2                compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/insecure_rshd:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/disable_cr_auth: false
  ssh/encrypted_host_key_but_no_keygen:


--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:4.6p1-3

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_4.6p1-3_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_4.6p1-3_powerpc.udeb
openssh-client_4.6p1-3_powerpc.deb
  to pool/main/o/openssh/openssh-client_4.6p1-3_powerpc.deb
openssh-server-udeb_4.6p1-3_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_4.6p1-3_powerpc.udeb
openssh-server_4.6p1-3_powerpc.deb
  to pool/main/o/openssh/openssh-server_4.6p1-3_powerpc.deb
openssh_4.6p1-3.diff.gz
  to pool/main/o/openssh/openssh_4.6p1-3.diff.gz
openssh_4.6p1-3.dsc
  to pool/main/o/openssh/openssh_4.6p1-3.dsc
ssh-askpass-gnome_4.6p1-3_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_4.6p1-3_powerpc.deb
ssh-krb5_4.6p1-3_all.deb
  to pool/main/o/openssh/ssh-krb5_4.6p1-3_all.deb
ssh_4.6p1-3_all.deb
  to pool/main/o/openssh/ssh_4.6p1-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 430838@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 29 Jun 2007 07:15:38 +0100
Source: openssh
Binary: ssh-askpass-gnome ssh-krb5 openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.6p1-3
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell server, an rshd replacement
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (transitional package)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 430154 430455 430838
Changes: 
 openssh (1:4.6p1-3) unstable; urgency=low
 .
   * Only build PIE executables on Linux and NetBSD (closes: #430455).
   * Fix broken switch fallthrough when SELinux is running in permissive mode
     (closes: #430838).
   * Document that HashKnownHosts may break tab-completion (closes: #430154).
Files: 
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGhMqd9t0zAhD6TNERAuJBAJ0cUmr2CWGFLWzcLeGBrrz28C0nigCeK0MC
H5lh0LCuW++YYb0i5NA9yL8=
=rHHr
-----END PGP SIGNATURE-----


--- End Message ---
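
The report's log shows an "error:" line immediately followed by a "fatal: ... (in enforcing mode)" line, and the changelog attributes this to a broken switch fallthrough. The C program below is an added example, not OpenSSH's source: the function names, the outcome enum and the log buffer are hypothetical, and the mode argument is assumed to follow the return convention of libselinux's security_getenforce().

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for sshd's session setup; not OpenSSH source. */
enum outcome { SESSION_CONTINUES, SESSION_KILLED };
static const char *names[] = { "continues", "killed" };
static char logbuf[512];	/* captured messages, reset on each call */

static void logmsg(const char *level, const char *user, const char *suffix)
{
	size_t n = strlen(logbuf);
	snprintf(logbuf + n, sizeof(logbuf) - n,
	    "%s: Failed to get default SELinux security context for %s%s\n",
	    level, user, suffix);
}

/* mode: 0 = permissive, 1 = enforcing, -1 = error (treated as fail closed). */
static enum outcome ctx_failure_buggy(int mode, const char *user)
{
	logbuf[0] = '\0';
	switch (mode) {
	case 0:
		logmsg("error", user, "");
		/* falls through - BUG: the break is missing here */
	default:
		logmsg("fatal", user, " (in enforcing mode)");
		return SESSION_KILLED;
	}
}

static enum outcome ctx_failure_fixed(int mode, const char *user)
{
	logbuf[0] = '\0';
	switch (mode) {
	case 0:
		logmsg("error", user, "");
		break;		/* permissive: log the failure, keep the session */
	default:
		logmsg("fatal", user, " (in enforcing mode)");
		return SESSION_KILLED;
	}
	return SESSION_CONTINUES;
}

int main(void)
{
	printf("buggy: %s\n%s", names[ctx_failure_buggy(0, "bts")], logbuf);
	printf("fixed: %s\n%s", names[ctx_failure_fixed(0, "bts")], logbuf);
	return 0;
}
```

Building with a fallthrough warning enabled (for example GCC's -Wimplicit-fallthrough) flags an unannotated case of this kind at compile time.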