Old 02-04-2010, 02:18 PM
"James B. Byrne"
 
Default OpenSSH-5.3p1 selinux problem on CentOS-5.4.

On Thu, February 4, 2010 10:08, Marc Wiatrowski wrote:
>
>>
>>
> Have you looked at using rssh as the users shell? You can limit the
> user to a chroot sftp only. Its not stock, but ssh can then be.
>
> http://dag.wieers.com/rpm/packages/rssh/
>

I looked at rssh briefly yesterday when someone suggested it. Had I
known of it before we started down this road then we might have used
it instead. However, at the moment we seem to have a working
solution and so we will stick with that for now.

I am not sure what effect disabling SELinux support in SSH actually
has from a security standpoint. So, if anyone cares to enlighten me
on the consequences I would like to know.

Regards,


--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 02-04-2010, 04:00 PM
Ned Slider
 
Default OpenSSH-5.3p1 selinux problem on CentOS-5.4.

James B. Byrne wrote:

<snip>

>
> I am not sure what effect disabling SELinux support in SSH actually
> has from a security standpoint. So, if anyone cares to enlighten me
> on the consequences I would like to know.
>


I was under the impression that sshd runs unconfined in the current CentOS?

$ ps axZ | grep sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh 2766 ? Ss 0:00
/usr/sbin/sshd

For example, you don't need to change the ssh_port in SELinux when
running the sshd on an alternative port, I assume because sshd is
running unconfined.

Also, it makes little sense to me to run sshd in a confined domain as an
ssh login will give the user a login (bash) shell, which also runs
unconfined:

$ ps axZ | grep bash
user_u:system_r:unconfined_t 8504 pts/3 Ss 0:00 /bin/bash
user_u:system_r:unconfined_t 16789 pts/4 Ss 0:00 /bin/bash

Or maybe I totally misunderstand?

 
Old 02-04-2010, 04:42 PM
"James B. Byrne"
 
Default OpenSSH-5.3p1 selinux problem on CentOS-5.4.

On Thu, February 4, 2010 12:00, Ned Slider wrote:
>
>
> I was under the impression that sshd runs unconfined in the current
> CentOS?
>
> $ ps axZ | grep sshd
> system_u:system_r:unconfined_t:SystemLow-SystemHigh 2766 ? Ss 0:00
> /usr/sbin/sshd
>
> For example, you don't need to change the ssh_port in SELinux when
> running the sshd on an alternative port, I assume because sshd is
> running unconfined.
>
> Also, it makes little sense to me to run sshd in a confined domain
> as an ssh login will give the user a login (bash) shell, which also
> runs unconfined:
>
> $ ps axZ | grep bash
> user_u:system_r:unconfined_t 8504 pts/3 Ss 0:00 /bin/bash
> user_u:system_r:unconfined_t 16789 pts/4 Ss 0:00 /bin/bash
>
> Or maybe I totally misunderstand?
>
>

Interesting. The OpenSSH-5.3p1 sshd that I built without selinux
enabled runs in this domain:

# ps axZ | grep sshd
user_u:system_r:initrc_t 1981 ? Ss 0:00
/opt/sbin/sshd


Whereas the CentOS-5.4 OpenSSH sshd runs like this:
# ps axZ | grep ssh
system_u:system_r:unconfined_t:SystemLow-SystemHigh 2681 ? Ss 0:00
/usr/sbin/sshd



 
Old 02-04-2010, 04:58 PM
"James B. Byrne"
 
Default OpenSSH-5.3p1 selinux problem on CentOS-5.4.

On Thu, February 4, 2010 05:28, Radu Radutiu wrote:
> Just for the reference if you want to keep SELINUX enabled and
> create a new instance of sshd (with the stock CentOS 5.4 sshd)
> with sftp only you can do the following:
>
> -create a copy of /etc/ssh/sshd_config e.g.
> cp /etc/ssh/sshd_config /etc/ssh/sftpd_config
>
> -change /add the following lines in sftpd_config
> Port 1234
> ChrootDirectory %h
> Subsystem sftp internal-sftp
> AllowUsers externaluser
>
>
> -let SELINUX know that port 1234 (or whatever you put in your
> sftpd_config) is of type ssh_port_t
>
> semanage port -a -t ssh_port_t -p tcp -n 1234
>
> -make sure that the sftp user's home directory respects the
> requirements of ChrootDirectory sshd_config directive : This path,
> and all its components, must be root-owned directories that are not
> writable by any other user or group. For file transfer sessions
> using
> "sftp", no additional configuration of the environment is
> necessary if
> the in-process sftp server is used
> chown root /home/externaluser
> chmod g-w /home/externaluser
>
> -create a directory in which externaluser will be able to write
> mkdir /home/externaluser/upload
> chown externaluser /home/externaluser/upload
>
> - create a copy of /etc/init.d/sshd init script
> cp /etc/init.d/sshd /etc/init.d/sftpd
> - modify it to reflect the sftpd_config config file and a new pid
> file
> - make it start automatically
> chkconfig --add sftpd
>
> Radu
>
>

Thank you for that. I did much the same as you suggest but, in the
end, decided to just run the 5.3 sshd instead. I have set SELinux
to enforcing on that host and sshd seems to work as expected. I
cannot tell what the --with-selinux compiler switch is meant to do.


 
