James B. Byrne
2010-Feb-03 14:37 UTC
[CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.
Note: I am a digest subscriber so if you could copy me directly on any reply to the list I would appreciate it very much.

I sent this to the OpenSSH list (secureshell at securityfocus.com) yesterday and received no response so I am asking here in hopes that someone else has run across this problem on CentOS.

We have encountered a situation that requires sftp access to one of our servers by an outside agency. This will be used for a data push application only and we need to secure our server from trespass via this access. After a modest amount of research we decided that the best answer was to use a more recent version of OpenSSH (5.3p1) that supports chroot as a configurable option. I obtained the software from the openssh.org website and built it using the libedit packages from the CentOS testing repo. These were the options used:

  ./configure --prefix=/opt --with-libedit --with-md5-passwords --with-pam --with-selinux --with-tcp-wrappers

The new server software works fine for regular ssh/sftp users. However, when logging on as a member of the chroot group we obtain this error:

  ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed

I have found reports of this exact error via Google in several places dating back to 2006, but these all seem to devolve into either: this has been fixed in version x.y.z on distribution Q, where x.y.z is less than 5.3 and Q is not CentOS. Or, the selinux filesystem has to be mounted inside the chroot directory. Since I assume the former is never going to happen for CentOS, at least not in time to do me any good, I am looking for an explanation of what the latter means and how it is accomplished.

Our current SELinux status on that host is:

  # sestatus
  SELinux status:                 enabled
  SELinuxfs mount:                /selinux
  Current mode:                   permissive
  Mode from config file:          permissive
  Policy version:                 21
  Policy from config file:        targeted

Our chroot directory path is: /var/data/sshchroot

The questions are:

1. Is it possible to mount the selinux filesystem twice on the same host having different roots?
2. If so, then how is this accomplished?
3. If not, then is there anything else that I can do, besides disabling selinux support in the sshd daemon, to get this to work?

Sincerely,

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
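A practical check for the chroot side of the setup described above, added here as an example and not code from the thread: sshd refuses to honour ChrootDirectory unless every component of the path, from / down to the chroot itself, is owned by root and is not group- or world-writable, so the writable drop area has to be a user-owned subdirectory inside a root-owned chroot. The script below walks a path and reports any component that breaks those rules. It assumes GNU coreutils stat(1); the OWNER_UID parameter, the "pushuser" account and the "incoming" directory name are placeholders, and the bind mount in the trailing comment is only the obvious reading of "mount the selinux filesystem inside the chroot", which the thread never confirms as a fix.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether a directory can be
# used as sshd's ChrootDirectory. sshd refuses to chroot unless every path
# component from / down to the chroot is owned by root and is not writable
# by group or others; the upload area must therefore be a user-owned
# subdirectory inside the root-owned chroot. Uses GNU coreutils stat(1).

# check_chroot_component DIR [OWNER_UID]
# Checks one directory and prints a reason on failure. OWNER_UID defaults to
# 0, which is what sshd requires; it is a parameter only so the check can be
# exercised on scratch directories by an unprivileged user.
check_chroot_component() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    uid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    crc=0
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected uid $want_uid"
        crc=1
    fi
    # 18 decimal is 022 octal: the group-write and other-write bits.
    if [ $(( 0$mode & 18 )) -ne 0 ]; then
        echo "$dir: mode $mode is group- or world-writable"
        crc=1
    fi
    return $crc
}

# check_chroot_path PATH [OWNER_UID]
# Walks from PATH up to / and checks every component; returns 0 only if
# all of them pass, which is the condition sshd itself enforces.
check_chroot_path() {
    p=$1
    want_uid=${2:-0}
    bad=0
    while :; do
        check_chroot_component "$p" "$want_uid" || bad=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $bad
}

# Usage: sh chroot-check.sh /var/data/sshchroot
# A layout that passes and still gives the remote party somewhere to write
# ("pushuser" is a placeholder account; both commands need root):
#   install -d -o root -g root -m 0755 /var/data/sshchroot
#   install -d -o pushuser -g pushuser -m 0700 /var/data/sshchroot/incoming
# The thread's other lead, mounting selinuxfs inside the chroot, would be
#   mount --bind /selinux /var/data/sshchroot/selinux
# which also needs root; nothing in the thread confirms it clears the
# ssh_selinux_getctxbyname error, so it is noted here and not run.
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "$1: acceptable as ChrootDirectory"
fi
```

Run it against the real chroot as root with no second argument; a clean run prints nothing but the final line. A common failure it catches is a chroot that was chowned to the sftp user so that uploads work, which is exactly what makes sshd refuse it.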
James B. Byrne wrote:
> Note: I am digest subscriber so if you could copy me directly on any
> reply to the list I would appreciate it very much.
>
<snip>
> After a modest amount of research we decided that the
> best answer was to use a more recent version of OpenSSH (5.3p1) that
> supports chroot as a configurable option.
>

I've not tested it, but I believe the chroot stuff was backported some while ago:

# rpm -q --changelog openssh | more
* Tue Dec 01 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-40
- close error file descriptor before running external subsystem (#537348)
* Tue Sep 15 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-36.2
- minimize chroot patch to be compatible with upstream (#522141)
* Tue Jun 23 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-36
- tiny change in chroot sftp capability into openssh-server solve ls speed problem (#440240)
* Tue May 26 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-35
- workaround to plaintext recovery attack against CBC ciphers CVE-2008-5161 (#502230)
* Fri May 15 2009 Tomas Mraz <tmraz at redhat.com> - 4.3p2-34
- disable protocol 1 in the FIPS mode
* Thu Apr 30 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-33
- fix scp hangup on exit (#454812)
- call integrity checks only on binaries which are part of the OpenSSH FIPS modules
* Mon Apr 20 2009 Tomas Mraz <tmraz at redhat.com> - 4.3p2-32
- log if FIPS mode is initialized (#492363)
- check the integrity of the binaries in the FIPS mode (#467268)
* Wed Apr 08 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-31
- fix ssh hangup on exit (#454812)
* Fri Mar 27 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-30
- add chroot sftp capability into openssh-server (#440240)
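The changelog above is the evidence that the stock package may already do what the source build was for. Added here as an example, and not code from the thread or the CentOS project: a small script that turns `rpm -q --changelog` output into the release that introduced a feature, plus a cross-check that asks the installed sshd whether it accepts a given configuration keyword at all. The sample input is an abridged copy of the changelog quoted in the reply, kept exactly as the list archive rendered it; the sshd check assumes sshd prints "Bad configuration option" for unknown keywords when run with `-t`, which is its standard behaviour.

```shell
#!/bin/sh
# Added example, not code from the thread: find out from the installed
# package's changelog which release first carried a feature, so you can
# tell whether the stock CentOS openssh already has what you were about to
# build from source. Input is the output of `rpm -q --changelog PKG`.

# changelog_first_release KEYWORD
# Reads changelog text on stdin. rpm prints entries newest first, each
# introduced by a "* Date Author - VERSION" header, so the last entry that
# mentions KEYWORD is the oldest one, i.e. the release that introduced it.
# Prints that release and returns 0, or prints nothing and returns 1.
changelog_first_release() {
    awk -v kw="$1" '
        /^\* /                                     { release = $NF; next }
        tolower($0) ~ tolower(kw) && release != "" { found = release }
        END { if (found == "") exit 1; print found }
    '
}

# sshd_accepts_option KEYWORD VALUE
# Cross-check against the binary itself: feed sshd a one-line config and
# see whether its parser rejects the keyword. Returns 0 if accepted,
# 1 if sshd reports "Bad configuration option", 2 if sshd is not available.
# Other complaints from -t (missing host keys, for instance) are ignored
# because they come after the config has been parsed.
sshd_accepts_option() {
    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd" ] || return 2
    cfg=$(mktemp) || return 2
    printf '%s %s\n' "$1" "$2" > "$cfg"
    if "$sshd" -t -f "$cfg" 2>&1 | grep -q 'Bad configuration option'; then
        rm -f "$cfg"
        return 1
    fi
    rm -f "$cfg"
    return 0
}

# Sample input: an abridged copy of the changelog quoted in the reply above,
# as the list archive rendered it ("jchadima at redhat.com" for the address).
sample_changelog() {
    cat <<'EOF'
* Tue Dec 01 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-40
- close error file descriptor before running external subsystem (#537348)
* Tue Sep 15 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-36.2
- minimize chroot patch to be compatible with upstream (#522141)
* Tue Jun 23 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-36
- tiny change in chroot sftp capability into openssh-server solve ls speed problem (#440240)
* Tue May 26 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-35
- workaround to plaintext recovery attack against CBC ciphers CVE-2008-5161 (#502230)
* Fri Mar 27 2009 Jan F. Chadima <jchadima at redhat.com> - 4.3p2-30
- add chroot sftp capability into openssh-server (#440240)
EOF
}

# Usage on a real host:
#   sh changelog-check.sh openssh chroot
#   sshd_accepts_option ChrootDirectory /var/empty && echo "sshd knows ChrootDirectory"
if [ $# -gt 0 ]; then
    rpm -q --changelog "$1" | changelog_first_release "${2:-chroot}"
else
    sample_changelog | changelog_first_release chroot
fi
```

On the sample it prints 4.3p2-30, the release the reply points at. The changelog only proves the patch was applied; the sshd_accepts_option check is the one that tells you the binary on the box actually parses ChrootDirectory, which is what matters before you write a Match block for it.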
Instead, might the use of SCP (instead of sftp subsystem) and a limited shell be able to achieve your goal?

I found this when googling for "limited shell": http://lshell.ghantoos.org/

Look at the "Use case". There's also rbash, but on first glance lshell looks quite promising.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com
James B. Byrne wrote:
<snip>
>
> The new server software works fine for regular ssh/sftp users.
> However, when logging on as a member of the chroot group we obtain
> this error:
>
> ssh_selinux_getctxbyname: ssh_selinux_getctxbyname:
> security_getenforce() failed
>
<snip>
>
> # sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: permissive
> Policy version: 21
> Policy from config file: targeted
>

What happens if you enable SELinux, i.e., set it to enforcing? Do you still see the same error message above?
James B. Byrne
2010-Feb-03 17:37 UTC
[CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.
On Wed, February 3, 2010 12:02, Ned Slider wrote:
>
> What happens if you enable SELinux, i.e., set it to enforcing? Do you
> still see the same error message above?
>

I have rebuilt the thing without SELinux support and all seems to be working now. Since, other than the sftp user, there are only administrative users that log into the target host via ssh, this seems an acceptable approach.

I am contemplating running the 5.3p1 version as a separate instance listening on a separate port instead of replacing the CentOS version.

Thanks,

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
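Running the 5.3p1 build as a second instance on its own port, as contemplated above, means a second sshd_config, and the mistakes that matter there are easy to make: a global ChrootDirectory confines the administrators too, an external sftp-server cannot be executed from inside the chroot, and two daemons sharing a pid file fight each other. Added here as an example and not code from the thread: a linter for such a config, shown against a constructed weak config and a constructed hardened one. The directives it checks (Port, PidFile, Subsystem, Match, ChrootDirectory, ForceCommand, AllowTcpForwarding, X11Forwarding, AllowGroups) are standard OpenSSH ones; the group name "sftponly", port 2222, the pid file path and the config file name are placeholders, /opt/sbin/sshd follows from the --prefix=/opt build in the first post, and the linter assumes a single Match block.

```shell
#!/bin/sh
# Added example, not from the thread: lint an sshd_config meant for a
# second, sftp-only sshd instance running alongside the stock daemon.
# Group name "sftponly", port 2222 and the paths are placeholders.

# lint_sftp_config FILE
# Prints one line per problem and returns 1 if any were found.
# Assumes at most one Match block.
lint_sftp_config() {
    awk '
    function problem(msg) { print "  - " msg; return 1 }
    { sub(/#.*/, "") }                         # strip comments
    /^[ \t]*$/ { next }                        # skip blank lines
    tolower($1) == "match" { in_match = 1; next }
    {
        key = tolower($1); val = $2
        if (key == "subsystem") val = $3       # "Subsystem sftp <handler>"
        if (in_match) m[key] = val; else g[key] = val
    }
    END {
        n = 0
        if (!("port" in g) || g["port"] == "22")
            n += problem("Port must be set and differ from the stock sshd on 22")
        if (!("pidfile" in g))
            n += problem("PidFile not set; both instances would use the default pid file")
        if (g["subsystem"] != "internal-sftp")
            n += problem("Subsystem sftp should be internal-sftp; an external sftp-server is not reachable from inside the chroot")
        if ("chrootdirectory" in g)
            n += problem("ChrootDirectory set globally confines every user, not just the sftp group")
        if (!in_match)
            n += problem("no Match block: the restrictions are not tied to the sftp group")
        else {
            if (!("chrootdirectory" in m))     n += problem("Match block lacks ChrootDirectory")
            if (m["forcecommand"] != "internal-sftp") n += problem("Match block lacks ForceCommand internal-sftp")
            if (m["allowtcpforwarding"] != "no") n += problem("Match block lacks AllowTcpForwarding no")
            if (m["x11forwarding"] != "no")    n += problem("Match block lacks X11Forwarding no")
        }
        exit (n > 0)
    }' "$1"
}

# Constructed "before": appears to confine the push user, but the chroot
# applies to the admins as well, port 22 and the pid file already belong to
# the stock daemon, and sftp-server lives outside the chroot.
weak_config() {
    cat <<'EOF'
Port 22
Subsystem sftp /usr/libexec/openssh/sftp-server
ChrootDirectory /var/data/sshchroot
EOF
}

# Constructed "after": a separate instance on its own port and pid file
# that serves only the sftp group and confines it to the chroot.
hardened_config() {
    cat <<'EOF'
Port 2222
PidFile /var/run/sshd-sftp.pid
Protocol 2
AllowGroups sftponly
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /var/data/sshchroot
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Usage: sh sftp-lint.sh /etc/ssh/sshd_config.sftp, then start the instance
# (binary path assumes the --prefix=/opt build from the first post):
#   /opt/sbin/sshd -t -f /etc/ssh/sshd_config.sftp && /opt/sbin/sshd -f /etc/ssh/sshd_config.sftp
if [ $# -gt 0 ]; then
    lint_sftp_config "$1" && echo "$1: no problems found"
else
    for c in weak hardened; do
        f=$(mktemp); ${c}_config > "$f"
        echo "$c config:"; lint_sftp_config "$f" && echo "  ok"
        rm -f "$f"
    done
fi
```

Without arguments it lints the two embedded configs: the weak one produces five findings, the hardened one none. AllowGroups keeps the administrative accounts off the new port entirely, so the instance built without SELinux support only ever sees the push user.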
James B. Byrne
2010-Feb-04 15:18 UTC
[CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.
On Thu, February 4, 2010 10:08, Marc Wiatrowski wrote:
>
>>
>>
> Have you looked at using rssh as the user's shell? You can limit the
> user to a chroot sftp only. It's not stock, but ssh can then be.
>
> http://dag.wieers.com/rpm/packages/rssh/
>

I looked at rssh briefly yesterday when someone suggested it. Had I known of it before we started down this road then we might have used it instead. However, at the moment we seem to have a working solution and so we will stick with that for now.

I am not sure what effect disabling SELinux support in SSH actually has from a security standpoint. So, if anyone cares to enlighten me on the consequences I would like to know.

Regards,

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3