# [SELinux] Trouble Logging in Remotely Using SSH

## mtamizi

I'm having trouble with logging in remotely using SSH after copying my version of Hardened Gentoo with SELinux to a new hard drive.  After copying the old drive to the new one, I rebooted and ran `make relabel`.  Everything seems to work fine except for sshd, which worked before I swapped drives.  I even tried following the instructions in http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-handbook.xml?part=5&chap=3.

I tried the following based on the guide:

```
# rlpkg openssh
# /etc/init.d/sshd restart
```

I still get the following output for `sestatus -v`, which has the incorrect context type for /usr/sbin/sshd:

```
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           permissive
Policy version:         15

Process contexts:
Current context:        matin:sysadm_r:sysadm_t
Init context:           system_u:system_r:init_t
/sbin/agetty            system_u:system_r:getty_t
/usr/sbin/sshd          system_u:system_r:initrc_t   ###This should be system_u:system_r:sshd_t

File contexts:
Controlling term:       matin:object_r:sysadm_devpts_t
/sbin/init              system_u:object_r:init_exec_t
/sbin/agetty            system_u:object_r:getty_exec_t
/bin/login              system_u:object_r:login_exec_t
/usr/sbin/sshd          system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd       system_u:object_r:chkpwd_exec_t
/etc/passwd             system_u:object_r:etc_t
/etc/shadow             system_u:object_r:shadow_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash               system_u:object_r:shell_exec_t
/bin/tcsh               system_u:object_r:shell_exec_t
/bin/csh                system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/sash               system_u:object_r:shell_exec_t
/usr/bin/gdm            system_u:object_r:bin_t
/usr/X11R6/bin/xdm      system_u:object_r:bin_t
/lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:ld_so_t
```

Is this the cause of the problem? If so, how do I fix it?

Last edited by mtamizi on Fri Jan 07, 2005 4:45 pm; edited 2 times in total
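
Added example, not part of any post in this thread: a Python check for the mismatch flagged in the `sestatus -v` output above, where `/usr/sbin/sshd` is labelled `sshd_exec_t` on disk but runs as `initrc_t`. It assumes the `X_exec_t` to `X_t` naming convention, and the function names are illustrative.

```python
# Added example: heuristic check, assuming a file labelled X_exec_t should run
# in domain X_t (a naming convention, not a policy guarantee).
# SAMPLE is trimmed from the `sestatus -v` output in the first post.
SAMPLE = """\
Process contexts:
Init context:           system_u:system_r:init_t
/sbin/agetty            system_u:system_r:getty_t
/usr/sbin/sshd          system_u:system_r:initrc_t
File contexts:
/sbin/agetty            system_u:object_r:getty_exec_t
/usr/sbin/sshd          system_u:object_r:sshd_exec_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
"""


def parse_sestatus(text):
    """Return ({path: type} for processes, {path: type} for files)."""
    sections = {"Process contexts:": {}, "File contexts:": {}}
    current = None
    for raw in text.splitlines():
        parts = raw.split()
        if raw.strip() in sections:
            current = sections[raw.strip()]
        elif current is not None and len(parts) >= 2 and parts[0].startswith("/"):
            # Symlinks print "link_ctx -> target_ctx"; use the target's label.
            ctx = parts[parts.index("->") + 1] if "->" in parts[:-1] else parts[1]
            fields = ctx.split(":")  # user:role:type[:level]
            current[parts[0]] = fields[2] if len(fields) >= 3 else None
    return sections["Process contexts:"], sections["File contexts:"]


def mismatched_domains(text):
    """List (path, running_type, expected_type) for daemons in the wrong domain."""
    procs, files = parse_sestatus(text)
    findings = []
    for path, running in sorted(procs.items()):
        exec_type = files.get(path) or ""
        if exec_type.endswith("_exec_t"):
            expected = exec_type[: -len("_exec_t")] + "_t"
            if running != expected:
                findings.append((path, running, expected))
    return findings


if __name__ == "__main__":
    for path, running, expected in mismatched_domains(SAMPLE):
        print(f"{path}: running as {running}, expected {expected}")
```
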

----------

## mtamizi

The following shows my output for ssh -vvv localhost.  I appreciate any help.

```
$ ssh -vvv localhost
OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
.
.
.
Password:
debug3: packet_send2: adding 32 (len 26 padlen 6 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t3 r-1 i0/0 o0/0 fd 4/5 cfd -1)
debug3: channel 0: close_fds r 4 w 5 e 6 c -1
Connection to localhost closed by remote host.
Connection to localhost closed.
debug1: Transferred: stdin 0, stdout 0, stderr 81 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 3708.0
debug1: Exit status -1
```

----------

## mtamizi

sshd log has:

```
Jan  7 11:46:54 [sshd] Accepted keyboard-interactive/pam for matin from 127.0.0.1 port 38168 ssh2
Jan  7 11:46:54 [sshd] PAM pam_putenv: delete non-existent entry; XAUTHORITY
Jan  7 11:46:54 [sshd] fatal: Failed to get default security context for matin.
Jan  7 11:46:54 [sshd] PAM pam_putenv: delete non-existent entry; XAUTHORITY
```

----------

## mtamizi

I can get sshd to start in the proper context by using the following:

```
# runcon system_u:system_r:sshd_t /usr/sbin/sshd
```

However, I still get the following error in my sshd log:

```
[sshd] fatal: Failed to get default security context for matin.
```

What useful information can I gather from this?

----------

## Parksy

 *mtamizi wrote:*   

> I can get sshd to start in the proper context by using the following:
> 
> ```
> # runcon system_u:system_r:sshd_t /usr/sbin/sshd
> ```
> ...

 

I have resolved a problem similar to this one.  I was getting that fatal error message when trying to log in with any non-root user.

I followed the handbook's troubleshooting section and didn't get any success initially.  However, I have realized that my problem was not fixed because I was running `/etc/init.d/sshd restart` instead of `run_init /etc/init.d/sshd restart`.

I'm running selinux in permissive mode.  According to `sestatus -v`, ssh still isn't labelled correctly, but it is working.

----------

## Ritter

I wasn't able to log in remotely after making a new policy and restarting sshd.  I tried your suggestion and can now log in fine, while the labeling didn't change at all.  Can anyone explain for someone new to selinux what the difference was that resolved this?

----------

## vladgrigorescu

Please add [Solved] to the title.  Thanks!

----------

