[ubuntu-hardened] allow ssh using selinux in permissive mode

Stephen Carpenter, KSC sjc at carpanet.net
Wed Dec 19 20:29:33 UTC 2012


On Wed, Dec 19, 2012 at 05:22:10PM +0530, sruthi mohan wrote:
> Hi,
> I have installed SELinux on Ubuntu 11.10. SELinux is in permissive mode.
> I am unable to connect remotely through ssh.
> I have done semodule -DB. I did not find any ssh related messages in
> audit.log.

Permissive mode logs rather than blocks, so I am skeptical that it's the
cause. If SELinux was the issue, I would expect it to log errors but work
anyway. If nothing is logged, then SELinux likely blocked nothing.

Check the auth.log - that is where you will typically find ssh messages.

Then I would look into using "ssh -vvv" when connecting, look for where
it is failing. If that wasn't terribly telling, I would start
looking to turn on sshd debugging, capture packets with tcpdump, and
turn on pam debugging, roughly in that order.

If you REALLY think it is still selinux, try rebooting with it completely
disabled on boot. It is more likely you are seeing an account or auth issue.
Could be anything from a bad shell or file/directory permissions, to a bad
pam config, or even too many keys in your ssh agent (not sure if this
changes with versions but I have seen each one count as an auth attempt...
causing it to fail before getting to password auth)

Good luck, ssh/auth issues can be finicky.... even with selinux disabled.

-Steve
-- 
"I may grow rich by an art I am compelled to follow; I may recover
 health by medicines I am compelled to take against my own judgment;
 but I cannot be saved by a worship I disbelieve and abhor."
               -- Thomas Jefferson
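
Added example (not part of Steve's reply): a POSIX shell triage that sorts sshd lines from auth.log into the failure causes the reply lists. The log lines are constructed samples, and the matched strings are OpenSSH/PAM messages whose wording can differ between versions, so the patterns are assumptions to adjust.

```shell
#!/bin/sh
# Added example: sort sshd lines from auth.log into the failure causes
# named in the reply. Patterns are OpenSSH/PAM log strings; wording can
# vary by version, so treat them as assumptions to adjust.

# classify_sshd_line LINE: print one cause label for a single log line.
classify_sshd_line() {
  case "$1" in
    *"Too many authentication failures"*|*"maximum authentication attempts exceeded"*)
      echo "too-many-keys-or-attempts" ;;   # e.g. an agent offering many keys
    *"bad ownership or modes"*)
      echo "file-or-directory-permissions" ;;
    *"not allowed because shell"*)
      echo "bad-shell" ;;
    *"pam_"*"authentication failure"*|*"PAM: "*)
      echo "pam" ;;
    *"Failed password"*|*"Failed publickey"*)
      echo "credential-rejected" ;;
    *)
      echo "unclassified" ;;
  esac
}

# triage_auth_log: read a log on stdin, print "COUNT CAUSE", most frequent
# first. Only lines written by sshd are considered.
triage_auth_log() {
  grep -E ' sshd\[[0-9]+\]: ' | while IFS= read -r line; do
    classify_sshd_line "$line"
  done | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed sample lines (hypothetical host, users and addresses).
sample_auth_log() {
  cat <<'EOF'
Dec 19 20:01:02 host sshd[1201]: Authentication refused: bad ownership or modes for directory /home/alice/.ssh
Dec 19 20:02:10 host sshd[1215]: User bob not allowed because shell /bin/zsh does not exist
Dec 19 20:03:44 host sshd[1230]: Disconnecting: Too many authentication failures for carol [preauth]
Dec 19 20:04:05 host sshd[1242]: Disconnecting: Too many authentication failures for carol [preauth]
Dec 19 20:05:31 host sshd[1250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=dave
Dec 19 20:05:33 host sshd[1250]: Failed password for dave from 192.0.2.10 port 50022 ssh2
Dec 19 20:06:00 host CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# Real use: triage_auth_log < /var/log/auth.log
sample_auth_log | triage_auth_log
```

An empty result means sshd logged none of these causes, which points back to the client-side "ssh -vvv" output or sshd debugging as the next step.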


