SSH from remote location error -2.6.11


SSH from remote location error -2.6.11

Postby pac_red » Mon May 09, 2005 9:45 am

Hello,
With the RBAC system enabled I try to ssh onto the 2.6.11 kernel and I get the following error message.

ssh_exchange_identification: Connection closed by remote host

Then I cannot logon.

Does anyone know what I have to add to the acl in order to make ssh work?

In learning mode I know that I ssh'ed onto the box many times from different client locations.

The screen error says:
(default:D:/usr/sbin/sshd) denied open of /proc/14128/mounts for reading by /usr/sbin/sshd[sshd:14128] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:31076] uid/euid:0/0 gid/egid:0/0

The acl rule is:

subject /usr/sbin/sshd o {
user_transition_allow root
group_transition_allow root

/
/bin h
/bin/bash
/dev h
/dev/log rw
/dev/null rw
/dev/ptmx rw
/dev/pts rw
/dev/urandom r
/etc r
/etc/grsec h
/lib rx
/usr h
/usr/lib rx
/usr/sbin h
/usr/sbin/sshd x
/var h
/var/empty/sshd
/var/log
/var/log/lastlog rw
/var/log/wtmp w
/var/run/utmp rw
/proc r
/proc/kcore h
/proc/bus h
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
bind this_box_ip_address/32:22 stream tcp
bind 0.0.0.0/32:0 dgram ip
connect my_dns_server/32:53 dgram udp
}
pac_red
 
Posts: 7
Joined: Fri Sep 17, 2004 7:01 pm
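The denial line quoted above is the kind of message you end up sifting through when tuning a subject like this. The parser below is an added example, not code from this thread or from gradm: it assumes the field layout of that one message, splits it into role, subject, operation, path, process and uid/gid fields, and groups repeats across sshd children so the same denial shows up once with a count.

```python
import re
from collections import Counter

# Pattern for the RBAC denial line quoted in this thread. The field layout is
# assumed from that single message; other grsecurity log formats are not handled.
DENIAL_RE = re.compile(
    r"\((?P<role>[^:]+):(?P<role_type>[A-Z]):(?P<subject>[^)]+)\)\s+"
    r"denied\s+(?P<op>\w+)\s+of\s+(?P<path>\S+)\s+for\s+(?P<mode>\w+)\s+"
    r"by\s+(?P<proc>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]\s+"
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)\s+gid/egid:(?P<gid>\d+)/(?P<egid>\d+)"
    r"(?:,\s+parent\s+(?P<parent>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\])?"
)
INT_FIELDS = ("pid", "uid", "euid", "gid", "egid", "ppid")

def parse_denial(line):
    """Return the denial's fields as a dict, or None for any other line."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in INT_FIELDS:
        if d[k] is not None:
            d[k] = int(d[k])
    return d

def normalize_path(path):
    """Collapse /proc/<pid> so the same denial from different sshd children
    groups together (a triage convention of this script, not grsec syntax)."""
    return re.sub(r"^/proc/\d+(?=/|$)", "/proc/<pid>", path)

def summarize(lines):
    """Count denials by (subject, op, mode, normalized path)."""
    counts = Counter()
    for d in filter(None, map(parse_denial, lines)):
        counts[(d["subject"], d["op"], d["mode"], normalize_path(d["path"]))] += 1
    return counts

# Constructed sample: the line from this thread plus a made-up second child.
SAMPLE_LOG = [
    "(default:D:/usr/sbin/sshd) denied open of /proc/14128/mounts for reading "
    "by /usr/sbin/sshd[sshd:14128] uid/euid:0/0 gid/egid:0/0, parent "
    "/usr/sbin/sshd[sshd:31076] uid/euid:0/0 gid/egid:0/0",
    "(default:D:/usr/sbin/sshd) denied open of /proc/14201/mounts for reading "
    "by /usr/sbin/sshd[sshd:14201] uid/euid:0/0 gid/egid:0/0, parent "
    "/usr/sbin/sshd[sshd:31076] uid/euid:0/0 gid/egid:0/0",
    "sshd[14128]: ssh_exchange_identification: Connection closed by remote host",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```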

me too

Postby bmcmurphy » Tue May 10, 2005 8:23 pm

I've had the same problem with 2.6.11. I wasn't convinced it was due to RBAC though, because after sshd gets into this state, disabling grsecurity doesn't fix the problem. In order to fix it, I usually have to restart sshd, although sometimes just killing a few of the sshd processes is enough.

If you disable grsec, does sshd start accepting connections again?

Jim
bmcmurphy
 
Posts: 13
Joined: Wed Dec 11, 2002 10:53 am

Postby pac_red » Wed May 11, 2005 12:49 am

Yes,
./gradm -D

allows me to ssh onto the box, without rebooting, or killing processes.

Thank you for your reply.
pac_red
 
Posts: 7
Joined: Fri Sep 17, 2004 7:01 pm

sshd 4.0

Postby bmcmurphy » Fri May 13, 2005 4:19 pm

I just upgraded to sshd 4.0p1 and this problem has gone away for me. However, if I set my policy to restrict access to /etc for sshd, the entire system slows to a crawl when an ssh client connects.

I ended up having to give read access to certain files such as /etc/passwd, /etc/ldap.conf, and a bunch of other ones, and used ext3 ACLs to restrict access on those same files. It's an ugly workaround, but the performance is fast and the files are still safe.

Cheers,

bmc
bmcmurphy
 
Posts: 13
Joined: Wed Dec 11, 2002 10:53 am
