Package: openssh-server Version: 1:4.6p1-2 Severity: grave Justification: causes non-serious data loss
I just upgraded to this version of openssh on a system with SELinux enabled but in permissive mode. Thank goodness I left an SSH session open: connections after that succeeded at authentication, but were immediately closed by the server. The following log messages appeared: Jun 27 09:56:07 teleri sshd[12293]: pam_selinux: Open Session Jun 27 09:56:07 teleri sshd[12293]: Unable to get valid context for bts, No valid tty Jun 27 09:56:07 teleri sshd[12293]: error: PAM: pam_open_session(): Authentication failure Jun 27 09:56:07 teleri sshd[12293]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for bts Jun 27 09:56:07 teleri sshd[12293]: fatal: ssh_selinux_getctxbyname: Failed to get default SELinux security context for bts (in enforcing mode) The machine was actually in permissive mode, though it had been booted in enforcing mode. After I downgraded to the testing 4.3 package, I saw messages that correctly acknowledged that the machine was in permissive mode: Jun 27 10:01:32 teleri sshd[12501]: error: Failed to get default security context for bts.Continuing in permissive mode Jun 27 10:01:32 teleri sshd[12499]: error: Failed to get default security context for bts.Continuing in permissive mode So it looks like sshd's check for enforcing mode is broken. This behavior persisted regardless of whether I had sshd set to use PAM, and regardless of whether pam_selinux was enabled in /etc/pam.d/ssh -Brian -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (300, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.21-1-686 (SMP w/1 CPU core) Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages openssh-server depends on: ii adduser 3.103 Add and remove users and groups ii debconf 1.5.13 Debian configuration management sy ii dpkg 1.14.4 package maintenance system for Deb ii libc6 2.5-11 GNU C Library: Shared libraries ii libcomer 1.39+1.40-WIP-2007.04.07+dfsg-2 common error description library ii libkrb53 1.6.dfsg.1-5 MIT Kerberos runtime libraries ii libpam-m 0.79-4 Pluggable Authentication Modules f ii libpam-r 0.79-4 Runtime support for the PAM librar ii libpam0g 0.79-4 Pluggable Authentication Modules l ii libselin 2.0.15-2 SELinux shared libraries ii libssl0. 0.9.8e-5 SSL shared libraries ii libwrap0 7.6.dbs-13 Wietse Venema's TCP wrappers libra ii lsb-base 3.1-23.1 Linux Standard Base 3.1 init scrip ii openssh- 1:4.6p1-2 secure shell client, an rlogin/rsh ii zlib1g 1:1.2.3.3.dfsg-2 compression library - runtime openssh-server recommends no packages. -- debconf information: ssh/insecure_rshd: ssh/insecure_telnetd: ssh/new_config: true * ssh/use_old_init_script: true * ssh/disable_cr_auth: false ssh/encrypted_host_key_but_no_keygen: -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
