Gus Wirth wrote:
> I have a Fedora 8 system that I have updated to the latest packages
> available except the kernel, which is still at 2.6.23.1-49.fc8.
>
> With selinux turned on in enforcing mode I can no longer log in using
> ssh with my password. If I change selinux to permissive mode, I can log in.
>
> I have filed a bug report 411461 at <http://bugzilla.redhat.com> with a
> few more details.
>
> Has anyone else seen this, or do you run your systems in permissive mode
> and don't notice it?

You could consider this a self-inflicted wound.

The selinux policy was written to support sshd password authentication using PAM (Pluggable Authentication Modules). By default, sshd does NOT use PAM unless you tell it to, using an option in the /etc/ssh/sshd_config file:

    UsePAM yes

Without that option, sshd tries to do its own password authentication by directly reading the /etc/shadow file. In this case, reading the file is prohibited by the selinux policy.

I had an older sshd_config file that I copied over because it contained entries for the High Performance Networking patch <http://www.psc.edu/networking/projects/hpn-ssh/> as seen in a previous thread. Unfortunately, it had the UsePAM option commented out, and my messing around with the sshd_config file and the update to the selinux policies was coincidental.

I have to give accolades to Dan Walsh at Redhat for figuring this out. It never would have occurred to me to check PAM authentication for sshd. Up until recently it had "just worked" and now it does again.

Gus
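
Added example, not part of the original post: a shell check for the situation described above, where a copied-over sshd_config leaves UsePAM commented out on a host with SELinux enforcing. The function names and the sample config are hypothetical; the SELinux mode is passed in as the string that `getenforce` prints.

```sh
#!/bin/sh
# Print the UsePAM value sshd would take from the config file $1.
# Rules from sshd_config(5): keywords are case-insensitive, lines starting
# with "#" are comments, and the first value obtained for a keyword wins.
# Assumptions: no Include directives; parsing stops at the first Match
# block because UsePAM is a global-only option.
effective_usepam() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || substr(line, 1, 1) == "#") next
        sub(/[ \t]*[= \t][ \t]*/, " ", line)   # first separator -> one space
        split(line, f, " ")
        key = tolower(f[1]); val = tolower(f[2])
        gsub(/"/, "", val)                     # arguments may be quoted
        if (key == "match") exit
        if (key == "usepam") { print val; found = 1; exit }
    }
    END { if (!found) print "no" }             # compiled-in default
    ' "$1"
}

# $1 = sshd_config path, $2 = SELinux mode (defaults to getenforce output).
# Returns 1 for the combination from the post: sshd checking passwords
# against /etc/shadow itself while the policy is enforcing.
audit_sshd_password_auth() {
    mode=${2:-$(getenforce 2>/dev/null || echo Disabled)}
    pam=$(effective_usepam "$1")
    if [ "$pam" = yes ]; then
        echo "OK: UsePAM yes, password auth goes through PAM"
    elif [ "$mode" = Enforcing ]; then
        echo "FAIL: UsePAM $pam with SELinux Enforcing, sshd shadow read is denied"
        return 1
    else
        echo "WARN: UsePAM $pam, not blocked only because SELinux is $mode"
    fi
}

# Constructed sample: an old config copied over with UsePAM commented out.
sample=$(mktemp)
printf '%s\n' 'Port 22' '#UsePAM yes' 'PasswordAuthentication yes' > "$sample"
audit_sshd_password_auth "$sample" Enforcing || true
rm -f "$sample"
```

Run `audit_sshd_password_auth /etc/ssh/sshd_config` after replacing or merging an sshd_config and before restarting sshd on an enforcing host.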
