When I try to use 'passwd' through ssh (non-interactive, shell-less
session), the command appears to hang until a Ctrl+C is pressed:
ssh [EMAIL PROTECTED] 'passwd'
Password: <login password correctly inserted>
Killed by signal 2. <after Ctrl+C>
[EMAIL PROTECTED] ~]# echo $?
255
The strange thing: if I try the same thing from a different box (not
RHEL5-based, actually a Debian machine) I get the following (note: the
passwords ARE ACTUALLY ECHOED as shown):
-----------cut-here--------------
[EMAIL PROTECTED]:~$ ssh [EMAIL PROTECTED] passwd
Password:
(current) UNIX password: [EMAIL PROTECTED]
Enter new password: [EMAIL PROTECTED]
Weak password: is the same as the old one.
Enter new password: [EMAIL PROTECTED]
Weak password: is the same as the old one.
Enter new password: [EMAIL PROTECTED]
Weak password: is the same as the old one.
passwd: Authentication token manipulation error
Changing password for user ealuser.
Changing password for ealuser
You can now choose the new password or passphrase.
A valid password should be a mix of upper and lower case letters,
digits, and other characters. You can use a 12 character long
password with characters from at least 3 of these 4 classes, or
an 8 character long password containing characters from all the
classes. An upper case letter that begins the password and a
digit that ends it do not count towards the number of character
classes used.
A passphrase should be of at least 3 words, 16 to 40 characters
long and contain enough different characters.
Alternatively, if noone else can see your terminal now, you can
pick this as your password: "reject!beer&tomb".
Try again.
You can now choose the new password or passphrase.
A valid password should be a mix of upper and lower case letters,
digits, and other characters. You can use a 12 character long
password with characters from at least 3 of these 4 classes, or
an 8 character long password containing characters from all the
classes. An upper case letter that begins the password and a
digit that ends it do not count towards the number of character
classes used.
A passphrase should be of at least 3 words, 16 to 40 characters
long and contain enough different characters.
Alternatively, if noone else can see your terminal now, you can
pick this as your password: "reject;coil:foam".
Try again.
You can now choose the new password or passphrase.
A valid password should be a mix of upper and lower case letters,
digits, and other characters. You can use a 12 character long
password with characters from at least 3 of these 4 classes, or
an 8 character long password containing characters from all the
classes. An upper case letter that begins the password and a
digit that ends it do not count towards the number of character
classes used.
A passphrase should be of at least 3 words, 16 to 40 characters
long and contain enough different characters.
Alternatively, if noone else can see your terminal now, you can
pick this as your password: "aerial;mend;rise".
[EMAIL PROTECTED]:~$ echo $?
1
[EMAIL PROTECTED]:~$
---------------------cut-here---------------------------
===========AVCs (prior case)========================
type=USER_AUTH msg=audit(1168099882.949:1175): user pid=3950 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM:
authentication acct=ealuser : exe="/usr/sbin/sshd"
(hostname=rhel5lspp.example.com, addr=127.0.0.1, terminal=ssh res=success)'
type=USER_ACCT msg=audit(1168099883.029:1176): user pid=3950 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM:
accounting acct=ealuser : exe="/usr/sbin/sshd" (hostname=rhel5lspp.example.com,
addr=127.0.0.1, terminal=ssh res=success)'
type=CRED_ACQ msg=audit(1168099883.089:1177): user pid=3948 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: setcred
acct=ealuser : exe="/usr/sbin/sshd" (hostname=rhel5lspp.example.com,
addr=127.0.0.1, terminal=ssh res=success)'
type=LOGIN msg=audit(1168099883.105:1178): login pid=3948 uid=0 old
auid=4294967295 new auid=500
type=AVC msg=audit(1168099883.173:1179): avc: granted { setexec } for
pid=3948 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168099883.173:1179): arch=40000003 syscall=4
success=yes exit=40 a0=5 a1=9791e98 a2=28 a3=794771 items=0 ppid=1281 pid=3948
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023
key=(null)
type=AVC msg=audit(1168099883.313:1180): avc: granted { setexec } for
pid=3953 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168099883.313:1180): arch=40000003 syscall=4
success=yes exit=0 a0=5 a1=0 a2=0 a3=794771 items=0 ppid=3948 pid=3953 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd"
exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168099883.421:1181): avc: granted { setexec } for
pid=3954 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168099883.421:1181): arch=40000003 syscall=4
success=yes exit=0 a0=5 a1=0 a2=0 a3=794771 items=0 ppid=3948 pid=3954 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd"
exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168099883.533:1182): avc: granted { setexec } for
pid=3955 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168099883.533:1182): arch=40000003 syscall=4
success=yes exit=0 a0=5 a1=0 a2=0 a3=794771 items=0 ppid=3948 pid=3955 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd"
exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=USER_START msg=audit(1168099883.597:1183): user pid=3948 uid=0 auid=500
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: session open
acct=ealuser : exe="/usr/sbin/sshd" (hostname=rhel5lspp.example.com,
addr=127.0.0.1, terminal=ssh res=success)'
type=CRED_REFR msg=audit(1168099883.625:1184): user pid=3956 uid=0 auid=500
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: setcred acct=ealuser :
exe="/usr/sbin/sshd" (hostname=rhel5lspp.example.com, addr=127.0.0.1,
terminal=ssh res=success)'
type=AVC msg=audit(1168099883.693:1185): avc: granted { setexec } for
pid=3956 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168099883.693:1185): arch=40000003 syscall=4
success=yes exit=40 a0=6 a1=9791e10 a2=28 a3=794771 items=0 ppid=3948 pid=3956
auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd"
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168099883.833:1186): avc: granted { setexec } for
pid=3957 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168099883.833:1186): arch=40000003 syscall=4
success=yes exit=40 a0=4 a1=978bc70 a2=28 a3=794771 items=0 ppid=3956 pid=3957
auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd"
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168099883.873:1187): avc: denied { read write } for
pid=3957 comm="passwd" name="[21731]" dev=sockfs ino=21731
scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1168099883.873:1187): avc: denied { read write } for
pid=3957 comm="passwd" name="[21731]" dev=sockfs ino=21731
scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1168099883.873:1187): avc: denied { read write } for
pid=3957 comm="passwd" name="[21733]" dev=sockfs ino=21733
scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1168099883.873:1187): arch=40000003 syscall=11
success=yes exit=0 a0=99ab220 a1=99ab4b0 a2=99ab3d0 a3=99ab0e8 items=0
ppid=3956 pid=3957 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500
sgid=500 fsgid=500 tty=(none) comm="passwd" exe="/usr/bin/passwd"
subj=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1168099883.873:1187): path="socket:[21733]"
type=AVC_PATH msg=audit(1168099883.873:1187): path="socket:[21731]"
type=AVC_PATH msg=audit(1168099883.873:1187): path="socket:[21731]"
type=USER_CHAUTHTOK msg=audit(1168099891.409:1188): user pid=3957 uid=500
auid=500 subj=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 msg='PAM: chauthtok
acct=ealuser : exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=?
res=failed)'
type=USER_CHAUTHTOK msg=audit(1168099891.413:1189): user pid=3957 uid=500
auid=500 subj=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 msg='op=change password
id=500 exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=? res=failed)'
type=AVC msg=audit(1168099891.429:1190): avc: denied { sigchld } for
pid=3956 comm="sshd" scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168099891.429:1190): arch=40000003 syscall=7
success=no exit=-10 a0=ffffffff a1=bfdbaab8 a2=1 a3=bfdbaab8 items=0
ppid=3948 pid=3956 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd"
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
================================================================
audit2allow tells me that:
[EMAIL PROTECTED] databases]# tail -100 /var/log/audit/audit.log | audit2allow
allow passwd_t sshd_t:process sigchld;
allow passwd_t sshd_t:unix_stream_socket { read write };
Bug? 'Feature'?
--
Klaus K
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
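As an added illustration (not part of the original post or of audit2allow), the following Python script parses AVC records of the form shown above and merges the "denied" ones into the same allow-rule shape that audit2allow printed for Klaus. The sample log is a constructed subset of the post's own AVC lines, joined onto single lines; all function names are hypothetical. It skips "granted" records and merges permissions per (source type, target type, class), which the post's two-line audit2allow output does not show happening.

```python
import re

# Constructed sample: four AVC records copied from the post (wrapped lines
# re-joined), including one 'granted' record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1168099883.873:1187): avc: denied { read write } for pid=3957 comm="passwd" name="[21731]" dev=sockfs ino=21731 scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1168099883.873:1187): avc: denied { read write } for pid=3957 comm="passwd" name="[21733]" dev=sockfs ino=21733 scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1168099883.833:1186): avc: granted { setexec } for pid=3957 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1168099891.429:1190): avc: denied { sigchld } for pid=3956 comm="sshd" scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
"""

# Matches the verdict, the permission set in braces, and the three fields
# audit2allow needs: scontext, tcontext and tclass.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field (user:role:TYPE:range) of a SELinux context."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each 'denied' AVC."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue  # non-AVC lines and 'granted' records carry no denial
        yield (type_of(m.group("scon")), type_of(m.group("tcon")),
               m.group("tclass"), set(m.group("perms").split()))


def allow_rules(log_text):
    """Merge denials per (source, target, class) into audit2allow-style rules."""
    merged = {}  # insertion-ordered: first-seen key prints first
    for src, tgt, tclass, perms in parse_denials(log_text):
        merged.setdefault((src, tgt, tclass), set()).update(perms)
    rules = []
    for (src, tgt, tclass), perms in merged.items():
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

The output only records what the policy refused; whether passwd_t should be granted access to sshd_t's socket is a policy decision, which is exactly the "bug or feature" question the post raises.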