Fedora-Xfce-armhfp-21-20140815-sda.raw.xz problems with sshd

[Robert Moskowitz]

My cubieboard2 does not have an rtc, so at boot time the clock is at the 
epoche start.  Once the network is up, then NTP sets the clock.

So I tried connecting to SSH after the install and got:
Read from socket failed: Connection reset by peer

systemctl status sshd.service, said something about could not read keys, 
so I checked and found:

# ls /etc/ssh/ -ls
total 252
240 -rw-r--r--. 1 root root     242153 Jul 18 19:50 moduli
  4 -rw-r--r--. 1 root root       2121 Jul 18 19:50 ssh_config
  8 -rw-------. 1 root root       4400 Aug 15 14:45 sshd_config
  0 -rw-r-----. 1 root ssh_keys      0 Dec 31  1969 ssh_host_ecdsa_key
  0 -rw-r--r--. 1 root root          0 Dec 31  1969 ssh_host_ecdsa_key.pub
  0 -rw-r-----. 1 root ssh_keys      0 Dec 31  1969 ssh_host_ed25519_key
  0 -rw-r--r--. 1 root root          0 Dec 31  1969 
ssh_host_ed25519_key.pub
  0 -rw-r-----. 1 root ssh_keys      0 Dec 31  1969 ssh_host_rsa_key
  0 -rw-r--r--. 1 root root          0 Dec 31  1969 ssh_host_rsa_key.pub


I stopped sshd, deleted the key files, restarted sshd and now:

# ls /etc/ssh/ -ls
total 272
240 -rw-r--r--. 1 root root     242153 Jul 18 19:50 moduli
  8 -rw-------. 1 root root       4400 Aug 15 14:45 sshd_config
  4 -rw-r-----. 1 root ssh_keys    227 Aug 15 14:53 ssh_host_ecdsa_key
  4 -rw-r--r--. 1 root root        162 Aug 15 14:53 ssh_host_ecdsa_key.pub
  4 -rw-r-----. 1 root ssh_keys    387 Aug 15 14:53 ssh_host_ed25519_key
  4 -rw-r--r--. 1 root root         82 Aug 15 14:53 
ssh_host_ed25519_key.pub
  4 -rw-r-----. 1 root ssh_keys   1675 Aug 15 14:53 ssh_host_rsa_key
  4 -rw-r--r--. 1 root root        382 Aug 15 14:53 ssh_host_rsa_key.pub

And I can connect.

So this is a problem with ssh that it will not properly make the keys 
when the system date is that old.

related, I move the sshd port, and update SELinux policy with:

semanage port -a -t ssh_port_t -p tcp 1234

and got the following messages:

[ 1828.788735] SELinux:  Permission audit_read in class capability2 not 
defined in policy.
[ 1828.796870] SELinux: the above unknown classes and permissions will 
be allowed
[ 1829.450779] SELinux:  Context 
system_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
[ 1831.528160] SELinux:  Context 
system_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).
[ 1832.890157] SELinux:  Context 
unconfined_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
[ 1834.966398] SELinux:  Context 
unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid 
(unmapped).

But it seems to have worked.  That is SSH can be reached at the changed 
port.  And yes, I also did the firewall-cmd for the new port number.


--
test mailing list
test@lists.fedoraproject.org
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test