Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1813388 - SELinux is preventing SSHD from authenticating user using pub key
Summary: SELinux is preventing SSHD from authenticating user using pub key
Keywords:
Status: CLOSED DUPLICATE of bug 1813023
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-03-13 16:43 UTC by Tristan Cacqueray
Modified: 2020-03-13 16:55 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-13 16:55:01 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Tristan Cacqueray 2020-03-13 16:43:36 UTC 
Description of problem: When trying to ssh it fails with:
ssh -i /var/lib/zuul/.ssh/id_rsa zuul-worker@host
packet_write_wait: Connection to host port 22: Broken pipe

Version-Release number of selected component (if applicable):
This is happening with a rawhide cloud image that is updated periodically.

How reproducible:
Using Fedora-Cloud-Base-Rawhide-20200313.n.0.x86_64.qcow2


Steps to Reproduce:
1. Create an user
2. Add public key
3. Try to ssh

Actual results:
ssh fail with 'Broken pipe'

Expected results:
ssh works

Additional info:
In audit.log there is:
```
type=CRYPTO_KEY_USER msg=audit(1584116606.362:316): pid=860 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=negotiate kind=auth-key fp=SHA256:e6:68:59:06:36:dc:c6:2b:64:90:e5:10:5c:88:d2:0f:7a:83:ef:d6:93:8c:d7:a5:ee:63:36:76:41:c0:dd:b1 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'UID="root" AUID="unset"
type=USER_ACCT msg=audit(1584116606.384:317): pid=860 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix acct="zuul-worker" exe="/usr/sbin/sshd" hostname=127.0.0.1 addr=127.0.0.1 terminal=ssh res=success'UID="root" AUID="unset"
type=CRYPTO_KEY_USER msg=audit(1584116606.392:318): pid=860 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=861 suid=74 rport=59236 laddr=127.0.0.1 lport=22  exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'UID="root" AUID="unset" SUID="sshd"
type=CRED_ACQ msg=audit(1584116606.399:319): pid=860 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="zuul-worker" exe="/usr/sbin/sshd" hostname=127.0.0.1 addr=127.0.0.1 terminal=ssh res=success'UID="root" AUID="unset"
type=LOGIN msg=audit(1584116606.403:320): pid=860 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=8 res=1UID="root" OLD-AUID="unset" AUID="zuul-worker"
type=AVC msg=audit(1584116606.405:321): avc:  denied  { create } for  pid=860 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=0
type=ANOM_ABEND msg=audit(1584116606.406:322): auid=1000 uid=0 gid=0 ses=8 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 pid=860 comm="sshd" exe="/usr/sbin/sshd" sig=6 res=1AUID="zuul-worker" UID="root" GID="root"
```
Comment 1 Petr Lautrbach 2020-03-13 16:55:01 UTC 
Please update selinux-policy to selinux-policy-3.14.6-8.fc33 - https://koji.fedoraproject.org/koji/buildinfo?buildID=1477233

*** This bug has been marked as a duplicate of bug 1813023 ***
Note You need to log in before you can comment on or make changes to this bug.