Doc: Use debug_file with sshd and SELinux #196

Merged: 3 commits, Jul 1, 2019
2 changes: 1 addition & 1 deletion Makefile.am
@@ -66,7 +66,7 @@ dist_man8_MANS = pam_yubico.8
DISTCLEANFILES = $(dist_man1_MANS) $(dist_man8_MANS)

MANSOURCES = pam_yubico.8.txt ykpamcfg.1.txt
EXTRA_DIST = doc/Authentication_Using_Challenge-Response.adoc doc/MacOS_X_Challenge-Response.adoc doc/Two_Factor_PAM_Configuration.adoc doc/Ubuntu_FreeRadius_YubiKey.adoc doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc doc/YubiKey_and_FreeRADIUS_via_PAM.adoc doc/YubiKey_and_OpenVPN_via_PAM.adoc doc/YubiKey_and_Radius_via_PAM.adoc doc/YubiKey_and_SELinux_on_Fedora_18_and_up.adoc doc/YubiKey_and_SSH_via_PAM.adoc
EXTRA_DIST = doc/Authentication_Using_Challenge-Response.adoc doc/MacOS_X_Challenge-Response.adoc doc/Two_Factor_PAM_Configuration.adoc doc/Ubuntu_FreeRadius_YubiKey.adoc doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc doc/YubiKey_and_FreeRADIUS_via_PAM.adoc doc/YubiKey_and_OpenVPN_via_PAM.adoc doc/YubiKey_and_Radius_via_PAM.adoc doc/YubiKey_and_SELinux.adoc doc/YubiKey_and_SSH_via_PAM.adoc
EXTRA_DIST += $(MANSOURCES)
EXTRA_DIST += tests/aux/ykval.pl tests/aux/ldap.pl tests/aux/authfile

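Review bot: Replacing doc/YubiKey_and_SELinux_on_Fedora_18_and_up.adoc with doc/YubiKey_and_SELinux.adoc in EXTRA_DIST only works if the file itself is renamed in the same change; it is worth confirming the commit records a git rename rather than a delete plus add, both so history follows the file and because `make dist` fails when an EXTRA_DIST entry names a file that does not exist. Dropping "Fedora 18 and up" from the name is reasonable now that the document gains a second section that is not tied to a particular release.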
@@ -1,3 +1,5 @@
== Enable HTTP connection for sshd

Starting with Fedora 17, SELinux prevents sshd to initiate connections to remote HTTP ports (80 and 443). In SELinux terms: sshd_t is not allowed to name_connect to http_port_t. This broke YubiKey authentication on a system with SELinux in enforcing mode, unless a custom SELinux policy was written and enabled.

Based on a https://bugzilla.redhat.com/show_bug.cgi?id=841693[bugreport] in Red Hat Bugzilla, a boolean was added to the SELinux policy for Fedora 18 and up, that can be toggled to allow sshd (and some other SELinux types) to connect to remote HTTP ports.
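Review bot: The new heading `== Enable HTTP connection for sshd` is narrower than the section it introduces: the paragraph directly under it talks about remote HTTP ports 80 and 443, and `http_port_t` covers both, so `== Enable HTTP/HTTPS connections for sshd` would describe the body more accurately. Since the heading is being added above an existing paragraph, the same edit could fix that paragraph's `prevents sshd to initiate connections` to `prevents sshd from initiating connections`.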
@@ -9,3 +11,13 @@ To make a long story short, if you want to use a YubiKey on a system running Fed
If you are using your own server via `urllist`/`url` in the pam conf file and using a non-standard http port, you will need to add that port to the `http_port_t` port list. For example, port `12345`:

semanage port -a -t http_port_t -p tcp 12345

== Enable debug_file support for sshd

By default, SELinux prevents sshd from opening local files other than SSH configuration files. If you would like to debug this module using `debug` and `debug_file` parameters, you may need to temporarily relax your SELinux confinement:

setenforce permissive

Don't forget to re-enable SELinux once you're done:

setenforce enforcing
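Review bot: `setenforce permissive` switches off SELinux enforcement for every domain on the host, not just for sshd, which is a far larger relaxation than the section's stated goal of letting sshd write one debug file; the text should say plainly that this is a host-wide change suited to a test machine, and point at the narrower route: leave the system enforcing, run with `debug_file` set, read the resulting AVC denial from the audit log (`ausearch -m avc -ts recent`), and build a local policy module with `audit2allow` that grants `sshd_t` write access to that one file. Two smaller points: `setenforce` is not persistent, so the "re-enable" step also happens on its own at the next reboot (worth stating, since a reader may otherwise assume the relaxation stuck), and "you may need to" should say how to tell, for example that the debug file stays empty and an AVC denial for `sshd_t` appears in /var/log/audit/audit.log.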