Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSH secure configuration example fails on CentOS due to SELinux policy #271

Closed
geerlingguy opened this issue May 20, 2020 · 1 comment
Closed

Comments

@geerlingguy
Copy link
Owner

geerlingguy commented May 20, 2020

The current example:

    - name: Update SSH configuration to be more secure.
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
      with_items:
        - regexp: "^PasswordAuthentication"
          line: "PasswordAuthentication no"
        - regexp: "^PermitRootLogin"
          line: "PermitRootLogin no"
        - regexp: "^Port"
          line: "Port 2849"
      notify: restart ssh

Fails and you get the following in your logs on CentOS servers when sshd is restarted by the handler:

May 20 02:34:00 ip-172-31-91-174 polkitd[517]: Registered Authentication Agent for unix-process:1588:20133 (system bus name :1.29 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 20 02:34:00 ip-172-31-91-174 sshd[1594]: error: Bind to port 2849 on 0.0.0.0 failed: Permission denied.
May 20 02:34:00 ip-172-31-91-174 sshd[1594]: error: Bind to port 2849 on :: failed: Permission denied.
May 20 02:34:00 ip-172-31-91-174 sshd[1594]: fatal: Cannot bind any address.
May 20 02:34:00 ip-172-31-91-174 polkitd[517]: Unregistered Authentication Agent for unix-process:1588:20133 (system bus name :1.29, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

You have to grant the privilege via SELinux: semanage port -a -t ssh_port_t -p tcp 4444

So on Red Hat / CentOS, the following task should be added prior to the lineinfile task:

    - name: Allow sshd to listen on tcp port 2849.
      seport:
        ports: 2849
        proto: tcp
        setype: ssh_port_t
        state: present
@geerlingguy
Copy link
Owner Author

geerlingguy commented Jul 21, 2020

Fixed in the manuscript; this will be in the book's next version. I added a note after the example in the text for those using Red Hat / CentOS.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant