
Mailing List Archive: OpenSSH: Dev

problem using sshd inside a LXC container

 

 



hans at atbas

Oct 24, 2011, 4:38 AM

Post #1 of 2

Currently I have a RH6.1 host with selinux enabled
On this I am running a LXC container with ubuntu (without selinux) with
OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009


When I try to do an ssh connection to the lxc container I get:
...
debug1: Next authentication method: password
root [at] 192's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions [at] openssh
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: channel 0: free: client-session, nchannels 1
Connection to 192.168.2.11 closed by remote host.
Connection to 192.168.2.11 closed.
Transferred: sent 1728, received 1784 bytes, in 0.1 seconds
Bytes per second: sent 16426.3, received 16958.6
debug1: Exit status -1


Inside the container I can see an error in the auth.log:

Oct 24 11:14:11 art01 sshd[1703]: pam_unix(sshd:session): session
opened for user root by (uid=0)
Oct 24 11:14:11 art01 sshd[1703]: fatal: ssh_selinux_getctxbyname:
ssh_selinux_getctxbyname: security_getenforce() failed
Oct 24 11:14:11 art01 sshd[1703]: pam_unix(sshd:session): session
closed for user root


Now I assume I have a problem because inside the container selinux is
disabled...
If so, is there a way to tell the sshd inside the container to ignore
the selinux check....

Hans
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


dtucker at zip

Oct 24, 2011, 8:28 PM

Post #2 of 2
Re: problem using sshd inside a LXC container

On 24/10/11 10:38 PM, Hans Harder wrote:
> Currently I have a RH6.1 host with selinux enabled
> On this I am running a LXC container with ubuntu (without selinux) with
> OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
[...]
> Now I assume I have a problem because inside the container selinux is
> disabled...
> If so, is there a way to tell the sshd inside the container to ignore
> the selinux check....

sshd has no knobs for this. The code in openbsd-compat/port-linux.c
looks roughly like this (assuming it's not been changed by debian or
ubuntu):

    r = get_default_context(sename, NULL, &sc);
    if (r != 0) {
        switch (security_getenforce()) {
        case -1:
            fatal("%s: ssh_selinux_getctxbyname: "
                "security_getenforce() failed", __func__);

so if you could get get_default_context() to return zero then it won't
fatal out, but I don't know enough selinux and/or lxc to know if that's
possible. Failing that, you'd probably have to hack sshd.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
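
A diagnostic for the failure discussed in this thread, as an added example that is not part of either post and is not OpenSSH or libselinux code. It reports what a process inside the container can see of SELinux; the function name `selinux_view` and its state names are hypothetical, and it assumes that security_getenforce() reads the `enforce` file under the selinuxfs mount point (/selinux or /sys/fs/selinux) and fails when that file is not reachable.

```shell
#!/bin/sh
# Added diagnostic (assumption-based, not project code).
# selinux_view [ROOT] prints one of:
#   enforcing | permissive | unknown  - an enforce file is readable
#   mismatch  - kernel lists selinuxfs but no enforce file is reachable;
#               this is the state in which security_getenforce() returns -1
#   absent    - kernel does not list selinuxfs at all
# ROOT defaults to "" (the live system); a test can pass a constructed tree.
selinux_view() {
    root=${1:-}
    listed=no
    # /proc/filesystems reflects the shared host kernel, so a container on an
    # SELinux-enabled host still shows selinuxfs here.
    if grep -q selinuxfs "$root/proc/filesystems" 2>/dev/null; then
        listed=yes
    fi
    # Look for the enforce file at the old and the new selinuxfs mount points.
    for mnt in "$root/selinux" "$root/sys/fs/selinux"; do
        if [ -r "$mnt/enforce" ]; then
            case $(cat "$mnt/enforce") in
                1) echo enforcing ;;
                0) echo permissive ;;
                *) echo unknown ;;
            esac
            return 0
        fi
    done
    if [ "$listed" = yes ]; then
        echo mismatch
    else
        echo absent
    fi
}
```

Source the file inside the container and run `selinux_view` with no argument; a result of `mismatch` matches the auth.log error quoted in the first post.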