[redhat-lspp] passwd issues through ssh

Stephen Smalley sds at tycho.nsa.gov
Fri Jan 5 15:31:28 UTC 2007


On Thu, 2007-01-04 at 10:55 -0200, Klaus Heinrich Kiwi wrote:
> When I try to use 'passwd' through ssh (non-interactive, shell-less
> session), the command appears to hang until a Ctrl+C is pressed:
> 
> ssh user at localhost 'passwd'
> Password: <login password correctly inserted>
> Killed by signal 2. <after Ctrl+C>
> [root at rhel5lspp ~]# echo $?
> 255
> 
> The strange thing: if I try the same thing from a different box (not
> RHEL5-based, actually a Debian machine) I get the following (note: the
> passwords ARE ACTUALLY ECHOED as shown):
> 
> -----------cut-here--------------
> klausk at klausk:~$ ssh ealuser at zaphod passwd
> Password: 
> (current) UNIX password: 1234!@#$qwer
> Enter new password: 1234!@#$qwer
> Weak password: is the same as the old one.
> Enter new password: 1234!@#$qwer
> Weak password: is the same as the old one.
> Enter new password: 1234!@#$qwer
> Weak password: is the same as the old one.
> passwd: Authentication token manipulation error
> Changing password for user ealuser.
> Changing password for ealuser
> 
> You can now choose the new password or passphrase.
> 
> A valid password should be a mix of upper and lower case letters,
> digits, and other characters.  You can use a 12 character long
> password with characters from at least 3 of these 4 classes, or
> an 8 character long password containing characters from all the
> classes.  An upper case letter that begins the password and a
> digit that ends it do not count towards the number of character
> classes used.
> 
> A passphrase should be of at least 3 words, 16 to 40 characters
> long and contain enough different characters.
> 
> Alternatively, if noone else can see your terminal now, you can
> pick this as your password: "reject!beer&tomb".
> 
> Try again.
> 
> You can now choose the new password or passphrase.
> 
> A valid password should be a mix of upper and lower case letters,
> digits, and other characters.  You can use a 12 character long
> password with characters from at least 3 of these 4 classes, or
> an 8 character long password containing characters from all the
> classes.  An upper case letter that begins the password and a
> digit that ends it do not count towards the number of character
> classes used.
> 
> A passphrase should be of at least 3 words, 16 to 40 characters
> long and contain enough different characters.
> 
> Alternatively, if noone else can see your terminal now, you can
> pick this as your password: "reject;coil:foam".
> 
> Try again.
> 
> You can now choose the new password or passphrase.
> 
> A valid password should be a mix of upper and lower case letters,
> digits, and other characters.  You can use a 12 character long
> password with characters from at least 3 of these 4 classes, or
> an 8 character long password containing characters from all the
> classes.  An upper case letter that begins the password and a
> digit that ends it do not count towards the number of character
> classes used.
> 
> A passphrase should be of at least 3 words, 16 to 40 characters
> long and contain enough different characters.
> 
> Alternatively, if noone else can see your terminal now, you can
> pick this as your password: "aerial;mend;rise".
> 
> klausk at klausk:~$ echo $?
> 1
> klausk at klausk:~$ 
> ---------------------cut-here---------------------------
> 
> ===========AVCs (prior case)========================
> type=USER_AUTH msg=audit(1168099882.949:1175): user pid=3950 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: authentication acct=ealuser : exe="/usr/sbin/sshd" (hostname=rhel5lspp.example.com, addr=127.0.0.1, terminal=ssh res=success)'
> type=USER_ACCT msg=audit(1168099883.029:1176): user pid=3950 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: accounting acct=ealuser : exe="/usr/sbin/sshd" (hostname=rhel5lspp.example.com, addr=127.0.0.1, terminal=ssh res=success)'
> type=CRED_ACQ msg=audit(1168099883.089:1177): user pid=3948 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: setcred acct=ealuser : exe="/usr/sbin/sshd" (hostname=rhel5lspp.example.com, addr=127.0.0.1, terminal=ssh res=success)'
> type=LOGIN msg=audit(1168099883.105:1178): login pid=3948 uid=0 old auid=4294967295 new auid=500
> type=AVC msg=audit(1168099883.173:1179): avc:  granted  { setexec } for  pid=3948 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
> type=SYSCALL msg=audit(1168099883.173:1179): arch=40000003 syscall=4 success=yes exit=40 a0=5 a1=9791e98 a2=28 a3=794771 items=0 ppid=1281 pid=3948 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
> type=AVC msg=audit(1168099883.313:1180): avc:  granted  { setexec } for  pid=3953 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
> type=SYSCALL msg=audit(1168099883.313:1180): arch=40000003 syscall=4 success=yes exit=0 a0=5 a1=0 a2=0 a3=794771 items=0 ppid=3948 pid=3953 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
> type=AVC msg=audit(1168099883.421:1181): avc:  granted  { setexec } for  pid=3954 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
> type=SYSCALL msg=audit(1168099883.421:1181): arch=40000003 syscall=4 success=yes exit=0 a0=5 a1=0 a2=0 a3=794771 items=0 ppid=3948 pid=3954 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
> type=AVC msg=audit(1168099883.533:1182): avc:  granted  { setexec } for  pid=3955 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
> type=SYSCALL msg=audit(1168099883.533:1182): arch=40000003 syscall=4 success=yes exit=0 a0=5 a1=0 a2=0 a3=794771 items=0 ppid=3948 pid=3955 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
> type=USER_START msg=audit(1168099883.597:1183): user pid=3948 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: session open acct=ealuser : exe="/usr/sbin/sshd" (hostname=rhel5lspp.example.com, addr=127.0.0.1, terminal=ssh res=success)'
> type=CRED_REFR msg=audit(1168099883.625:1184): user pid=3956 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: setcred acct=ealuser : exe="/usr/sbin/sshd" (hostname=rhel5lspp.example.com, addr=127.0.0.1, terminal=ssh res=success)'
> type=AVC msg=audit(1168099883.693:1185): avc:  granted  { setexec } for  pid=3956 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
> type=SYSCALL msg=audit(1168099883.693:1185): arch=40000003 syscall=4 success=yes exit=40 a0=6 a1=9791e10 a2=28 a3=794771 items=0 ppid=3948 pid=3956 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
> type=AVC msg=audit(1168099883.833:1186): avc:  granted  { setexec } for  pid=3957 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
> type=SYSCALL msg=audit(1168099883.833:1186): arch=40000003 syscall=4 success=yes exit=40 a0=4 a1=978bc70 a2=28 a3=794771 items=0 ppid=3956 pid=3957 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
> type=AVC msg=audit(1168099883.873:1187): avc:  denied  { read write } for  pid=3957 comm="passwd" name="[21731]" dev=sockfs ino=21731 scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=unix_stream_socket
> type=AVC msg=audit(1168099883.873:1187): avc:  denied  { read write } for  pid=3957 comm="passwd" name="[21731]" dev=sockfs ino=21731 scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=unix_stream_socket
> type=AVC msg=audit(1168099883.873:1187): avc:  denied  { read write } for  pid=3957 comm="passwd" name="[21733]" dev=sockfs ino=21733 scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=unix_stream_socket
> type=SYSCALL msg=audit(1168099883.873:1187): arch=40000003 syscall=11 success=yes exit=0 a0=99ab220 a1=99ab4b0 a2=99ab3d0 a3=99ab0e8 items=0 ppid=3956 pid=3957 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="passwd" exe="/usr/bin/passwd" subj=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 key=(null)
> type=AVC_PATH msg=audit(1168099883.873:1187):  path="socket:[21733]"
> type=AVC_PATH msg=audit(1168099883.873:1187):  path="socket:[21731]"
> type=AVC_PATH msg=audit(1168099883.873:1187):  path="socket:[21731]"
> type=USER_CHAUTHTOK msg=audit(1168099891.409:1188): user pid=3957 uid=500 auid=500 subj=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 msg='PAM: chauthtok acct=ealuser : exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=? res=failed)'
> type=USER_CHAUTHTOK msg=audit(1168099891.413:1189): user pid=3957 uid=500 auid=500 subj=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 msg='op=change password id=500 exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=? res=failed)'
> type=AVC msg=audit(1168099891.429:1190): avc:  denied  { sigchld } for  pid=3956 comm="sshd" scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
> type=SYSCALL msg=audit(1168099891.429:1190): arch=40000003 syscall=7 success=no exit=-10 a0=ffffffff a1=bfdbaab8 a2=1 a3=bfdbaab8 items=0 ppid=3948 pid=3956 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
> ================================================================
> 
> 
> audit2allow tells me that:
> [root at rhel5lspp databases]# tail -100 /var/log/audit/audit.log | audit2allow 
> allow passwd_t sshd_t:process sigchld;
> allow passwd_t sshd_t:unix_stream_socket { read write };
> 
> 
> Bug? 'Feature'?

Seems like a bug in policy.

-- 
Stephen Smalley
National Security Agency
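The denials above are the whole story of the hang: sshd's setexec grants are followed by an execve of passwd (syscall 11 on arch=40000003, i386) that carries sshd's unix stream sockets into passwd_t, and later sshd's waitpid (syscall 7) fails while passwd_t is denied sigchld on sshd_t. Reading that out of a raw audit.log by eye is error-prone, so the following is an added example, not code from the thread, from Klaus, or from audit2allow: it parses AVC and SYSCALL records, joins them on the audit serial in msg=audit(time:serial) to show which call hit each denial, and collapses the denied permissions into the same allow rules audit2allow printed. The sample records are constructed, modelled on the ones quoted, and the small syscall-number table is an assumption limited to the three i386 calls that appear in the thread.

```python
"""Correlate SELinux AVC denials with the syscall that hit them and derive
audit2allow-style allow rules.  Added example; the records below are
constructed, modelled on the ones quoted in the thread."""
import re
from collections import defaultdict

# Constructed sample records (modelled on the thread): one setexec grant in
# sshd, the execve of passwd that inherits sshd's sockets, and sshd's waitpid.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1168099883.173:1179): avc:  granted  { setexec } for  pid=3948 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168099883.173:1179): arch=40000003 syscall=4 success=yes exit=40 a0=5 a1=9791e98 a2=28 a3=794771 items=0 ppid=1281 pid=3948 auid=500 uid=0 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168099883.873:1187): avc:  denied  { read write } for  pid=3957 comm="passwd" name="[21731]" dev=sockfs ino=21731 scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1168099883.873:1187): avc:  denied  { read write } for  pid=3957 comm="passwd" name="[21733]" dev=sockfs ino=21733 scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1168099883.873:1187): arch=40000003 syscall=11 success=yes exit=0 a0=99ab220 a1=99ab4b0 a2=99ab3d0 a3=99ab0e8 items=0 ppid=3956 pid=3957 auid=500 uid=500 euid=0 comm="passwd" exe="/usr/bin/passwd" subj=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168099891.429:1190): avc:  denied  { sigchld } for  pid=3956 comm="sshd" scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168099891.429:1190): arch=40000003 syscall=7 success=no exit=-10 a0=ffffffff a1=bfdbaab8 a2=1 a3=bfdbaab8 items=0 ppid=3948 pid=3956 auid=500 uid=500 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+(?P<verdict>denied|granted)'
    r'\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'^type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): arch=(?P<arch>[0-9a-f]+)'
    r' syscall=(?P<nr>\d+) success=(?P<success>yes|no) exit=(?P<exit>-?\d+)'
    r'.*?\bexe="(?P<exe>[^"]*)"'
)
# Assumed i386 syscall numbers (arch=40000003), only the calls seen in the thread.
I386_SYSCALLS = {4: "write", 7: "waitpid", 11: "execve"}


def parse_audit(text):
    """Split raw audit.log text into AVC records and SYSCALL records by serial."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()
            avcs.append(rec)
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m.group("serial")] = m.groupdict()
    return avcs, syscalls


def context_type(ctx):
    """user:role:type[:range] -> type, the field allow rules are written in."""
    return ctx.split(":")[2]


def denials_to_allow_rules(avcs):
    """Merge denied AVCs per (source type, target type, class), as audit2allow does."""
    perms_by_key = defaultdict(set)
    for r in avcs:
        if r["verdict"] != "denied":
            continue
        key = (context_type(r["scontext"]), context_type(r["tcontext"]), r["tclass"])
        perms_by_key[key].update(r["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


def explain_denials(avcs, syscalls):
    """Join each denied AVC to the SYSCALL record with the same serial, so the
    reader sees which call (and which binary) ran into the denial."""
    out = []
    for r in avcs:
        if r["verdict"] != "denied":
            continue
        sc = syscalls.get(r["serial"])
        if sc is None:
            call = "syscall=?"
        else:
            name = I386_SYSCALLS.get(int(sc["nr"]), "?") if sc["arch"] == "40000003" else "?"
            call = f'{name}({sc["nr"]}) exe={sc["exe"]} success={sc["success"]} exit={sc["exit"]}'
        out.append((r["serial"], r["comm"], r["tclass"], " ".join(r["perms"]), call))
    return out


if __name__ == "__main__":
    avcs, syscalls = parse_audit(SAMPLE_AUDIT_LOG)
    for serial, comm, tclass, perms, call in explain_denials(avcs, syscalls):
        print(f"serial {serial}: {comm} denied {{ {perms} }} on {tclass} during {call}")
    print("\n".join(denials_to_allow_rules(avcs)))
```

The rules this emits are the two audit2allow printed in the thread. Treat them as a description of what the policy currently blocks rather than a fix to load: whether passwd_t should be able to read and write sshd's sockets, or whether those descriptors should not reach passwd across the exec at all, is the policy question Stephen's reply leaves open.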
