On Thu, February 4, 2010 10:08, Marc Wiatrowski wrote:
Have you looked at using rssh as the user's shell? You can limit the user to a chroot sftp only. It's not stock, but ssh can then be.
I looked at rssh briefly yesterday when someone suggested it. Had I known of it before we started down this road then we might have used it instead. However, at the moment we seem to have a working solution and so we will stick with that for now.
I am not sure what effect disabling SELinux support in SSH actually has from a security standpoint. So, if anyone cares to enlighten me on the consequences I would like to know.
Regards,
James B. Byrne wrote:
<snip>
I am not sure what effect disabling SELinux support in SSH actually has from a security standpoint. So, if anyone cares to enlighten me on the consequences I would like to know.
I was under the impression that sshd runs unconfined in the current CentOS?
$ ps axZ | grep sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh 2766 ? Ss 0:00 /usr/sbin/sshd
For example, you don't need to change the ssh_port in SELinux when running the sshd on an alternative port, I assume because sshd is running unconfined.
Also, it makes little sense to me to run sshd in a confined domain as an ssh login will give the user a login (bash) shell, which also runs unconfined:
$ ps axZ | grep bash
user_u:system_r:unconfined_t 8504 pts/3 Ss 0:00 /bin/bash
user_u:system_r:unconfined_t 16789 pts/4 Ss 0:00 /bin/bash
Or maybe I totally misunderstand?
On Thu, February 4, 2010 12:00, Ned Slider wrote:
I was under the impression that sshd runs unconfined in the current CentOS?
$ ps axZ | grep sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh 2766 ? Ss 0:00 /usr/sbin/sshd
For example, you don't need to change the ssh_port in SELinux when running the sshd on an alternative port, I assume because sshd is running unconfined.
Also, it makes little sense to me to run sshd in a confined domain as an ssh login will give the user a login (bash) shell, which also runs unconfined:
$ ps axZ | grep bash
user_u:system_r:unconfined_t 8504 pts/3 Ss 0:00 /bin/bash
user_u:system_r:unconfined_t 16789 pts/4 Ss 0:00 /bin/bash
Or maybe I totally misunderstand?
Interesting. The OpenSSH-5.3p1 sshd that I built without selinux enabled runs in this domain:
# ps axZ | grep sshd
user_u:system_r:initrc_t 1981 ? Ss 0:00 /opt/sbin/sshd
Whereas the CentOS-5.4 OpenSSH sshd runs like this:
# ps axZ | grep ssh
system_u:system_r:unconfined_t:SystemLow-SystemHigh 2681 ? Ss 0:00 /usr/sbin/sshd
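
Added example, not part of the original thread or of any poster's message: a POSIX shell helper that does the domain comparison above mechanically, reading `ps axZ` output and reporting each sshd whose SELinux type differs from an expected one. The function name check_domain and the sample listing are constructed; the sample reuses the two sshd lines quoted in the thread and adds a header, a grep line and a line with a raw MLS level.

```shell
#!/bin/sh
# check_domain NAME EXPECTED_TYPE   (hypothetical helper, added example)
# Reads `ps axZ` output on stdin and prints "STATUS PID TYPE COMMAND" for
# every process whose executable basename is NAME.
# Returns 1 if any such process runs in a type other than EXPECTED_TYPE.
check_domain() {
    awk -v name="$1" -v want="$2" '
    {
        # $1 is the context user:role:type[:level]. The level may contain
        # colons of its own (s0-s0:c0.c1023), so take the type by position.
        if (split($1, ctx, ":") < 3) next   # header line or unlabeled process
        # Columns: LABEL PID TTY STAT TIME COMMAND...  Match on the basename
        # of the executable so "grep sshd" in the listing is not counted.
        n = split($6, path, "/")
        exe = path[n]
        sub(/:$/, "", exe)                  # session titles look like "sshd: user"
        if (exe != name) next
        status = (ctx[3] == want) ? "OK" : "DIFFERS"
        if (status == "DIFFERS") bad = 1
        print status, $2, ctx[3], $6
    }
    END { exit bad + 0 }'
}

# Constructed sample input (not captured from a live host).
SAMPLE='LABEL PID TTY STAT TIME COMMAND
system_u:system_r:unconfined_t:SystemLow-SystemHigh 2681 ? Ss 0:00 /usr/sbin/sshd
user_u:system_r:initrc_t 1981 ? Ss 0:00 /opt/sbin/sshd
user_u:system_r:unconfined_t 8504 pts/3 S+ 0:00 grep sshd
system_u:system_r:unconfined_t:s0-s0:c0.c1023 2766 ? Ss 0:00 /usr/sbin/sshd'

# Compare against the type the stock CentOS-5.4 sshd shows in the thread.
printf '%s\n' "$SAMPLE" | check_domain sshd unconfined_t || true
```

On a live host the same check is `ps axZ | check_domain sshd unconfined_t`, with the expected type chosen by the administrator.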