I am having a problem getting sshd to run after changing its default port. I edit sshd_config and set the desired port, open it with firewall-cmd and then issue a systemctl start sshd. No error gets reported on the console but the following is logged in /var/messages
sshd.service: main process exited, code=exited, status=255/n/a
Not a very helpful error message. Sounds like I should report a bug?
Thanks, Mike
On Wed, Jul 09, 2014 at 10:35:12AM -0400, Mike McCarthy, W1NR wrote:
I am having a problem getting sshd to run after changing its default port. I edit sshd_config and set the desired port, open it with firewall-cmd and then issue a systemctl start sshd. No error gets reported on the console but the following is logged in /var/messages
sshd.service: main process exited, code=exited, status=255/n/a
Not a very helpful error message. Sounds like I should report a bug?
If you have SELinux enabled, it will block sshd from listening on a port other than what is described in the policy. You can add the additional port by running:
semanage port -a -t ssh_port_t -p tcp $PORTNUM
(replace $PORTNUM with the new port number you chose)
This was a "minimal" install for a virtual server and semanage is not available so the command doesn't work...
What package is semanage in?
Mike
On 07/09/2014 10:45 AM, Jonathan Billings wrote:
If you have SELinux enabled, it will block sshd from listening on a port other than what is described in the policy. You can add the additional port by running:
semanage port -a -t ssh_port_t -p tcp $PORTNUM
(replace $PORTNUM with the new port number you chose)
SELinux is not running. Any other ideas?
Mike
On 07/09/2014 10:50 AM, Mike McCarthy, W1NR wrote:
This was a "minimal" install for a virtual server and semanage is not available so the command doesn't work...
What package is semanage in?
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Jul 09, 2014, at 08:54 AM, "Mike McCarthy, W1NR" sysop@w1nr.net wrote:
SELinux is not running. Any other ideas?
Mike
I did a google search on "how to install semanage" and found this:
http://www.cyberciti.biz/faq/redhat-install-semanage-selinux-command-rpm/
-wes
On 07/09/2014 10:54 AM, Mike McCarthy, W1NR wrote:
SELinux is not running. Any other ideas?
Did you update your IPTable? I change my SSHD port all the time. One of the first things I do on setting up a server. I know this is just obfuscation, but it stops the robot noise. There are five steps:
1. edit /etc/ssh/sshd_config
2. edit IPtables
3. add ssh policy for new port
4. restart sshd
5. restart iptables
Not using IPTables. Using firewalld and yes, I opened the new port there as well.
Mike
On 07/09/2014 11:08 AM, Robert Moskowitz wrote:
Did you update your IPTable? I change my SSHD port all the time. One of the first things I do on setting up a server. I know this is just obfuscation, but it stops the robot noise. There are five steps:
1. edit /etc/ssh/sshd_config
2. edit IPtables
3. add ssh policy for new port
4. restart sshd
5. restart iptables
On Wed, Jul 09, 2014 at 10:54:29AM -0400, Mike McCarthy, W1NR wrote:
SELinux is not running. Any other ideas?
Checking the firewall is useful, but it sounds like you can't get the service to start in the first place.
It might be helpful if you gave us the full error output. Do you get more information by running:
systemctl status -l sshd.service
... after running the systemctl start?
Nothing more than what was in messages namely 'code=exited, status=255/n/a' which looks an awful lot like a printf of an uninitialized variable...
Mike
On 07/09/2014 11:21 AM, Jonathan Billings wrote:
Checking the firewall is useful, but it sounds like you can't get the service to start in the first place.
It might be helpful if you gave us the full error output. Do you get more information by running:
systemctl status -l sshd.service
... after running the systemctl start?
On 07/09/2014 09:54 AM, Mike McCarthy, W1NR wrote:
SELinux is not running. Any other ideas?
Are you sure? (It's enabled by default.)
What does 'getenforce' say?
Well, getenforce says enforcing but 'systemctl status selinux' says 'Active: inactive (dead)' ?
Mike
On 07/09/2014 11:45 AM, Ian Pilcher wrote:
Are you sure? (It's enabled by default.)
What does 'getenforce' say?
On Wed, Jul 09, 2014 at 11:57:21AM -0400, Mike McCarthy, W1NR wrote:
Well, getenforce says enforcing but 'systemctl status selinux' says 'Active: inactive (dead)' ?
Sounds like you have SELinux enabled. It's not a service. If you look at the line right above the Active line you pasted, you'd see a line that said: "Loaded: not-found (Reason: No such file or directory)"
It'll say that about anything that doesn't actually exist:
# systemctl status selinux
selinux.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

# systemctl status asasdklfjhaskdfhj
asasdklfjhaskdfhj.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)
I suggest installing the policycoreutils-python package and run the semanage command I mentioned earlier.
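An added example, not code from the thread, of the check Jonathan's advice implies: on a host where getenforce reports Enforcing, confirm before `systemctl start sshd` that the new port already carries the ssh_port_t label by parsing the output of `semanage port -l`, and print the exact semanage command when it does not. The semanage output embedded below is constructed for the example, and the function names port_has_label and check_ssh_port are assumptions; the parser also handles the "lo-hi" ranges and comma-separated lists that appear for other port types.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (not captured from a real host).
# After `semanage port -a -t ssh_port_t -p tcp 2222` the ssh_port_t line gains "2222,".
SAMPLE_SEMANAGE_PORTS='SELinux Port Type              Proto    Port Number

ssh_port_t                     tcp      2222, 22
unreserved_port_t              tcp      61001-65535, 1024-32767
unreserved_port_t              udp      61001-65535, 1024-32767
'

# port_has_label LABEL PROTO PORT  (reads semanage output on stdin)
# Exit status 0 when PORT is one of the single ports or inside one of the
# lo-hi ranges listed for LABEL/PROTO, 1 otherwise.
port_has_label() {
    awk -v label="$1" -v proto="$2" -v port="$3" '
        $1 == label && $2 == proto {
            # fields 3..NF hold the comma-separated port list, e.g. "2222," "22"
            for (i = 3; i <= NF; i++) {
                item = $i
                sub(/,$/, "", item)
                if (item == "") continue
                if (split(item, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
                else { lo = item + 0; hi = lo }
                if (port >= lo && port <= hi) found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# check_ssh_port PORT: the pre-start check an admin would run after editing
# sshd_config. With SELinux enforcing and no label, sshd exits with status 255
# (the message from the thread) instead of binding the port.
check_ssh_port() {
    if printf '%s' "$SAMPLE_SEMANAGE_PORTS" | port_has_label ssh_port_t tcp "$1"; then
        echo "ok: tcp/$1 is already labelled ssh_port_t"
    else
        echo "missing: run 'semanage port -a -t ssh_port_t -p tcp $1'"
    fi
}

# On a real host, replace the sample with:  semanage port -l | port_has_label ...
check_ssh_port 2222
check_ssh_port 2200
```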
After installing the correct utilities and setting the port with semanage, it now works. Thanks to all for this one. Looks like I got some real work to do moving from 6 to 7 and understanding the massive management changes that were made.
Mike
On 07/09/2014 12:04 PM, Jonathan Billings wrote:
I suggest installing the policycoreutils-python package and run the semanage command I mentioned earlier.
On 2014-07-09, Mike McCarthy, W1NR sysop@w1nr.net wrote:
After installing the correct utilities and setting the port with semanage, it now works. Thanks to all for this one. Looks like I got some real work to do moving from 6 to 7 and understanding the massive management changes that were made.
If I understand the problem (and its solution) correctly, this is not a 6-to-7 migration issue. The same SELinux fix would be required in CentOS 6.
On 09.Jul.2014, at 18:44, Liam O'Toole liam.p.otoole@gmail.com wrote:
If I understand the problem (and its solution) correctly, this is not a 6-to-7 migration issue. The same SELinux fix would be required in CentOS 6.
That was my thought too. Although the error message presented to Mike is not very helpful and maybe worth a bugzilla.
My COS6 server never required me to do that even though SELinux is enabled there (I didn't even know it was until today). Before I even posted the first help I tried the semanage command and found that it was not installed so I assumed wrongly that SELinux was not enabled.
Mike
On 07/09/2014 01:34 PM, Markus Falb wrote:
That was my thought too. Although the error message presented to Mike is not very helpful and maybe worth a bugzilla.
Mike McCarthy, W1NR wrote:
My COS6 server never required me to do that even though SELinux is enabled there (I didn't even know it was until today). Before I even posted the first help I tried the semanage command and found that it was not installed so I assumed wrongly that SELinux was not enabled.
<snip> Just remember, getenforce is the true answer.
mark, who really doesn't like selinux....*
* One of my annual goals: fix selinux permissions to SHUT IT UP, even when most servers are in permissive mode.....
On 07/09/2014 02:36 PM, m.roth@5-cent.us wrote:
<snip> Just remember, getenforce is the true answer.
mark, who really doesn't like selinux....*
* One of my annual goals: fix selinux permissions to SHUT IT UP, even when most servers are in permissive mode.....
Doesn't permissive mode mean don't enforce but tell me what you would not have liked?
Perhaps another mode is needed? Quiet mode? And then maybe to temporarily change it to permissive when you make a change?
Robert Moskowitz wrote:
Doesn't permissive mode mean don't enforce but tell me what you would not have liked?
No, what *it* didn't like. And it can get *very* noisy.
Perhaps another mode is needed? Quite mode? And then maybe to temporarily change it to permissive when you make a change?
I'd like a "tell me once a day, PERIOD." I've had it overload its queue, it was spitting mad about something.
mark
On 07/09/2014 02:11 PM, Mike McCarthy, W1NR wrote:
My COS6 server never required me to do that even though SELinux is enabled there (I didn't even know it was until today). Before I even posted the first help I tried the semanage command and found that it was not installed so I assumed wrongly that SELinux was not enabled.
I just checked the notes I made when setting up my DNS CentOS 6 server from scratch. The date that I built this server looks like Sept '11. One of the first steps after the install was to move sshd to my preferred port number and my notes include the semanage command.
Looking back in the Fedora list archive, I am seeing help on this for F12 and that was Jan '10.
On 07/09/2014 09:50 AM, Mike McCarthy, W1NR wrote:
This was a "minimal" install for a virtual server and semanage is not available so the command doesn't work...
What package is semanage in?
# yum provides '*/semanage'
It's in policycoreutils-python.
On 07/09/2014 10:50 AM, Mike McCarthy, W1NR wrote:
This was a "minimal" install for a virtual server and semanage is not available so the command doesn't work...
What package is semanage in?
Had to dig back in my notes:
policycoreutils-python
On 09/07/14 16:45, Robert Moskowitz wrote:
On 07/09/2014 10:50 AM, Mike McCarthy, W1NR wrote:
This was a "minimal" install for a virtual server and semanage is not available so the command doesn't work...
What package is semanage in?
Had to dig back in my notes:
policycoreutils-python
Yum will tell you:
yum provides */semanage
On 09/07/14 15:35, Mike McCarthy, W1NR wrote:
sshd.service: main process exited, code=exited, status=255/n/a
Hi Mike
Can you run sshd manually in debugging mode and paste the output please: $ /usr/sbin/sshd -d
It's worth looking at the output of strace that may help here: $ strace /usr/sbin/sshd
-V
/usr/sbin/sshd -d seems to work properly and accept connections at the new port. So does typing /usr/sbin/sshd, which daemonizes and runs manually. It now appears that it will not start as a service if I change the port, even after a reboot.
Mike
On 07/09/2014 11:32 AM, Vipul Agarwal wrote:
On 09/07/14 15:35, Mike McCarthy, W1NR wrote:
sshd.service: main process exited, code=exited, status=255/n/a
Hi Mike
Can you run sshd manually in debugging mode and paste the output please: $ /usr/sbin/sshd -d
It's worth looking at the output of strace that may help here: $ strace /usr/sbin/sshd
-V
On 07/09/2014 10:50 AM, Mike McCarthy, W1NR wrote:
/usr/sbin/sshd -d seems to work properly and accept connections at the new port. So does typing /usr/sbin/sshd, which daemonizes and runs manually. It now appears that it will not start as a service if I change the port, even after a reboot.
What does 'journalctl -u sshd.service' say?