PAM-Agent_v7.1 RSA Secure ID

Support for security such as Firewalls and securing linux
rhodesmi
Posts: 1
Joined: 2013/05/10 06:47:09

PAM-Agent_v7.1 RSA Secure ID

Post by rhodesmi » 2013/05/10 06:59:49

Hello

I was having issues installing the SecurID PAM 7.1 agent on CentOS, and as CentOS was not supported by RSA they refused to help, so we had to work it out for ourselves.

We installed the PAM agent okay and the acetest worked fine, but we could not log in via SSH.

This was the error in /var/log/messages:

May 9 10:57:43 kangaroo sshd[3443]: ACEAGENT: The message entry does not exist for Message ID: 1001

After some searching we found this in /var/log/audit/audit.log:

type=AVC msg=audit(1366894784.232:153): avc: denied { getattr } for pid=1749 comm="sshd" path="/var/ace/sdconf.rec" dev=dm-0 ino=524299 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

After reading up on SELinux we discovered that we needed to do this:

# setenforce 0
# chcon -Rv --type=sshd_t /var/ace/
# setenforce 1

Also, my /etc/ssh/sshd_config looks like this:

Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
UsePrivilegeSeparation no

Subsystem sftp /usr/libexec/openssh/sftp-server

Hopefully this will help someone someday!

Thanks

TrevorH
Forum Moderator
Posts: 28865
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

PAM-Agent_v7.1 RSA Secure ID

Post by TrevorH » 2013/05/10 09:14:07

Yes, your "fix" works, but it will only work until it breaks! Running chcon is not permanent. If the file system is relabeled at any point, which sometimes happens when a new SELinux policy is installed by a `yum update`, then the SELinux context will be reset. You need to use the `semanage fcontext` command to add a rule on how to correctly label the files and directories you're interested in.

Vendors tend to provide more support if you accidentally tell them you are running RHEL 6...

sasi85ram
Posts: 1
Joined: 2014/03/10 06:56:26

Re: PAM-Agent_v7.1 RSA Secure ID

Post by sasi85ram » 2014/03/10 07:02:33

Hi,
I have the same issue with RHEL 6.5. This solution works (changing var_t to sshd_t), but I would like to know what caused the issue; we have tried restorecon but the context hasn't changed, it's still var_t for sdconf.rec.

SELinux policy version: selinux-policy-3.7.19-231.el6.noarch.
Could anyone answer my question?

TrevorH
Forum Moderator
Posts: 28865
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PAM-Agent_v7.1 RSA Secure ID

Post by TrevorH » 2014/03/10 09:04:12

The problem is that the location of the file is not known as being one where SSH keys reside, so restorecon looks it up, sees it's in /var and assigns what it thinks is the correct context to the file. You would need to run something like


semanage fcontext -a -t sshd_t '/var/ace(/.*)?'
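As an added example that is not part of the thread: the AVC record from the first post, parsed into the persistent `semanage fcontext` fix TrevorH describes, plus the check that tells a chcon-only box apart from a properly labelled one. The helper names (avc_field, avc_perm, ctx_type, fcontext_plan, label_matches, apply_plan) and the sample record are mine; the target type sshd_t and the pattern '/var/ace(/.*)?' are the ones the thread uses. It assumes an EL6-style system where semanage comes from policycoreutils-python and matchpathcon from libselinux-utils; the parsing part is plain sh + sed and runs anywhere.

```shell
#!/bin/sh
# Added example (not the thread's code): turn an sshd AVC denial into the
# persistent file-context rule, and verify it against the policy, not the inode.

# Constructed sample record, shaped like the audit.log line quoted in the thread.
SAMPLE_AVC='type=AVC msg=audit(1366894784.232:153): avc: denied { getattr } for pid=1749 comm="sshd" path="/var/ace/sdconf.rec" dev=dm-0 ino=524299 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# avc_field KEY LINE -> value of " KEY=..." (quoted or bare) in one AVC record
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission named inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT -> the type component (user:role:TYPE:level) of a context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# fcontext_plan TYPE LINE -> a comment plus the two commands that make the label
# survive a relabel: a file-context rule for the directory holding the denied
# path, then restorecon to apply it now. TYPE is the file type to assign (the
# thread uses sshd_t); the '/dir(/.*)?' pattern is the one TrevorH gives.
fcontext_plan() {
    type=$1
    line=$2
    path=$(avc_field path "$line")
    dir=$(dirname "$path")
    domain=$(ctx_type "$(avc_field scontext "$line")")
    current=$(ctx_type "$(avc_field tcontext "$line")")
    printf '# %s denied %s on %s (labelled %s); relabel %s as %s\n' \
        "$domain" "$(avc_perm "$line")" "$path" "$current" "$dir" "$type"
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$type" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# label_matches TYPE PATH -> 0 if the policy maps PATH to TYPE, 1 if not,
# 2 if matchpathcon is unavailable. This asks the file_contexts database, so
# it only passes once the semanage rule exists; chcon alone never satisfies it.
label_matches() {
    command -v matchpathcon >/dev/null 2>&1 || return 2
    matchpathcon "$2" | grep -q ":$1:"
}

# apply_plan TYPE LINE: run the planned commands (as root; EL6 needs
# policycoreutils-python for semanage). Stops at the first failing command.
apply_plan() {
    command -v semanage >/dev/null 2>&1 || { echo 'semanage not found' >&2; return 1; }
    fcontext_plan "$1" "$2" | grep -v '^#' | while read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1
    done
}

case "${1:-plan}" in
    plan)  fcontext_plan "${2:-sshd_t}" "${3:-$SAMPLE_AVC}" ;;
    apply) apply_plan "${2:-sshd_t}" "${3:-$SAMPLE_AVC}" ;;
esac
```

`sh fix.sh plan` prints the commands; `sh fix.sh apply` as root executes them. The check worth keeping is label_matches: it queries the policy with matchpathcon rather than reading the inode with ls -Z, so a host that was "fixed" with chcon alone fails it, which is exactly the relabel-on-update problem TrevorH describes. If restorecon still reports var_t afterwards, confirm the rule was recorded for the exact path with `semanage fcontext -l | grep /var/ace`, and watch `ausearch -m avc -c sshd` for any further denials after a login attempt.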


Return to “CentOS 6 - Security Support”