[redhat-lspp] passwd issues through ssh

Klaus Heinrich Kiwi klausk at br.ibm.com
Thu Jan 4 12:55:39 UTC 2007


When I try to use 'passwd' through ssh (non-interactive, shell-less
session), the command appears to hang until a Ctrl+C is pressed:

ssh user@localhost 'passwd'
Password: <login password correctly inserted>
Killed by signal 2. <after Ctrl+C>
[root@rhel5lspp ~]# echo $?
255

The strange thing: if I try the same thing from a different box (not
RHEL5-based, actually a Debian machine) I get the following (note: the
passwords ARE ACTUALLY ECHOED as shown):

-----------cut-here--------------
klausk@klausk:~$ ssh ealuser@zaphod passwd
Password: 
(current) UNIX password: 1234!@#$qwer
Enter new password: 1234!@#$qwer
Weak password: is the same as the old one.
Enter new password: 1234!@#$qwer
Weak password: is the same as the old one.
Enter new password: 1234!@#$qwer
Weak password: is the same as the old one.
passwd: Authentication token manipulation error
Changing password for user ealuser.
Changing password for ealuser

You can now choose the new password or passphrase.

A valid password should be a mix of upper and lower case letters,
digits, and other characters.  You can use a 12 character long
password with characters from at least 3 of these 4 classes, or
an 8 character long password containing characters from all the
classes.  An upper case letter that begins the password and a
digit that ends it do not count towards the number of character
classes used.

A passphrase should be of at least 3 words, 16 to 40 characters
long and contain enough different characters.

Alternatively, if noone else can see your terminal now, you can
pick this as your password: "reject!beer&tomb".

Try again.

You can now choose the new password or passphrase.

A valid password should be a mix of upper and lower case letters,
digits, and other characters.  You can use a 12 character long
password with characters from at least 3 of these 4 classes, or
an 8 character long password containing characters from all the
classes.  An upper case letter that begins the password and a
digit that ends it do not count towards the number of character
classes used.

A passphrase should be of at least 3 words, 16 to 40 characters
long and contain enough different characters.

Alternatively, if noone else can see your terminal now, you can
pick this as your password: "reject;coil:foam".

Try again.

You can now choose the new password or passphrase.

A valid password should be a mix of upper and lower case letters,
digits, and other characters.  You can use a 12 character long
password with characters from at least 3 of these 4 classes, or
an 8 character long password containing characters from all the
classes.  An upper case letter that begins the password and a
digit that ends it do not count towards the number of character
classes used.

A passphrase should be of at least 3 words, 16 to 40 characters
long and contain enough different characters.

Alternatively, if noone else can see your terminal now, you can
pick this as your password: "aerial;mend;rise".

klausk@klausk:~$ echo $?
1
klausk@klausk:~$
---------------------cut-here---------------------------

===========AVCs (prior case)========================
type=USER_AUTH msg=audit(1168099882.949:1175): user pid=3950 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: authentication acct=ealuser : exe="/usr/sbin/sshd" (hostname=rhel5lspp.example.com, addr=127.0.0.1, terminal=ssh res=success)'
type=USER_ACCT msg=audit(1168099883.029:1176): user pid=3950 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: accounting acct=ealuser : exe="/usr/sbin/sshd" (hostname=rhel5lspp.example.com, addr=127.0.0.1, terminal=ssh res=success)'
type=CRED_ACQ msg=audit(1168099883.089:1177): user pid=3948 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: setcred acct=ealuser : exe="/usr/sbin/sshd" (hostname=rhel5lspp.example.com, addr=127.0.0.1, terminal=ssh res=success)'
type=LOGIN msg=audit(1168099883.105:1178): login pid=3948 uid=0 old auid=4294967295 new auid=500
type=AVC msg=audit(1168099883.173:1179): avc:  granted  { setexec } for  pid=3948 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168099883.173:1179): arch=40000003 syscall=4 success=yes exit=40 a0=5 a1=9791e98 a2=28 a3=794771 items=0 ppid=1281 pid=3948 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168099883.313:1180): avc:  granted  { setexec } for  pid=3953 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168099883.313:1180): arch=40000003 syscall=4 success=yes exit=0 a0=5 a1=0 a2=0 a3=794771 items=0 ppid=3948 pid=3953 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168099883.421:1181): avc:  granted  { setexec } for  pid=3954 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168099883.421:1181): arch=40000003 syscall=4 success=yes exit=0 a0=5 a1=0 a2=0 a3=794771 items=0 ppid=3948 pid=3954 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168099883.533:1182): avc:  granted  { setexec } for  pid=3955 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168099883.533:1182): arch=40000003 syscall=4 success=yes exit=0 a0=5 a1=0 a2=0 a3=794771 items=0 ppid=3948 pid=3955 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=USER_START msg=audit(1168099883.597:1183): user pid=3948 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: session open acct=ealuser : exe="/usr/sbin/sshd" (hostname=rhel5lspp.example.com, addr=127.0.0.1, terminal=ssh res=success)'
type=CRED_REFR msg=audit(1168099883.625:1184): user pid=3956 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: setcred acct=ealuser : exe="/usr/sbin/sshd" (hostname=rhel5lspp.example.com, addr=127.0.0.1, terminal=ssh res=success)'
type=AVC msg=audit(1168099883.693:1185): avc:  granted  { setexec } for  pid=3956 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168099883.693:1185): arch=40000003 syscall=4 success=yes exit=40 a0=6 a1=9791e10 a2=28 a3=794771 items=0 ppid=3948 pid=3956 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168099883.833:1186): avc:  granted  { setexec } for  pid=3957 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168099883.833:1186): arch=40000003 syscall=4 success=yes exit=40 a0=4 a1=978bc70 a2=28 a3=794771 items=0 ppid=3956 pid=3957 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168099883.873:1187): avc:  denied  { read write } for  pid=3957 comm="passwd" name="[21731]" dev=sockfs ino=21731 scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1168099883.873:1187): avc:  denied  { read write } for  pid=3957 comm="passwd" name="[21731]" dev=sockfs ino=21731 scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1168099883.873:1187): avc:  denied  { read write } for  pid=3957 comm="passwd" name="[21733]" dev=sockfs ino=21733 scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1168099883.873:1187): arch=40000003 syscall=11 success=yes exit=0 a0=99ab220 a1=99ab4b0 a2=99ab3d0 a3=99ab0e8 items=0 ppid=3956 pid=3957 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="passwd" exe="/usr/bin/passwd" subj=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1168099883.873:1187):  path="socket:[21733]"
type=AVC_PATH msg=audit(1168099883.873:1187):  path="socket:[21731]"
type=AVC_PATH msg=audit(1168099883.873:1187):  path="socket:[21731]"
type=USER_CHAUTHTOK msg=audit(1168099891.409:1188): user pid=3957 uid=500 auid=500 subj=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 msg='PAM: chauthtok acct=ealuser : exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=? res=failed)'
type=USER_CHAUTHTOK msg=audit(1168099891.413:1189): user pid=3957 uid=500 auid=500 subj=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 msg='op=change password id=500 exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=? res=failed)'
type=AVC msg=audit(1168099891.429:1190): avc:  denied  { sigchld } for  pid=3956 comm="sshd" scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168099891.429:1190): arch=40000003 syscall=7 success=no exit=-10 a0=ffffffff a1=bfdbaab8 a2=1 a3=bfdbaab8 items=0 ppid=3948 pid=3956 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
================================================================


audit2allow tells me that:
[root@rhel5lspp databases]# tail -100 /var/log/audit/audit.log | audit2allow
allow passwd_t sshd_t:process sigchld;
allow passwd_t sshd_t:unix_stream_socket { read write };


Bug? 'Feature'?

-- 
 Klaus K
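An added example, not part of the post above and not the audit2allow tool itself: a small Python parser that walks the AVC and SYSCALL records quoted in the post, keeps only the "denied" AVCs (the "granted" setexec records are noise here), groups them by source type, target type and object class into the same rule syntax audit2allow printed, and then ties each denial serial back to its SYSCALL record to show whether the kernel call that triggered it still completed. The sample log text is copied from the post; the function names, the regular expressions and the assumption that records arrive one per line in the classic auditd format are mine.

```python
import re
from collections import defaultdict

# Sample audit records copied from the mailing-list post above: one "granted"
# AVC, the three "denied" AVCs, and the SYSCALL records that share their serials.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1168099883.173:1179): avc:  granted  { setexec } for  pid=3948 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1168099883.873:1187): avc:  denied  { read write } for  pid=3957 comm="passwd" name="[21731]" dev=sockfs ino=21731 scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1168099883.873:1187): avc:  denied  { read write } for  pid=3957 comm="passwd" name="[21733]" dev=sockfs ino=21733 scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1168099883.873:1187): arch=40000003 syscall=11 success=yes exit=0 a0=99ab220 a1=99ab4b0 a2=99ab3d0 a3=99ab0e8 items=0 ppid=3956 pid=3957 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="passwd" exe="/usr/bin/passwd" subj=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168099891.429:1190): avc:  denied  { sigchld } for  pid=3956 comm="sshd" scontext=staff_u:staff_r:passwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168099891.429:1190): arch=40000003 syscall=7 success=no exit=-10 a0=ffffffff a1=bfdbaab8 a2=1 a3=bfdbaab8 items=0 ppid=3948 pid=3956 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
"""

# Classic one-record-per-line auditd format (assumption: no multi-line wrapping).
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<verdict>denied|granted)\s+'
    r'\{ (?P<perms>[^}]+?) \} for\s+.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'^type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?\bsuccess=(?P<success>yes|no)\b.*?\bexe="(?P<exe>[^"]*)"'
)


def selinux_type(context):
    """Return the type component of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Yield one dict per 'denied' AVC record; 'granted' records are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if m and m.group("verdict") == "denied":
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()
            yield rec


def parse_syscalls(log_text):
    """Map audit serial -> (succeeded, exe) so a denial can be tied to its syscall."""
    out = {}
    for line in log_text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            out[m.group("serial")] = (m.group("success") == "yes", m.group("exe"))
    return out


def summarize_denials(log_text):
    """Group denials by (source type, target type, class) and collect the permissions."""
    grouped = defaultdict(set)
    for rec in parse_avc_denials(log_text):
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        grouped[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def as_allow_rules(summary):
    """Render the grouped denials in the rule syntax audit2allow prints."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


def denial_report(log_text):
    """Per denial serial: the executable involved and whether its syscall still succeeded."""
    syscalls = parse_syscalls(log_text)
    report = {}
    for rec in parse_avc_denials(log_text):
        succeeded, exe = syscalls.get(rec["serial"], (None, None))
        report[rec["serial"]] = {"exe": exe, "syscall_succeeded": succeeded, "tclass": rec["tclass"]}
    return report


if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
    for serial, info in sorted(denial_report(SAMPLE_AUDIT_LOG).items()):
        print(serial, info)
```

Run against the post's records, the rule output is the same two lines audit2allow produced. The report adds the detail the rules hide: serial 1187 is an execve (syscall 11) that succeeded even though passwd_t was denied read/write on two unix_stream_socket descriptors inherited from sshd_t, which is consistent with a no-pty session where passwd's stdio are sshd's socketpairs and the child cannot use them, while serial 1190 is a kill (syscall 7) from sshd that failed with exit=-10 because the sigchld permission was denied. Before turning such a summary into policy, the grouping by type alone should be kept in mind: it discards the MLS range and the user/role fields, so a rule derived from it is broader than the single event that produced it.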
