[rsbac] sshd problems

Sven Seeland sven.seeland at gmx.de
Tue Apr 3 19:07:32 CEST 2007


Hello everybody.

For some time now I've been trying to get sshd to work with rsbac. It works fine in
softmode, so sshd itself is not the problem.

I have configured /etc/sbin/sshd in the following way:
RC Force Role: mixed inherit proc/user
RC Initial Role: 0 (General User)
AUTH May Setuid: 3 (Last authenticated user and all groups)
as well as AUTH capabilities to change to user 22 and group 22 (which are the
native user and group for ssh).

When I try to log in with softmode enabled, sshd first tries to assume user and
group 22, which it is granted since I allowed it. It then tries to CHANGE_OWNER,
CHANGE_DAC_EFF_OWNER and CHANGE_DAC_FS_OWNER to 0 (root) once and then tries to
CHANGE_DAC_EFF_OWNER and CHANGE_DAC_FS_OWNER to 400 (secoff) twice. None of this
is granted but since we're in softmode, the program is not bothered by it. After
that, the user can enter his password and username and is logged in.

If I disable softmode, sshd fails after RSBAC disallows the chown to root. The
user doesn't get to enter username or password and is instead confronted with
the message "Connection closed by 192.168.11.2" as the only output.

Strange thing: if I allow setuid to any user, I can enter my username and
password, but sshd can't authenticate them (I'm using UM) because, for some
strange reason, it's still rc_role 0 (General User) even though it's uid 0 (root),
which has rc_def_role 2 (System Admin), which is in turn allowed to authenticate
any user. Therefore all I get is "pam_rsbac.so: User not authenticated" and
another prompt to enter my password.

Anyway, I hope that this is a rather complete description of the problem. This
is starting to drive me mad. I love the concept behind RSBAC, but I have to say
that it is really a pain to set up.

Greetings,
Sven
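The post above shows the usual RSBAC workflow: run the service in softmode, read which requests would have been denied, and grant only those. As an added example (not from the original post or from the RSBAC project), the script below summarises constructed softmode log lines of the `rsbac_adf_request()` kind into the (program, request, from-uid, to-uid, module) tuples a policy must cover, and lists the setuid targets missing from an AUTH capability set; the log line layout, the path `/usr/sbin/sshd` and the pid are assumptions.

```python
import re
from collections import Counter

# Constructed sample of softmode kernel messages. The field layout is an
# assumption modelled on rsbac_adf_request() output, not captured from a system.
SOFTMODE_LOG = """\
rsbac_adf_request(): request CHANGE_OWNER, pid 812, prog_file /usr/sbin/sshd, uid 0, attr owner, value 22, result GRANTED by AUTH (Softmode)
rsbac_adf_request(): request CHANGE_OWNER, pid 812, prog_file /usr/sbin/sshd, uid 22, attr owner, value 0, result NOT_GRANTED by AUTH (Softmode)
rsbac_adf_request(): request CHANGE_DAC_EFF_OWNER, pid 812, prog_file /usr/sbin/sshd, uid 22, attr owner, value 0, result NOT_GRANTED by AUTH (Softmode)
rsbac_adf_request(): request CHANGE_DAC_FS_OWNER, pid 812, prog_file /usr/sbin/sshd, uid 22, attr owner, value 0, result NOT_GRANTED by AUTH (Softmode)
rsbac_adf_request(): request CHANGE_DAC_EFF_OWNER, pid 812, prog_file /usr/sbin/sshd, uid 22, attr owner, value 400, result NOT_GRANTED by AUTH (Softmode)
rsbac_adf_request(): request CHANGE_DAC_FS_OWNER, pid 812, prog_file /usr/sbin/sshd, uid 22, attr owner, value 400, result NOT_GRANTED by AUTH (Softmode)
"""

# One regex for the assumed layout; unmatched lines are ignored on purpose.
LINE_RE = re.compile(
    r"request (?P<req>\w+), .*?prog_file (?P<prog>\S+), uid (?P<uid>\d+), "
    r".*?value (?P<value>\d+), result (?P<result>\w+) by (?P<module>\w+)"
)


def denied_requests(log):
    """Count NOT_GRANTED requests keyed by (prog, request, from_uid, to_uid, module)."""
    counts = Counter()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m or m["result"] != "NOT_GRANTED":
            continue
        key = (m["prog"], m["req"], int(m["uid"]), int(m["value"]), m["module"])
        counts[key] += 1
    return counts


def missing_setuid_targets(log, allowed_uids):
    """Target uids that AUTH denied but that are not in the program's capability set."""
    targets = set()
    for (_, req, _, to_uid, module), _ in denied_requests(log).items():
        if module == "AUTH" and req.startswith("CHANGE_") and req.endswith("_OWNER"):
            if to_uid not in allowed_uids:
                targets.add(to_uid)
    return sorted(targets)


if __name__ == "__main__":
    for key, n in sorted(denied_requests(SOFTMODE_LOG).items()):
        print(n, key)
    # The post's configuration only allows uid 22, so 0 and 400 are still missing.
    print("missing AUTH targets:", missing_setuid_targets(SOFTMODE_LOG, {22}))
```

Each tuple maps directly to one policy decision (an AUTH cap entry or an RC role right), which keeps the grant list as narrow as the observed behaviour instead of allowing setuid to any user.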
