[rsbac] sshd problems

MrSandman666 at gmx.de
Tue Apr 3 19:05:46 CEST 2007


Hello everybody.

For some time now I have been trying to get sshd to work with RSBAC. It works 
fine in softmode, so sshd itself is not the problem.

I have configured /etc/sbin/sshd in the following way:
RC Force Role: mixed inherit proc/user
RC Initial Role: 0 (General User)
AUTH May Setuid: 3 (Last authenticated user and all groups)
as well as AUTH capabilities to change to user 22 and group 22 (which are the 
native user and group for ssh).

When I try to log in with softmode enabled, sshd first tries to assume user and 
group 22, which it is granted since I allowed it. It then tries to CHANGE_OWNER, 
CHANGE_DAC_EFF_OWNER and CHANGE_DAC_FS_OWNER to 0 (root) once and then tries to 
CHANGE_DAC_EFF_OWNER and CHANGE_DAC_FS_OWNER to 400 (secoff) twice. None of this 
is granted but since we're in softmode, the program is not bothered by it. After 
that, the user can enter his password and username and is logged in.

If I disable softmode, sshd fails after RSBAC disallows the chown to root. The 
user doesn't get to enter username or password and is instead confronted with 
the message "Connection closed by 192.168.11.2" as the only output.

Strange thing: if I allow setuid to any user, I can enter my username and 
password, but sshd can't authenticate them (I'm using UM) because, for some 
strange reason, it is still rc_role 0 (General User) even though it is uid 0 
(root), which has rc_def_role 2 (System Admin), which in turn is allowed to 
authenticate any user. Therefore all I get is "pam_rsbac.so: User not 
authenticated" and another prompt to enter my password.

Anyway, I hope that this is a rather complete description of the problem. This 
is starting to drive me mad. I love the concept behind RSBAC, but I have to say 
that it is really a pain to set up.

Greetings,
Sven