SELinux AVC Denying "{ dyntransition }" for sshd - linux

I've tried looking around for the solution with no luck.
I have SELinux set to permissive right now on Centos 8, but if I set it to enforcing it completely disables my ability to ssh into the server. This is the journal entry:
setroubleshoot[2015]: setroubleshoot generated AVC, exiting to avoid recursion, context=system_u:system_r:kernel_t:s0, AVC scontext=system_u:system_r:kernel_t:s0
setroubleshoot[2015]: audit event
node=<REMOVED> type=AVC msg=audit(1633374382.599:119): avc: denied { dyntransition } for pid=2003 comm="sshd" scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
node=<REMOVED> type=SYSCALL msg=audit(1633374382.599:119): arch=c000003e syscall=1 success=yes exit=42 a0=c a1=5655238d6540 a2=2a a3=0 items=0 ppid=1985 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
/etc/sbin/sshd has the following permissions
-rwxr-xr-x. 1 root root system_u:object_r:sshd_exec_t:s0 877760 May 27 10:54 sshd
This is my sshd config
Port <REMOVED FOR PRIVACY>
AddressFamily inet
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server

Answering because I lack the rep to comment, le sigh.
The log messages you quote suggest that there is at least one missing SELinux rule on your system: When you try to login via ssh, a transition (dyntransition) from one SELinux type (kernel_t) to another (unconfined_t) is being denied.
There are a couple of commands you can run to investigate:
ausearch -m AVC -m USER_AVC | audit2allow
will look for denial messages and pipe them through a command that will suggest what rules are missing on your system.
sesearch -c process -p dyntransition -A
will tell you what dyntransition rules are already present on your system. You will need to run both of those as root and may need to disable SELinux first (setenforce 0).
What puzzles me is that I find it odd that these permissions would be missing on a stock CentOS box - that suggests either an upstream regression or SELinux policy changes made post-install. Have you or anyone else changed SELinux policy on that box?
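To see what the two commands in the answer work from, here is an added example (not part of the original answer or of setroubleshoot/audit2allow) that parses audit records like those quoted in the question, pairs each AVC with its SYSCALL record by audit serial, and prints the rule audit2allow would derive. The sample records are the question's own, lightly shortened; as the answer says, an allow rule from kernel_t on a stock box is a diagnostic, not something to apply blindly.

```python
"""Pair AVC and SYSCALL audit records and derive the audit2allow-style rule."""
import re
from collections import defaultdict

# Constructed sample: the two records from the question, with a few
# SYSCALL fields dropped for brevity. Both share audit serial 119.
SAMPLE_AUDIT = """\
node=host1 type=AVC msg=audit(1633374382.599:119): avc: denied { dyntransition } for pid=2003 comm="sshd" scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
node=host1 type=SYSCALL msg=audit(1633374382.599:119): arch=c000003e syscall=1 success=yes exit=42 ppid=1985 pid=2003 auid=1000 uid=1000 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
"""

# type=... msg=audit(<timestamp>:<serial>): <body>
MSG_RE = re.compile(
    r'type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)')
# key=value pairs; values may be quoted ("sshd") or bare (kernel_t contexts)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# avc: denied { perm perm } for <fields>
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')


def parse_record(line):
    """Return a dict of the record's fields, or None for unrecognised lines."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"]), "ts": float(m["ts"])}
    body = m["body"]
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["verdict"] = a["verdict"]
        rec["perms"] = a["perms"].split()
        body = a["rest"]
    rec.update({k: v.strip('"') for k, v in FIELD_RE.findall(body)})
    return rec


def selinux_type(context):
    """A context is user:role:type:level; the type is the third field."""
    return context.split(":")[2]


def pair_avcs(text):
    """Group records by serial and summarise every AVC with its SYSCALL data."""
    by_serial = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]][rec["type"]] = rec
    events = []
    for serial, recs in sorted(by_serial.items()):
        avc = recs.get("AVC")
        if not avc:
            continue
        sc = recs.get("SYSCALL", {})
        events.append({
            "serial": serial,
            "verdict": avc["verdict"],
            "perms": avc["perms"],
            "source_type": selinux_type(avc["scontext"]),
            "target_type": selinux_type(avc["tcontext"]),
            "tclass": avc["tclass"],
            # permissive=1 means the access was logged but not blocked
            "permissive": avc.get("permissive") == "1",
            "comm": avc.get("comm"),
            "exe": sc.get("exe"),   # only the SYSCALL record carries the binary path
        })
    return events


def allow_rule(event):
    """The allow statement audit2allow prints for such a denial (review, don't just apply)."""
    perms = event["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (
        event["source_type"], event["target_type"], event["tclass"], perm_str)


if __name__ == "__main__":
    for ev in pair_avcs(SAMPLE_AUDIT):
        print("serial %d: %s %s by %s (%s), permissive=%s" % (
            ev["serial"], ev["verdict"], " ".join(ev["perms"]),
            ev["comm"], ev["exe"], ev["permissive"]))
        print("  audit2allow would suggest:", allow_rule(ev))
```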

Proper sudoers user / session setup for xrdp and systemd-modules-load / auditd fails in a WSL2 openSUSE-Leap-15.2 environment

I've managed to successfully run xrdp in an openSUSE-Leap-15.2 WSL 2 Linux subsystem on my Windows 10 64-bit PC.
My Linux knowledge is not that great.
I use KDE (startplasma-x11) as desktop for xrdp.
On my first setup I had no systemd and only a dbus-daemon. As you know systemd and dbus are disabled / broken on WSL. Without systemd I had no issues with kdesu for e.g. yast2 in the KDE xrdp session. On the other hand, I couldn't use packages which require systemd to work properly.
My xrdp user is "marvin" as a default user group.
However, I need openSUSE because I have an app which only runs well in SUSE, not in Ubuntu.
So I started over again with this guide: Auto-start/services (systemd and snap support)
To get it working on leap 15.2 I did the following:
Downloaded & reinstalled dbus-1: dbus-1-1.12.2-lp152.5.27.x86_64.rpm
Yast install policykit-1
Grabbed daemonize-1.7.8-1-omv4000.x86_64.rpm and extracted bin daemonize to "/usr/sbin/"
Then I modified /usr/bin/bash and added also xrdp to autostart at the same time outside systemd:
#!/bin/bash
printf "\n"
echo "Starting init bash..."
# your WSL2 username
UNAME="marvin"
# fake run for dbus, just in case
if ! [ -d "/run/dbus" ]
then
mkdir /run/dbus
chmod 777 /run/dbus
fi
UUID=$(id -u "${UNAME}")
UGID=$(id -g "${UNAME}")
UHOME=$(getent passwd "${UNAME}" | cut -d: -f6)
USHELL=$(getent passwd "${UNAME}" | cut -d: -f7)
if [[ -p /dev/stdin || "${BASH_ARGC}" > 0 && "${BASH_ARGV[1]}" != "-c" ]]; then
USHELL=/bin/bash
fi
if [[ "${PWD}" = "/root" ]]; then
cd "${UHOME}"
fi
# get pid of systemd
SYSTEMD_PID=$(pgrep -xo systemd)
# if we're already in the systemd environment
if [[ "${SYSTEMD_PID}" -eq "1" ]]; then
exec "${USHELL}" "$@"
fi
# start systemd if not started
# wait for systemd to start
# add echo feedback and timeout to avoid infinite loop
sto=50 # 5 secs
if [[ "${SYSTEMD_PID}" = "" ]]; then
echo -e "Starting systemd PID ${SYSTEMD_PID} max timeout: $((sto/10))s"
/usr/sbin/daemonize -l "${HOME}/.systemd.lock" /usr/bin/unshare -fp --mount-proc /usr/lib/systemd/systemd --system-unit=basic.target
fi
while [[ "${SYSTEMD_PID}" = "" && $sto -gt 0 ]]; do
sleep 0.1
((sto--))
SYSTEMD_PID=$(pgrep -xo systemd)
done
if [ "$sto" -eq "0" ]; then
echo "Timeout while waiting for systemd PID. Exiting bash now...";
exit 1;
fi
printf "\n"
echo -e "Checking xrdp status..."
printf "\n"
if ! ps -C xrdp-sesman
then
sto=20
echo -e "Starting xrdp session manager... max timeout: $((sto/10))s"
[ -f /var/run/xrdp-sesman.pid ] && rm /var/run/xrdp-sesman.pid
xrdp-sesman
while ! ps -C xrdp-sesman > /dev/null && [ $sto -gt 0 ]; do
sleep 0.1
((sto--))
done
if [ "$sto" -eq "0" ]; then
echo "Timeout while waiting for xrdp-sesman PID.";
fi
fi
printf "\n"
if ! ps -C xrdp
then
sto=20
echo -e "Starting xrdp... max timeout: $((sto/10))s"
[ -f /var/run/xrdp.pid ] && rm /var/run/xrdp.pid
yes "" | openssl req -x509 -newkey rsa:2048 -nodes -keyout /etc/xrdp/key.pem -out /etc/xrdp/cert.pem -days 365 > /dev/null 2>&1
xrdp -f
while ! ps -C xrdp > /dev/null && [ $sto -gt 0 ]; do
sleep 0.1
((sto--))
done
if [ "$sto" -eq "0" ]; then
echo "Timeout while waiting for xrdp PID.";
fi
fi
printf "\n"
echo "Init bash done."
printf "\n"
# enter systemd namespace
exec /usr/bin/nsenter -t "${SYSTEMD_PID}" -m -p --wd="${PWD}" /usr/sbin/runuser -s "${USHELL}" "${UNAME}" -- "${@}"
After that I:
Installed some packages via yast like xorg, KDE patterns, yast2 patterns, and so on.
Successfully connected via rdp localhost:3390 Xorg session to KDE desktop from Windows with user "marvin".
So what's not working is yast2 kde su:
Where password is no typo for sure ;)
Permission denied
I've got no wheel user group so far. I don't know if I had one last time but I don't think so.
However, I followed this guide to create a wheel user:
id marvin
uid=1000(marvin) gid=100(users) groups=1000(wheel),100(users)
My /etc/sudoers
# Host_Alias WEBSERVERS = www1, www2, www3
# User_Alias ADMINS = millert, dowdy, mikef
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
# /usr/bin/pkill, /usr/bin/top
# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
Defaults always_set_home
## Path that will be used for every command run from sudo
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
Defaults env_reset
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
## Do not insult users when they enter an incorrect password.
Defaults !insults
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Defaults mail_badpass
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
Defaults targetpw # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
##
## Runas alias specification
##
##
## User privilege specification
##
root ALL=(ALL) ALL
## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
And my /etc/sudoers.d/wheel-users
# allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
Well, I'm out of my Linux knowledge at this point. I don't want to comment out things when I don't know if I break security rules by doing so. And I also don't know if the problem is caused by this. However, adding the wheel group didn't solve the problem. Maybe I missed something or did something wrong?
I also noticed that some systemd services are not running and may affect this problem:
service -s
Output:
accounts-daemon.service loaded active running Accounts Service
auditd.service loaded failed failed Security Auditing Service
avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack
colord.service loaded active running Manage, Install and Generate Color Profiles
cron.service loaded active running Command Scheduler
cups.service loaded active running CUPS Scheduler
dbus.service loaded active running D-Bus System Message Bus
detect-part-label-duplicates.service loaded active exited Detect if the system suffers from bsc#1089761
display-manager.service loaded failed failed X Display Manager
dracut-shutdown.service loaded active exited Restore /run/initramfs on shutdown
getty@tty1.service loaded active running Getty on tty1
irqbalance.service loaded active running irqbalance daemon
iscsi.service loaded active exited Login and scanning of iSCSI devices
kbdsettings.service loaded active exited Apply settings from /etc/sysconfig/keyboard
klog.service loaded active exited Early Kernel Boot Messages
lvm2-monitor.service loaded active exited Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling
ModemManager.service loaded active running Modem Manager
nscd.service loaded active running Name Service Cache Daemon
polkit.service loaded active running Authorization Manager
postfix.service loaded active running Postfix Mail Transport Agent
rsyslog.service loaded active running System Logging Service
systemd-journal-flush.service loaded active exited Flush Journal to Persistent Storage
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running Login Service
systemd-modules-load.service loaded failed failed Load Kernel Modules
systemd-random-seed.service loaded active exited Load/Save Random Seed
systemd-remount-fs.service loaded active exited Remount Root and Kernel File Systems
systemd-sysctl.service loaded active exited Apply Kernel Variables
systemd-tmpfiles-setup-dev.service loaded active exited Create Static Device Nodes in /dev
systemd-tmpfiles-setup.service loaded active exited Create Volatile Files and Directories
systemd-udev-settle.service loaded active exited udev Wait for Complete Device Initialization
systemd-udev-trigger.service loaded active exited udev Coldplug all Devices
systemd-udevd.service loaded active running udev Kernel Device Manager
systemd-update-utmp.service loaded active exited Update UTMP about System Boot/Shutdown
systemd-user-sessions.service loaded active exited Permit User Sessions
udisks2.service loaded active running Disk Manager
upower.service loaded active running Daemon for power management
user-runtime-dir@0.service loaded active exited User Runtime Directory /run/user/0
user@0.service loaded active running User Manager for UID 0
wicked.service loaded active exited wicked managed network interfaces
wickedd-auto4.service loaded active running wicked AutoIPv4 supplicant service
wickedd-dhcp4.service loaded active running wicked DHCPv4 supplicant service
wickedd-dhcp6.service loaded active running wicked DHCPv6 supplicant service
wickedd-nanny.service loaded active running wicked network nanny service
wickedd.service loaded active running wicked network management service daemon
Where console outputs this relevant information:
auditctl -e1
Error - audit support not in kernel
Cannot open netlink audit socket
hostnamectl | grep Kernel
Kernel: Linux 4.19.128-microsoft-standard
systemctl -l status systemd-modules-load.service
● systemd-modules-load.service - Load Kernel Modules
Loaded: loaded (/usr/lib/systemd/system/systemd-modules-load.service; static; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2020-11-26 13:57:11 CET; 12min ago
Docs: man:systemd-modules-load.service(8)
man:modules-load.d(5)
Process: 25 ExecStart=/usr/lib/systemd/systemd-modules-load (code=exited, status=1/FAILURE)
Main PID: 25 (code=exited, status=1/FAILURE)
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
Further /var/log:
audit.log is empty
xrdp-sesman.log running well somehow
[CORE ] waiting for window manager (pid 1304) to exit
[ERROR] bind_loopback(4, 3350) failed; IPv6 ::1 (errno=98), IPv4 127.0.0.1 (errno=22) and IPv6 ::FFFF:127.0.0.1 (errno=98).
[ERROR] Failed to start xrdp-sesman daemon, possibly address already in use.
[CORE ] window manager (pid 1304) did exit, cleaning up session
The warnings look crazy; I hope I can solve some of these errors sooner or later. I feel bad about this log since I never hacked all that in a way. ;/
systemd-modules-load[27]: Failed to lookup alias 'scsi_dh_alua': Function not implemented
systemd-modules-load[27]: Failed to lookup alias 'scsi_dh_emc': Function not implemented
systemd-modules-load[27]: Failed to lookup alias 'scsi_dh_rdac': Function not implemented
systemd-modules-load[27]: Failed to lookup alias 'dm-multipath': Function not implemented
systemd-modules-load[27]: Failed to lookup alias 'sg': Function not implemented
systemd-sysctl[52]: Failed to open file '/boot/sysctl.conf-4.19.128-microsoft-standard', ignoring: No such file or directory
systemd-udevd[83]: Could not generate persistent MAC address for dummy0: No such file or directory
systemd-udevd[68]: Could not generate persistent MAC address for bond0: No such file or directory
systemd[1]: Failed to start Security Auditing Service.
systemd[1]: auditd.service: Failed with result 'exit-code'.
kernel: [ 0.155516] MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.
kernel: [ 0.155516] TAA CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html for more details.
kernel: [ 0.264873] PCI: Fatal: No config space access function found
kernel: [ 0.277895] PCI: System does not support PCI
kernel: [ 0.155516] #2 #3 #4 #5 #6 #7 #8 #9 #10 #11
kernel: [ 0.291373] kvm: no hardware support
kernel: [ 0.291374] kvm: no hardware support
kernel: [ 0.312696] hv_utils: cannot register PTP clock: 0
kernel: [ 0.312707] dxgk:err: dxg_drv_init Version: 1
kernel: [ 0.322371] Unstable clock detected, switching default tracing clock to "global"
kernel: [ 0.322371] If you want to keep using the local clock, then add:
kernel: [ 0.322371] "trace_clock=local"
kernel: [ 0.322371] on the kernel command line
kernel: [ 0.906590] FS-Cache: Duplicate cookie detected
kernel: [ 0.906592] FS-Cache: O-cookie c=00000000daf1a0fc [p=0000000032b95ae1 fl=222 nc=0 na=1]
kernel: [ 0.906592] FS-Cache: O-cookie d=00000000d9a94301 n=000000002cec00fb
kernel: [ 0.906593] FS-Cache: O-key=[10] '34323934393337333731'
kernel: [ 0.906594] FS-Cache: N-cookie c=0000000013092984 [p=0000000032b95ae1 fl=2 nc=0 na=1]
kernel: [ 0.906595] FS-Cache: N-cookie d=00000000d9a94301 n=00000000b63ed825
kernel: [ 0.906595] FS-Cache: N-key=[10] '34323934393337333731'
kernel: [ 0.908315] FS-Cache: Duplicate cookie detected
kernel: [ 0.908317] FS-Cache: O-cookie c=00000000daf1a0fc [p=0000000032b95ae1 fl=222 nc=0 na=1]
kernel: [ 0.908317] FS-Cache: O-cookie d=00000000d9a94301 n=000000002cec00fb
kernel: [ 0.908317] FS-Cache: O-key=[10] '34323934393337333731'
kernel: [ 0.908319] FS-Cache: N-cookie c=000000004100e019 [p=0000000032b95ae1 fl=2 nc=0 na=1]
kernel: [ 0.908319] FS-Cache: N-cookie d=00000000d9a94301 n=00000000074b6ae8
kernel: [ 0.908320] FS-Cache: N-key=[10] '34323934393337333731'
kernel: [ 0.910004] FS-Cache: Duplicate cookie detected
kernel: [ 0.910006] FS-Cache: O-cookie c=00000000daf1a0fc [p=0000000032b95ae1 fl=222 nc=0 na=1]
kernel: [ 0.910006] FS-Cache: O-cookie d=00000000d9a94301 n=000000002cec00fb
kernel: [ 0.910007] FS-Cache: O-key=[10] '34323934393337333731'
kernel: [ 0.910008] FS-Cache: N-cookie c=000000006fbd91eb [p=0000000032b95ae1 fl=2 nc=0 na=1]
kernel: [ 0.910009] FS-Cache: N-cookie d=00000000d9a94301 n=00000000ced73ef6
kernel: [ 0.910009] FS-Cache: N-key=[10] '34323934393337333731'
avahi-daemon[222]: Host name conflict, retrying with XXXX-XXXX-2
accounts-daemon[613]: g_dbus_interface_skeleton_get_object_path: assertion 'G_IS_DBUS_INTERFACE_SKELETON (interface_)' failed
startproc: startproc: exit status of parent of /usr/sbin/lightdm: 1
systemd[1]: Failed to start X Display Manager.
systemd[1]: display-manager.service: Failed with result 'exit-code'.
xrdp-sesman: pam_systemd(xrdp-sesman:session): Failed to connect to system bus: No such file or directory
kdeinit5[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
klauncher[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
klauncher[0]: message repeated 3 times: [ QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin']
klauncher[0]: Connecting to deprecated signal QDBusConnectionInterface::serviceOwnerChanged(QString,QString,QString)
klauncher[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
kded5[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
kded5[0]: message repeated 3 times: [ QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin']
kaccess[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
kded5[0]: QObject::connect: No such signal QDBusAbstractInterface::StateChanged(uint)
kglobalaccel5[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
kglobalaccel5[0]: message repeated 3 times: [ QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin']
ksmserver[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
ksmserver[0]: message repeated 2 times: [ QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin']
ksmserver[0]: Qt: Session management error: networkIdsList argument is NULL
ksmserver[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
kded5[0]: org.kde.bluez: Cannot open /dev/rfkill for reading!
baloo_file[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
xembedsniproxy[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
polkit-kde-authentication-agent-1[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
udisksd[692]: Can't load configuration file /etc/udisks2/udisks2.conf
kded5[0]: print-manager.kded: unable to register service to dbus
udisksd[692]: Error statting /swap/file: No such file or directory
plasmashell[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
polkit-kde-authentication-agent-1[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
plasmashell[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
kwin_x11[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
polkit-kde-authentication-agent-1[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
kded5[0]: org.kde.wacomtablet.common: d->name.isEmpty? true
plasmashell[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
kwin_x11[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
kded5[0]: kf5.kded: found kded module "colord" by prepending 'kded_' to the library path, please fix your metadata.
polkit-kde-authentication-agent-1[0]: "Cannot create unix session: No session for pid 925"
polkit-kde-authentication-agent-1[0]: "Cannot register authentication agent!"
polkit-kde-authentication-agent-1[0]: Couldn't register listener!
gmenudbusmenuproxy[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
kded5[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
kded5[0]: message repeated 2 times: [ QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin']
kdeconnectd[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
kactivitymanagerd[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
kactivitymanagerd[0]: message repeated 2 times: [ QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin']
kwin_x11[0]: kf5.kconfig.core: "\"fsrestore1\" - conversion of \"0,0,0,0\" to QRect failed"
drkonqi[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
kdeconnectd[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
kded5[0]: "/home/marvin/.local/share/icc/.." is not an ICC profile
kded5[0]: "/home/marvin/.local/share/icc/." is not an ICC profile
kdeconnectd[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
drkonqi[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
kded5[0]: Unable to get EDID for output "rdp0"
kded5[0]: Failed to register device: "failed to obtain org.freedesktop.color-manager.create-device auth"
kded5[0]: Failed to create ICC profile on cmsCreateRGBProfile
kscreen_backend_launcher[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
kded5[0]: "/home/marvin/.local/share/icc/.." is not an ICC profile
kded5[0]: "/home/marvin/.local/share/icc/." is not an ICC profile
kded5[0]: Unable to get EDID for output "rdp0"
vncmanager-controller[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
org_kde_powerdevil[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
baloo_file[0]: QDBusConnection: name 'org.freedesktop.UDisks2' had owner '' but we thought it was ':1.21'
drkonqi[0]: org.kde.drkonqi: Invalid pid specified
vncmanager-controller[0]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-marvin'
org_kde_powerdevil[0]: powerdevil: No outputs have backlight property
org_kde_powerdevil[0]: powerdevil: Xrandr not supported, trying ddc, helper
backlighthelper[719]: powerdevil: no kernel backlight interface found
kded5[0]: Failed to register device: "failed to obtain org.freedesktop.color-manager.create-device auth"
....................................................................
kded5[0]: message repeated 2 times: [ QDBusAbstractAdaptor: Cannot relay signal KDEDModule::moduleDeleted(KDEDModule*): Pointers are not supported: KDEDModule*]
kdeconnectd[0]: The X11 connection broke (error 1). Did the X11 server die?
kscreen_backend_launcher[0]: The X11 connection broke (error 1). Did the X11 server die?
kglobalaccel5[0]: The X11 connection broke (error 1). Did the X11 server die?
kactivitymanagerd[0]: The X11 connection broke (error 1). Did the X11 server die?
kded5[0]: The X11 connection broke: I/O error (code 1)
I got also a lightdm.log indicating that my Linux starts a session without a reason.
It looks like I have messed up the session system.
Well if I would restart from beginning that same would happen again. So I want to go through it step by step.
Goals:
Get kdesu working with my user marvin; that would be nice for the GUI and for tracking other issues
Proper session / user setup for xrdp
So if you need additional infos I'll update the question. Even if I got better results.
The wsl2 needs to have absolute knowledge of linux. Otherwise you, I, have no chance to be successful.
So I stop this question because of: I have to learn more.

systemd service: Failed to execute command: Permission denied

I am trying to run an SSH command in a systemd service. Although the user I set to run the command (fedora) has permission to everything the command requires (verified both by running the command manually in a logged-in shell without failure and by permission checks on the files), it still gives the error of permission denied.
[Unit]
Description=AutoSSH tunnel
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/ssh -f -TN -L 3333:localhost:3333 -o "ExitOnForwardFailure yes" -o "ServerAliveInterval 60" -i /home/fedora/.ssh/id_rsa ubuntu@server
ExecStop=/usr/bin/pkill -f 3333:localhost:3333
Restart=always
RestartSec=10
User=fedora
Group=fedora
[Install]
WantedBy=multi-user.target
error message:
Oct 16 11:10:47 Lenovoserver systemd[2318595]: autossh-tunnel.service: Failed to execute command: Permission denied
Oct 16 11:10:47 Lenovoserver systemd[2318595]: autossh-tunnel.service: Failed at step EXEC spawning /usr/bin/ssh: Permission denied
Permission checks:
-rwxr-xr-x. 1 root root 808832 Oct 9 2019 /usr/bin/ssh
fedora user has permission to execute /usr/bin/ssh
-rw-------. 1 fedora fedora 2610 Jan 3 2020 /home/fedora/.ssh/id_rsa
fedora user has read access to its private key.
Did I do anything wrong or is this a systemd bug?
It could be SELinux, the new ssh port has to be registered in selinux.
First check if the service works by disabling SELinux temporarily; if it works, add the ssh port to SELinux as follows.
# Check selinux status
sestatus
# Disable selinux temporarily
setenforce 0
# Check selinux ssh port
semanage port -l | grep ssh
ssh_port_t tcp 22
# Add selinux ssh port
sudo semanage port -a -t ssh_port_t -p tcp 3333
# Check selinux ssh port
semanage port -l | grep ssh
ssh_port_t tcp 22, 3333

bastion server with MFA

I have a bastion server with enabled MFA using google-authenticator service. But I cannot use proxycommand through my bastion:
> ssh -vvv -i ~/.ssh/file.pem user@ip -o "proxycommand ssh -q -W %h:%p user@bastion"
OpenSSH_7.9p1 Ubuntu-10, OpenSSL 1.1.1b 26 Feb 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolve_canonicalize: hostname ip is address
debug1: Executing proxy command: exec ssh -q -W ip:22 user@bastion
debug1: identity file /home/user/.ssh/file.pem type -1
debug1: identity file /home/user/.ssh/file.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Ubuntu-10
Password:
Verification code:
connection exited by timeout
Is it possible to use proxycommand with MFA?
/etc/pam.d/common-session:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_systemd.so
auth required pam_google_authenticator.so nullok
/etc/ssh/sshd_config :
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
The issue was with firewall rules, proxycommand works with MFA!

SFTP - overriden permissions (filemask, owner/group)

I am running an OpenSSH sftp-server (Linux, Raspbian) and FileZilla is used as client. The problems I experienced were that the user could delete any file on the server with no regard to the filemask or the owner/group:
User that logs in:
cat /etc/passwd | grep sftp
sftp-guest:x:1001:1004:::/sbin/nologin
Group:
cat /etc/group | grep sftp-only
sftp-only:x:1004:
This is my /etc/ssh/sshd_config - file (shadowed Port):
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port ***33
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#X11Forwarding yes
#X11DisplayOffset 10
#PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
Banner /sftp/welcome_message
# Allow client to pass locale environment variables
#AcceptEnv LANG LC_*
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes
Subsystem sftp internal-sftp
Match group *,!sftp-only,!pi
ForceCommand internal-sftp
ChrootDirectory /sftp/empty
Match group sftp-only
ChrootDirectory /sftp/%u
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
As you can see in the sshd_config the user sftp-guest is chrooted into /sftp/sftp-guest.
Here you can see the permissions of the files/folders:
ll /sftp | grep sftp-guest
drwxr-xr-x 3 root root 4096 Dec 20 02:26 sftp-guest
ll /sftp/sftp-guest/
drwxrwxr-x 9 sftp-guest pi 4096 Apr 18 22:18 maturaprojekt
ll /sftp/sftp-guest/data/
---------- 1 sftp-guest sftp-only 205 Apr 18 22:06 readme
---------- 1 root root 205 Apr 18 22:18 readme2
The problem is that both files (readme, readme2) can be deleted with FileZilla or via sftp (command line). Further, renaming or changing the permissions is possible.
EDIT -->
When trying to view or download these files the transfer fails!
Filezilla-Log:
Command: get "readme" "/tmp/fz3temp-1/readme"
Error: /data/readme: open for read: permission denied
Error: File transfer failed
Command: get "readme" "/home/michael/data/readme"
Error: /data/readme: open for read: permission denied
Error: File transfer failed
<-- EDIT
My question is now how this behavior could be prevented?
The right to delete a file is on the parent folder : if the folder is writable, you can delete a file inside. Try a chmod -w /sftp/sftp-guest/data/ to prevent sftp-guest from deleting the readme files (you can also make them readable to fix your last edit).
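The answer's point is the POSIX rule that unlink is authorised by the parent directory, not by the file. The added example below (my own code, not from the original answer) models that rule on the listing in the question: sftp-guest is uid 1001 in group 1004 as shown, the data directory is assumed to have the drwxrwxr-x sftp-guest:pi mode shown for the chroot's subdirectory, and the gid of pi (not on the page) is assumed to be 1000. It also goes one step beyond the answer by showing what the sticky bit on a root-owned directory would allow.

```python
"""Model which user can unlink or read which file, from ls -l style data."""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    mode_str: str   # ten-character mode as printed by ls -l, e.g. "drwxr-xr-x"
    uid: int
    gid: int


def parse_mode(mode_str):
    """Convert an ls -l mode string to st_mode permission bits (incl. setuid/setgid/sticky)."""
    if len(mode_str) != 10:
        raise ValueError("expected a ten-character ls -l mode string")
    perm = 0
    for i, ch in enumerate(mode_str[1:]):
        if ch in "rwxst":          # lowercase s/t imply the x bit; uppercase S/T do not
            perm |= 0o400 >> i
        if ch in "sS" and i == 2:
            perm |= stat.S_ISUID
        if ch in "sS" and i == 5:
            perm |= stat.S_ISGID
        if ch in "tT" and i == 8:
            perm |= stat.S_ISVTX
    return perm


def can(node, want, uid, gids):
    """DAC check: owner bits if uid matches, else group bits if any gid matches,
    else other bits (exactly one class applies). want is a subset of "rwx".
    root (uid 0) bypasses DAC for the permissions modelled here."""
    if uid == 0:
        return True
    mode = parse_mode(node.mode_str)
    shift = 6 if uid == node.uid else 3 if node.gid in gids else 0
    have = (mode >> shift) & 0o7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return have & need == need


def can_unlink(parent, child, uid, gids):
    """unlink(2) needs write+search on the parent; the child's own mode is
    irrelevant. If the parent has the sticky bit, only the file owner, the
    directory owner or root may remove the entry."""
    if not can(parent, "wx", uid, gids):
        return False
    if parse_mode(parent.mode_str) & stat.S_ISVTX:
        return uid in (0, child.uid, parent.uid)
    return True


def evaluate_question_listing():
    """Apply the rules to the question's listing and to the answer's chmod -w fix."""
    guest_uid, guest_gids = 1001, {1004}            # sftp-guest:x:1001:1004 from the question
    # /sftp/sftp-guest is root-owned and not group/world writable, which is what
    # sshd requires of a ChrootDirectory; the writable data dir below it is the issue.
    data_dir = Inode("drwxrwxr-x", 1001, 1000)      # pi's gid 1000 is an assumption
    data_dir_fixed = Inode("dr-xr-xr-x", 1001, 1000)   # after: chmod -w /sftp/sftp-guest/data/
    readme = Inode("----------", 1001, 1004)        # sftp-guest sftp-only
    readme2 = Inode("----------", 0, 0)             # root root
    sticky_root_dir = Inode("drwxrwxrwt", 0, 0)     # generalisation: /tmp-style directory
    return {
        # mode 000 on the files does not matter: the directory is writable by its owner
        "delete_readme2_writable_dir": can_unlink(data_dir, readme2, guest_uid, guest_gids),
        # ...while reading the same files fails, matching the FileZilla log in the question
        "read_readme": can(readme, "r", guest_uid, guest_gids),
        # the answer's fix: without w on the directory, unlink is refused
        "delete_readme2_after_chmod_minus_w": can_unlink(data_dir_fixed, readme2, guest_uid, guest_gids),
        # sticky bit on a root-owned dir: own files removable, root's files not
        "sticky_root_dir_delete_own": can_unlink(sticky_root_dir, readme, guest_uid, guest_gids),
        "sticky_root_dir_delete_root_file": can_unlink(sticky_root_dir, readme2, guest_uid, guest_gids),
    }


if __name__ == "__main__":
    for name, allowed in evaluate_question_listing().items():
        print("%-36s %s" % (name, "allowed" if allowed else "denied"))
```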

ssh: connection refused on port 22

I have installed the OpenSSH server. I started the ssh server using the following command:
:~$ sudo service ssh start
ssh start/running, process 20013
With the following command I can see that port 22 is open:
:~$ sudo nmap localhost -p 1-65535
Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-22 23:46 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000013s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 7.24 seconds
Furthermore, to check if the port is listening I used the following command, with these results:
:~$ sudo netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 1061/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 20013/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2009/cupsd
tcp6 0 0 :::22 :::* LISTEN 20013/sshd
tcp6 0 0 ::1:631 :::* LISTEN 2009/cupsd
udp 0 0 0.0.0.0:42198 0.0.0.0:*
But when I try to connect to the port from the same machine I get the following message:
:~$ ssh -vvv -p 22 address
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to address [198.105.xxx.xxx] port 22.
debug1: connect to address 198.105.xxx.xxx port 22: Connection timed out
When I try to ssh from a different computer on a different network I get the following message (xx.xxx.xxx.xxx is the external/public IP of the router):
:~$ ssh bhuwan@xx.xxx.xxx.xxx
ssh: connect to host xx.xxx.xxx.xxx port 22: Connection refused
Whereas, when I try to ssh from a different computer on the same network I am able to connect. I do have port forwarding enabled on the router for port 22 to the local IP of the computer. I literally started using Ubuntu 2 days ago and started working on ssh the same day. I'm not an expert on this as of now and any simplified explanation or guidance would be much appreciated. :)
Below is my sshd_config file:
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
And my ssh_config file is as follows:
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host *
ServerAliveInterval 300
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
After a long haul I found out that the problem was the modem that the ISP provided. The above configuration should work fine if port forwarding on the modem/router is not blocked by the ISP. With the modem/router the ISP provided, even after I tried port forwarding, port 22 was not open, which can be checked here: http://www.canyouseeme.org/.
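The three symptoms in this thread (a working connection on the LAN, "Connection timed out" when the machine dials its own public address, and "Connection refused" from outside) are exactly what a TCP connect reports when a listener answers, when packets are silently dropped, and when the far end sends a reset. The following added example (not code from the original question or answer) classifies a connect attempt that way and explains what each outcome usually means for an sshd behind a router; the `local_demo()` function uses a throw-away loopback listener so the "open" and "refused" cases can be reproduced without any network.

```python
# Added example (not from the original post): classify a TCP connect attempt
# so that 'refused' (RST came back: the host was reached, nothing accepted),
# 'timeout' (SYN silently dropped: firewall, NAT without forwarding, ISP block)
# and 'open' (a listener answered) can be told apart when debugging sshd reachability.
import errno
import socket
from contextlib import closing


def classify_connect(host: str, port: int, timeout: float = 3.0) -> str:
    """Return one of 'open', 'refused', 'timeout', 'unreachable', 'error'."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return "open"
    except socket.timeout:            # alias of TimeoutError on Python 3.10+
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"


EXPLANATION = {
    "open": "a listener accepted the connection: sshd is reachable on this path",
    "refused": "the host answered with RST: it was reached but nothing accepted the port "
               "(no listener there, or a router/firewall rejecting it)",
    "timeout": "no answer at all: packets are dropped before reaching sshd "
               "(firewall, NAT without a forwarding rule, or the ISP blocking the port)",
    "unreachable": "no route to the host from this machine",
    "error": "another socket error; check the exception for details",
}


def diagnose(host: str, port: int, timeout: float = 3.0) -> tuple:
    """Connect once and pair the verdict with a short interpretation."""
    verdict = classify_connect(host, port, timeout)
    return verdict, EXPLANATION[verdict]


def local_demo() -> dict:
    """Reproduce 'open' and 'refused' against loopback with a throw-away listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    with closing(srv):
        while_open = classify_connect("127.0.0.1", port, 1.0)
    # The listener is closed now, so the same port yields a reset.
    after_close = classify_connect("127.0.0.1", port, 1.0)
    return {"while_open": while_open, "after_close": after_close}


if __name__ == "__main__":
    for name, verdict in local_demo().items():
        print(f"{name}: {verdict} ({EXPLANATION[verdict]})")
```

Used against a real host, `diagnose("198.51.100.10", 22)` (a documentation address standing in for your public IP) gives the same split the question observed: a timeout from inside the LAN usually means the router does not hairpin its own public address, while a refusal from outside means the router or ISP device answered instead of forwarding to sshd. A "refused" or "timeout" from outside while `ss -lnt` or `netstat -plunt` shows `0.0.0.0:22 LISTEN` locally points at the network path, not at the sshd configuration.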

Resources