ssh got denied access to user's ~/.ssh

Postby timbgo » Fri Mar 17, 2017 3:45 pm

title: ssh got denied access to user's ~/.ssh
---

Code:
$ sftp rovisnet@rovis.org
Could not create directory '/home/miro/.ssh'.
The authenticity of host 'rovis.org (178.218.165.68)' can't be established.
ECDSA key fingerprint is SHA256:eIcir/AUnSb9d8SQN6emaaWugNFyGOZnxC9dPB6RfVk.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Failed to add the host to the list of known hosts (/home/miro/.ssh/known_hosts).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Couldn't read packet: Connection reset by peer
$


( BTW, also if I try plain ssh:
Code:
$ ssh rovisnet@rovis.org
...[basically same]...
)

Why? Have a look:

Code:
Mar 17 20:24:00 g0n kernel: [386022.331916] grsec: (miro:U:/usr/bin/sftp) exec of /usr/bin/sftp (sftp rovisnet@rovis.org ) by /usr/bin/sftp[bash:32251] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:9182] uid/euid:1000/1000 gid/egid:1000/1000
Mar 17 20:24:00 g0n kernel: [386022.334929] grsec: (miro:U:/usr/bin/ssh) exec of /usr/bin/ssh (/usr/bin/ssh -oForwardX11 no -oForwardAgent no -oPermitLocalCommand no -oClearAllForwardings yes -l rovisnet -oProtocol 2 -s -- ) by /usr/bin/ssh[sftp:32252] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/sftp[sftp:32251] uid/euid:1000/1000 gid/egid:1000/1000
Mar 17 20:24:00 g0n kernel: [386022.345162] grsec: (miro:U:/usr/bin/ssh) denied access to hidden file /home/miro/.ssh by /usr/bin/ssh[ssh:32252] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/sftp[sftp:32251] uid/euid:1000/1000 gid/egid:1000/1000
Mar 17 20:24:00 g0n kernel: [386022.345181] grsec: (miro:U:/usr/bin/ssh) denied access to hidden file /home/miro/.ssh by /usr/bin/ssh[ssh:32252] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/sftp[sftp:32251] uid/euid:1000/1000 gid/egid:1000/1000
Mar 17 20:24:00 g0n kernel: [386022.345309] grsec: (miro:U:/usr/bin/ssh) denied access to hidden file /home/miro/.ssh/id_rsa by /usr/bin/ssh[ssh:32252] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/sftp[sftp:32251] uid/euid:1000/1000 gid/egid:1000/1000
Mar 17 20:24:00 g0n kernel: [386022.345344] grsec: (miro:U:/usr/bin/ssh) denied access to hidden file /home/miro/.ssh/id_rsa.pub by /usr/bin/ssh[ssh:32252] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/sftp[sftp:32251] uid/euid:1000/1000 gid/egid:1000/1000
Mar 17 20:24:00 g0n kernel: [386022.360133] grsec: more alerts, logging disabled for 10 seconds
Mar 17 20:24:11 g0n kernel: [386032.924301] grsec: (miro:U:/usr/bin/ssh) denied access to hidden file /home/miro/.ssh/known_hosts by /usr/bin/ssh[ssh:32252] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/sftp[sftp:32251] uid/euid:1000/1000 gid/egid:1000/1000
Mar 17 20:24:11 g0n kernel: [386032.982358] grsec: (miro:U:/usr/bin/ssh) denied access to hidden file /home/miro/.ssh/id_rsa by /usr/bin/ssh[ssh:32252] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/sftp[sftp:32251] uid/euid:1000/1000 gid/egid:1000/1000


Code:
$ ls -lRa ~miro/.ssh/
/home/miro/.ssh/:
total 36
drwx------  2 miro miro  4096 2017-03-17 20:23 .
drwxr-xr-x 41 miro miro 20480 2017-03-17 20:32 ..
-rw-------  1 miro miro  1766 2014-12-23 10:52 id_rsa
-rw-r--r--  1 miro miro   390 2014-12-23 10:52 id_rsa.pub
-rw-r--r--  1 miro miro   186 2017-02-21 18:30 known_hosts
$


This hasn't happened before. It happened just now. I did notice some "hesitant" behavior by RBAC in my system. Maybe I'm doing something wrong, I don't know.

Posting this just in case it doesn't go away...
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia
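
Added example (not part of the original post and not grsecurity project code): a small triage script that groups the "denied access to hidden file" alerts from a syslog excerpt by RBAC role and subject, reduces them to the topmost denied paths, and counts the rate-limit notices that mean some denials were never logged. The regular expressions assume the field layout seen in the lines quoted above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Abridged from the syslog excerpt in the post above (parent-process field trimmed).
SAMPLE = """\
Mar 17 20:24:00 g0n kernel: [386022.345162] grsec: (miro:U:/usr/bin/ssh) denied access to hidden file /home/miro/.ssh by /usr/bin/ssh[ssh:32252] uid/euid:1000/1000 gid/egid:1000/1000
Mar 17 20:24:00 g0n kernel: [386022.345309] grsec: (miro:U:/usr/bin/ssh) denied access to hidden file /home/miro/.ssh/id_rsa by /usr/bin/ssh[ssh:32252] uid/euid:1000/1000 gid/egid:1000/1000
Mar 17 20:24:00 g0n kernel: [386022.360133] grsec: more alerts, logging disabled for 10 seconds
Mar 17 20:24:11 g0n kernel: [386032.924301] grsec: (miro:U:/usr/bin/ssh) denied access to hidden file /home/miro/.ssh/known_hosts by /usr/bin/ssh[ssh:32252] uid/euid:1000/1000 gid/egid:1000/1000
"""

# Assumed layout, taken from the quoted lines: (role:roletype:subject) ... file PATH by EXE[comm:pid]
DENIED = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<rtype>[^:]+):(?P<subject>[^)]+)\) "
    r"denied access to hidden file (?P<path>.+?) by "
    r"(?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)
THROTTLED = re.compile(r"grsec: more alerts, logging disabled for (\d+) seconds")

def summarize(log_text):
    """Group hidden-file denials by (role, role type, subject) and total the
    seconds of suppressed logging announced by rate-limit notices."""
    denials = defaultdict(set)
    throttle_seconds = 0
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            denials[(m["role"], m["rtype"], m["subject"])].add(m["path"])
            continue
        t = THROTTLED.search(line)
        if t:
            throttle_seconds += int(t.group(1))
    return {k: sorted(v) for k, v in denials.items()}, throttle_seconds

def topmost(paths):
    """Drop paths that lie under another denied path, leaving the
    directories whose object rules in that subject need review."""
    keep = []
    for p in sorted(paths):  # a parent sorts before anything beneath it
        if not any(p.startswith(k.rstrip("/") + "/") for k in keep):
            keep.append(p)
    return keep

if __name__ == "__main__":
    by_subject, gap = summarize(SAMPLE)
    for (role, rtype, subject), paths in by_subject.items():
        print(f"role={role} type={rtype} subject={subject} review={topmost(paths)}")
    print(f"logging suppressed for {gap}s; denials in that window are missing")
```
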

Re: ssh got denied access to user's ~/.ssh

Postby timbgo » Fri Mar 17, 2017 5:17 pm

Code:
a273298ccfcc73cf06216cd5d25f88eaee538e66556d5e7d17b1e2a486c2a869  messages_170317_2023-2145_g0n.gz

ANOTHER (this one is second) NOTE AFTER POSTING: I forgot to post the link to it! Sorry!
It's in:
http://www.croatiafidelis.hr/foss/cap/c ... -hesitant/
http://www.croatiafidelis.hr/foss/cap/c ... 145_g0n.gz

Just posted. Minimally anonymized as per:
https://github.com/miroR/uncenz/blob/ma ... rl_repl.sh
(
or maybe better see the develop branch...
NOTE AFTER POSTING: Yes, this one I used:
https://github.com/miroR/uncenz/blob/de ... epl_log.sh
)

In the meantime, as can be read from that stretch of my syslog, I did the posting of:
The Test Sample for the (Imaginary or Not) Bug
http://www.croatiafidelis.hr/foss/cap/c ... mail-2.php

GnuPG signing a mail, this way:
GnuPG programs RBAC policies
viewtopic.php?f=5&t=4662

and more. So it was kind of grsecurity (probably because of some mistake of mine, maybe in setting up some policies) being "hesitant".

Also in the log can be seen the hesitancy with the GnuPG...

Got to rush now. It's important to have posted that log, and posted the hash of that log (here this time). It's more credible, isn't it, this way.

But I have to first work on the Wireshark (imaginary?) bug...

Regards!
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

