[Users] SSH MAC corrupt

Gabi C gabicr at gmail.com
Thu Dec 12 16:00:47 UTC 2013


I'll try when I'm back at work, i.e. 13 hours from now...
On 12.12.2013 15:16, "Alon Bar-Lev" <alonbl at redhat.com> wrote:

>
>
> ----- Original Message -----
> > From: "Gabi C" <gabicr at gmail.com>
> > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > Cc: "Dan Kenigsberg" <danken at redhat.com>, users at ovirt.org
> > Sent: Thursday, December 12, 2013 3:13:43 PM
> > Subject: Re: [Users] SSH MAC corrupt
> >
> > I've tried and I'm logged in!!
> >
> >
> >
> > sestatus
> > SELinux status:                 enabled
> > SELinuxfs mount:                /sys/fs/selinux
> > SELinux root directory:         /etc/selinux
> > Loaded policy name:             targeted
> > Current mode:                   permissive
> > Mode from config file:          enforcing
> > Policy MLS status:              enabled
> > Policy deny_unknown status:     allowed
> > Max kernel policy version:      28
> >
> >
> >
> >
> > Still get those 'denied' in audit.log - node!
>
> Because you are in permissive mode.
>
> Now, what do you get in engine.log in this state when you try to add
> node via webadmin?
>
> >
> >
> >
> >
> >
> >
> > On Thu, Dec 12, 2013 at 2:35 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
> >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Gabi C" <gabicr at gmail.com>
> > > > To: "Dan Kenigsberg" <danken at redhat.com>
> > > > Cc: users at ovirt.org
> > > > Sent: Thursday, December 12, 2013 2:32:48 PM
> > > > Subject: Re: [Users] SSH MAC corrupt
> > > >
> > > > I confirm that manual ssh works both ways.
> > > >
> > > > I'll try to sniff.
> > >
> > > please try from engine:
> > >
> > > ssh -i /etc/pki/ovirt-engine/keys/engine_id_rsa root@node
> > >
> > > this is similar to what engine is trying to do.
> > >
> > > but as far as I see, the problem is within the selinux policy.
> > >
> > > >
> > > >
> > > > On Thu, Dec 12, 2013 at 2:22 PM, Dan Kenigsberg <danken at redhat.com> wrote:
> > > >
> > > >
> > > >
> > > > On Thu, Dec 12, 2013 at 11:43:10AM +0200, Gabi C wrote:
> > > > > Hello!
> > > > >
> > > > > 1 engine running ovirt-engine-3.3.1-2.fc19.noarch, in virtual machine - on
> > > > > esxi 5.5 host - when I try to add ovirt node hypervisor
> > > > > 3.0.3-1.1.fc19, after "setenforce 0" on node, of course, this fails with:
> > > > >
> > > > > /var/log/secure
> > > > >
> > > > >
> > > > > Dec 12 09:35:40 virtual4 sshd[3898]: Corrupted MAC on input.
> > > > > Dec 12 09:35:40 virtual4 sshd[3898]: Disconnecting: Packet corrupt
> > > > > Dec 12 09:35:40 virtual4 sshd[3898]: debug1: do_cleanup
> > > > > Dec 12 09:35:40 virtual4 sshd[3898]: debug1: PAM: cleanup
> > > > > Dec 12 09:35:40 virtual4 sshd[3898]: debug1: PAM: closing session
> > > > > Dec 12 09:35:40 virtual4 sshd[3898]: pam_unix(sshd:session): session closed for user root
> > > > > Dec 12 09:35:40 virtual4 sshd[3898]: debug1: PAM: deleting credentials
> > > > > Dec 12 09:35:40 virtual4 sshd[3898]: error: getsockname failed: Bad file descriptor
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > and
> > > > >
> > > > > /var/log/audit/audit.log
> > > > >
> > > > > type=AVC msg=audit(1386840940.650:589): avc: denied { sigchld } for pid=3898 comm="sshd" scontext=system_u:system_r:sshd_net_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
> > > > > type=SYSCALL msg=audit(1386840940.650:589): arch=c000003e syscall=61 success=yes exit=3899 a0=f3b a1=7fff76fe9ad0 a2=0 a3=0 items=0 ppid=3834 pid=3898 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:initrc_t:s0 key=(null)
> > > > >
> > > > > ............................
> > > > > type=AVC msg=audit(1386840940.751:595): avc: denied { dyntransition } for pid=3898 comm="sshd" scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
> > > > > ............
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > any idea?
> > > >
> > > > Does manual ssh from Engine to the node work?
> > > > Could you sniff the traffic to see where it's being garbled?
> > > >
> > > >
> > > >
> > >
> >
>
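
Added example, not part of the original message or of oVirt: a small Python parser that pairs each AVC denial from the audit.log excerpt quoted above with the SYSCALL record of the same event, to show which SELinux types were involved and whether the denied operation still went through, as it does in permissive mode. The function name `summarize_denials` and the `blocked` heuristic are assumptions of this example.

```python
import re

# Records copied from the audit.log excerpt quoted in the thread, with the
# e-mail line wraps removed. No SYSCALL record for event 595 is quoted there.
SAMPLE = """\
type=AVC msg=audit(1386840940.650:589): avc: denied { sigchld } for pid=3898 comm="sshd" scontext=system_u:system_r:sshd_net_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=SYSCALL msg=audit(1386840940.650:589): arch=c000003e syscall=61 success=yes exit=3899 a0=f3b a1=7fff76fe9ad0 a2=0 a3=0 items=0 ppid=3834 pid=3898 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1386840940.751:595): avc: denied { dyntransition } for pid=3898 comm="sshd" scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def summarize_denials(text):
    """Describe each AVC denial and join it to its event's SYSCALL result."""
    avcs, success = [], {}
    for line in text.splitlines():
        header = HEADER.match(line)
        if not header:
            continue
        rtype, serial = header.group(1), int(header.group(2))
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[header.end():])}
        if rtype == "AVC":
            perms = PERMS.search(line)
            fields["perms"] = perms.group(1).split() if perms else []
            avcs.append((serial, fields))
        elif rtype == "SYSCALL":
            success[serial] = fields.get("success")
    report = []
    for serial, avc in avcs:
        report.append({
            "serial": serial,
            "perms": avc["perms"],
            # The SELinux type is the third colon-separated field of a context.
            "source": avc["scontext"].split(":")[2],
            "target": avc["tcontext"].split(":")[2],
            "tclass": avc.get("tclass"),
            # Heuristic (assumption): a denial whose syscall still succeeded was
            # logged but not blocked; None means no SYSCALL record was seen.
            "blocked": {"yes": False, "no": True}.get(success.get(serial)),
        })
    return report


if __name__ == "__main__":
    print(*summarize_denials(SAMPLE), sep="\n")
```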