KB-8901: Centrify openssh does not correctly handle the ctxt transition for priv-separated login session

Centrify DirectControl

30 June,17 at 10:57 PM

Applies to: Centrify DirectControl 5.4.0 on all supported platforms

Problem:
The current cdc-sshd does not correctly handle the SELinux context (ctxt) transition for a privilege-separated login session.
Typically this does not cause any issues in the shell, but it may cause issues when using sftp/scp, because the sshd_t context does not have access to write in other contexts.
 
When using Centrify openssh:

[rhargr1@dlbcansible1 ~]$ ps -axZ | grep sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 9364 ? Ss 0:00 /usr/share/centrifydc/sbin/sshd -D
system_u:system_r:sshd_t:s0-s0:c0.c1023 9448 ? Ss 0:00 sshd: rhargr1 [priv]
system_u:system_r:sshd_t:s0-s0:c0.c1023 9452 ? S 0:00 sshd: rhargr1@pts/4
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 9708 pts/5 R+ 0:00 grep --color=auto sshd


When using RHEL's default openssh:
[rhargr1@dlbcansible1 ~]$ ps -axZ | grep sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 9989 ? Ss 0:00 /usr/sbin/sshd -D
system_u:system_r:sshd_t:s0-s0:c0.c1023 9995 ? Ss 0:00 sshd: rhargr1 [priv]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 9999 ? S 0:00 sshd: rhargr1@pts/0
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 10027 pts/2 S+ 0:00 grep --color=auto ssh
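
A check for the symptom visible in the two listings above, as an added example that is not part of the original article or of Centrify's tooling: it parses `ps -axZ` output and reports post-authentication session processes (`sshd: user@tty`) that are still labelled `sshd_t`. The function name is hypothetical, and the sample input is constructed from the listings in this article.

```shell
#!/usr/bin/env bash
# Added example: flag sshd session processes that never left the sshd_t domain.

# Reads `ps -axZ` style lines on stdin: LABEL PID TTY STAT TIME COMMAND...
# Prints "PID USER@TTY TYPE" for each unprivileged session process whose
# SELinux type is still sshd_t. Prints nothing when every session transitioned.
find_untransitioned_sessions() {
  awk '
    # The session child shows as "sshd: user@pts/N" (or "user@notty" for
    # sftp/scp). The monitor is "sshd: user [priv]" and the listener is
    # ".../sshd -D"; both are expected to stay in sshd_t and are skipped.
    $6 == "sshd:" && $7 ~ /@/ {
      split($1, ctx, ":")            # label = user:role:type:level
      if (ctx[3] == "sshd_t")
        print $2, $7, ctx[3]
    }
  '
}

# Constructed sample input, taken from the Centrify openssh listing above.
CENTRIFY_PS='system_u:system_r:sshd_t:s0-s0:c0.c1023 9364 ? Ss 0:00 /usr/share/centrifydc/sbin/sshd -D
system_u:system_r:sshd_t:s0-s0:c0.c1023 9448 ? Ss 0:00 sshd: rhargr1 [priv]
system_u:system_r:sshd_t:s0-s0:c0.c1023 9452 ? S 0:00 sshd: rhargr1@pts/4
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 9708 pts/5 R+ 0:00 grep --color=auto sshd'

# Constructed sample input, taken from the RHEL default openssh listing above.
STOCK_PS='system_u:system_r:sshd_t:s0-s0:c0.c1023 9989 ? Ss 0:00 /usr/sbin/sshd -D
system_u:system_r:sshd_t:s0-s0:c0.c1023 9995 ? Ss 0:00 sshd: rhargr1 [priv]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 9999 ? S 0:00 sshd: rhargr1@pts/0
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 10027 pts/2 S+ 0:00 grep --color=auto ssh'

echo "Centrify openssh sample:"
printf '%s\n' "$CENTRIFY_PS" | find_untransitioned_sessions
echo "RHEL default openssh sample:"
printf '%s\n' "$STOCK_PS" | find_untransitioned_sessions

# On a live host: ps -axZ | find_untransitioned_sessions
```
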


Cause:
The current cdc-sshd does not correctly handle the ctxt transition for a privilege-separated login session. This is an SELinux issue that also exists in unpatched stock OpenSSH.
This release of Centrify OpenSSH does not include the latest Red Hat SSH SELinux patch.

Resolution:
This will be fixed in the next release, as it is planned to update our cdc-ssh to incorporate the Red Hat SELinux patch for OpenSSH.
