Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-8901: Centrify openssh does not correctly handle the ctxt transition for priv-separated login session

Centrify DirectControl ,  

30 June,17 at 10:57 PM

Applies to: Centrify DirectControl 5.4.0 on all supported platforms

Problem:
Current cdc-sshd does not correctly handle the ctxt transition for priv-separated login session.
Typically this doesn't cause any issues in the shell, but may cause issues with using sftp/scp as the sshd_t context doesn't have access to write in other contexts.
 
When using Centrify openssh:
rhargr1@dlbcansible1 ~]$ ps -axZ | grep sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 9364 ? Ss 0:00 /usr/share/centrifydc/sbin/sshd -D
system_u:system_r:sshd_t:s0-s0:c0.c1023 9448 ? Ss 0:00 sshd: rhargr1 [priv]
system_u:system_r:sshd_t:s0-s0:c0.c1023 9452 ? S 0:00 sshd: rhargr1@pts/4
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 9708 pts/5 R+ 0:00 grep --color=auto sshd

When using RHEL's default openssh:
[rhargr1@dlbcansible1 ~]$ ps -axZ | grep sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 9989 ? Ss 0:00 /usr/sbin/sshd -D
system_u:system_r:sshd_t:s0-s0:c0.c1023 9995 ? Ss 0:00 sshd: rhargr1 [priv]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 9999 ? S 0:00 sshd: rhargr1@pts/0
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 10027 pts/2 S+ 0:00 grep --color=auto ssh

Cause:
The current cdc-sshd does not correctly handle the ctxt transition for priv-separated login session. This is a SELinux issue which exists in non patched stock openssh as well.
This release of the Centrify Openssh does not include the latest redhat ssh selinux patch.

Resolution:
This will be  fixed  in the next release  as it is planned to update our cdc-ssh to incorporate the redhat selinux patch for openssh.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6041: How to show current license type in use by adclient? articleKB-4607: How to configure stock OpenSSH for PAM on AIX articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal? articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? articleKB-0983: authentication fails via ssh when "password" method is used