mirror of
https://github.com/Yubico/yubico-pam.git
synced 2024-11-29 00:24:11 +01:00
Rename and update SELinux doc
- Renamed the title to remove Fedora as this applies to Enterprise Linux too.
- Added a new section on debugging with sshd.
parent 3d8d06d949
commit da79e1d5dc
@ -1,3 +1,5 @@
== Enable HTTP connection for sshd
Starting with Fedora 17, SELinux prevents sshd to initiate connections to remote HTTP ports (80 and 443). In SELinux terms: sshd_t is not allowed to name_connect to http_port_t. This broke YubiKey authentication on a system with SELinux in enforcing mode, unless a custom SELinux policy was written and enabled.
Based on a https://bugzilla.redhat.com/show_bug.cgi?id=841693[bugreport] in Red Hat Bugzilla, a boolean was added to the SELinux policy for Fedora 18 and up, that can be toggled to allow sshd (and some other SELinux types) to connect to remote HTTP ports.
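Review bot: the heading now drops "Fedora", but both paragraphs in this hunk still describe the behaviour purely in Fedora terms ("Starting with Fedora 17", "Fedora 18 and up"), so the rename is not carried into the body; since the commit message says the section also applies to Enterprise Linux, state which EL releases carry the same sshd_t restriction and the boolean, or at least say that the Fedora release numbers mark where the policy changed and that the derived RHEL/CentOS policies behave the same. Minor grammar in the first paragraph: "prevents sshd to initiate connections" should read "prevents sshd from initiating connections".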
@ -9,3 +11,9 @@ To make a long story short, if you want to use a YubiKey on a system running Fed
If you are using your own server via `urllist`/`url` in the pam conf file and using a non-standard http port, you will need to add that port to the `http_port_t` port list. For example, port `12345`:
semanage port -a -t http_port_t -p tcp 12345
== Enable debug_file support for sshd
By default, SELinux prevents sshd from opening local files other than SSH configuration files. If you would like to debug this module using `debug` and `debug_file` parameters, you may need to temporarily relax your SELinux confinement:
setenforce permissive
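Review bot: `setenforce permissive` in the new debug_file section puts the whole system into permissive mode, which relaxes confinement for every domain rather than just sshd, and the hunk never shows how to go back even though the text says "temporarily". Suggest either the domain-scoped form, `semanage permissive -a sshd_t` (undone with `semanage permissive -d sshd_t`), or, if the global switch is kept, add `setenforce enforcing` (or `setenforce 1`) as the follow-up step so readers do not leave a server in permissive mode after debugging. Also, in the `semanage port -a -t http_port_t -p tcp 12345` example, `-a` fails when the port is already defined for another type; a short note that `-m` modifies an existing assignment would save readers that error.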