SSH tunnel stopped working after upgrading to RHEL 7 from RHEL 6

Solution In Progress - Updated

Environment

  • Red Hat Enterprise Linux 7
  • OpenSSH

Issue

  • The jump host system was recently upgraded from RHEL 6 to RHEL 7.
  • After the upgrade, SSH tunneling through the jump host fails, with the following error logged on the destination server side:
Nov 12 08:59:27 server sshd[23200]: Accepted keyboard-interactive/pam for root from 192.1.1.XX port 52861 ssh2
Nov 12 08:59:27 server sshd[23200]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 12 08:59:27 server sshd[23200]: error: connect to 192.2.1.XX port 22 failed: Permission denied

Resolution

  • Enable the following SELinux boolean (the -P flag makes the change persistent across reboots):
# setsebool -P nis_enabled 1
  • Then connect to the sshd server from the jump host again.

Root Cause

  • SELinux was denying /usr/sbin/sshd (domain sshd_t) the name_connect permission on TCP port 22 (labelled ssh_port_t, tclass=tcp_socket), as the following audit records show:
time->Thu Nov 11 14:07:18 2021
type=PROCTITLE msg=audit(1636619838.178:370050): proctitle=737368643A207276656572616D
type=SOCKADDR msg=audit(1636619838.178:370050): saddr=020000160AD6023D0000000000000000
type=SYSCALL msg=audit(1636619838.178:370050): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=55e1518c0470 a2=10 a3=4 items=0 ppid=10719 pid=11709 auid=1647923307 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=680 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1636619838.178:370050): avc:  denied  { name_connect } for  pid=11709 comm="sshd" dest=22 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0
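As an added example that is not part of the Red Hat solution, the following POSIX shell script shows how to confirm that an AVC record matches this root cause before changing any boolean: it pulls the permission, source type, target type and object class out of an AVC line (the sample line below is copied from the audit output above) and then reports the current state of nis_enabled via getsebool where SELinux tools exist. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat solution: parse an SELinux AVC line,
# check whether it is the sshd_t -> ssh_port_t name_connect denial, and
# report the state of the boolean the solution changes.

# Sample input, copied from the AVC record shown in the Root Cause section.
SAMPLE_AVC='type=AVC msg=audit(1636619838.178:370050): avc:  denied  { name_connect } for  pid=11709 comm="sshd" dest=22 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field LINE KEY -> the value of " KEY=value" in LINE, quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# ctx_type CONTEXT -> the type component (third field) of an SELinux context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_permission LINE -> the permission named inside the braces
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | tr -d ' '
}

# summarise_avc LINE -> "PERMISSION SOURCE_TYPE TARGET_TYPE TCLASS DEST_PORT"
summarise_avc() {
    line=$1
    perm=$(avc_permission "$line")
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    dest=$(avc_field "$line" dest)
    printf '%s %s %s %s %s\n' "$perm" "$src" "$tgt" "$cls" "$dest"
}

# is_ssh_forward_denial LINE -> exit 0 only for an sshd_t name_connect
# denial on a tcp_socket, i.e. the pattern described on this page
is_ssh_forward_denial() {
    set -- $(summarise_avc "$1")
    [ "$1" = name_connect ] && [ "$2" = sshd_t ] && [ "$4" = tcp_socket ]
}

# bool_state NAME -> "on", "off", or "unknown" when getsebool is unavailable
bool_state() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool "$1" 2>/dev/null | awk '{print $3}'
    else
        echo unknown
    fi
}

main() {
    if is_ssh_forward_denial "$SAMPLE_AVC"; then
        echo "denial matches this page: $(summarise_avc "$SAMPLE_AVC")"
        echo "nis_enabled is currently: $(bool_state nis_enabled)"
    else
        echo "denial does not match the sshd_t name_connect pattern"
    fi
}

main "$@"
```

On a real jump host, replace SAMPLE_AVC with lines from `ausearch -m AVC -c sshd`, and only apply the setsebool change when the summary shows sshd_t, ssh_port_t and tcp_socket together; a different target type or object class points at a different policy problem, and `audit2why` will name the boolean (if any) that governs it.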

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
