On Wed, Apr 14, 2004 at 12:26:36AM +1000, Russell Coker wrote:
On Tue, 13 Apr 2004 11:03, Tom Mitchell <mitch48(a)sbcglobal.net>
wrote:
> I just killed a remote terminal window and noted this message triple in the
> log/messages:
>
> sshd(pam_unix)[30912]: session opened for user root by (uid=0)
>
> sshd[30912]: Warning! Could not relabel with
> system_u:object_r:sshd_devpts_t, not relabeling.
What version of pam do you have installed? It should not even be trying to
# rpm -qa | grep pam
pam-0.77-38
# rpm -q --whatprovides /usr/sbin/sshd
openssh-server-3.6.1p2-34
relabel a pty back to it's original type. The idea is that if
someone
exploits a copy of sshd we want to make it as difficult as possible to trick
it into granting access to another user's session. Allowing sshd to label
terminals back from userpty_type makes things easier for an attacker.
> If this is what I think it is sshd will slowly run out of available ptys.
I've noticed that 2.6 kernels don't seem to reuse pty numbers until they reach
some large number. I don't think that there's any problem of running out of
available ptys, it seems to handle things the same way in permissive and
enforcing modes.
Thanks I am less concerned now. Running out of pty's can take a while
so that end point might have been lightly tested.
--
T o m M i t c h e l l
/dev/null the ultimate in secure storage.