Posted Thu, 27 Dec 2007
Fedora 8 comes with SELinux enabled by default. This meant sshd was being denied permission to execute my special logging shell. The logs in /var/log/audit/ explained why, and audit2allow even tried to help by generating a new policy entry for me. However, I couldn't figure out (read: couldn't be bothered to search for more than 10 minutes) how to install this new policy. While searching, I found out about chcon(1). A simple command, copying the security context of /bin/sh onto my shell, fixed my problems:

    chcon --reference=/bin/sh /bin/sugarshell

The symptoms prior to this fix were that I could authenticate, but upon login I would get a '/bin/sugarshell: Permission Denied' that wasn't logged by sshd.
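The denial the author describes shows up in /var/log/audit/audit.log as an AVC record, and reading the raw record is faster than guessing. The following is an added example written for this page (not something from the original post): a small awk filter that reduces each AVC denial to the pieces that matter, namely which process was denied which permission on which file, and the source and target SELinux types. The sample record is constructed; the author never printed the real one, so the target type in it is a placeholder. One caveat worth knowing before reaching for chcon as the author did: a context set with chcon is lost when the filesystem is relabeled (restorecon, or a touch /.autorelabel), whereas a rule added with semanage fcontext survives.

```shell
#!/bin/sh
# Added example, not from the original post: summarize SELinux AVC denial
# records from auditd so that a denial like the author's (sshd refused to
# execute a custom login shell) can be read at a glance.
# Field names follow the auditd AVC format (comm, name, scontext, tcontext, tclass).

# Constructed sample record; the tcontext type is a placeholder, not the real one.
SAMPLE_AVC='type=AVC msg=audit(1198786800.123:456): avc:  denied  { execute } for  pid=2468 comm="sshd" name="sugarshell" dev=sda1 ino=13579 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file'

# Read audit records on stdin; print one line per AVC denial:
#   <comm> denied <perm> on <tclass> <name> (<source type> -> <target type>)
summarize_avc() {
    awk '
        /^type=AVC / && / denied / {
            perm = ""; comm = ""; name = ""; scon = ""; tcon = ""; tclass = ""
            # the permission set is the text between the braces
            if (match($0, /[{] [^}]* [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")     comm   = kv[2]
                if (kv[1] == "name")     name   = kv[2]
                if (kv[1] == "scontext") scon   = kv[2]
                if (kv[1] == "tcontext") tcon   = kv[2]
                if (kv[1] == "tclass")   tclass = kv[2]
            }
            gsub(/"/, "", comm); gsub(/"/, "", name)
            # keep only the type component of user:role:type:level
            split(scon, s, ":"); split(tcon, t, ":")
            printf "%s denied %s on %s %s (%s -> %s)\n", comm, perm, tclass, name, s[3], t[3]
        }'
}

# Convenience wrapper that runs the filter over the constructed sample.
summarize_sample() {
    printf '%s\n' "$SAMPLE_AVC" | summarize_avc
}
```

On a real system the filter is fed with `grep '^type=AVC' /var/log/audit/audit.log | summarize_avc` (or `ausearch -m avc | summarize_avc`); the "source type -> target type" pair is exactly what decides whether the right fix is relabeling the file, as the author did, or loading a policy module from audit2allow.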
There are plenty of honeypot software tools out there, but I really wasn't in the mood for reading piles of probably-out-of-date documentation about how to use them. This hack (getpwnam + pam_permit + logging shell) took only a few minutes.
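To make the "logging shell" part of the hack concrete, here is an added example of such a shell, written for this page and not the author's /bin/sugarshell. It records every line the client sends and answers as if the command did not exist, so nothing is ever executed under the honeypot account. The log path, the use of sshd's SSH_CLIENT variable for the peer address, and the handling of the `-c` form that sshd uses for non-interactive commands are all assumptions, since the post does not describe sugarshell's internals.

```shell
#!/bin/sh
# Added example, not the author's /bin/sugarshell: a minimal logging shell for a
# honeypot account. Every line the client sends is recorded and answered with
# "command not found"; nothing is ever executed.
# Assumptions: the log path (SUGARSHELL_LOG, default /tmp/sugarshell.log) and
# that sshd's SSH_CLIENT variable is available to record the peer address.

# Append one record: UTC timestamp, peer (SSH_CLIENT if sshd set it), the typed line.
log_line() {
    # Drop non-printable bytes so a client cannot forge extra log records or
    # smuggle terminal escape sequences into whatever later displays the log.
    clean=$(printf '%s' "$1" | tr -cd '[:print:]')
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${SSH_CLIENT:-local}" "$clean" \
        >> "${SUGARSHELL_LOG:-/tmp/sugarshell.log}"
}

# Interactive session: read lines until EOF or "exit"/"logout", log each one,
# and reply the way a real shell does for an unknown command.
honeypot_shell() {
    while IFS= read -r line; do
        log_line "$line"
        case $line in
            exit|logout) break ;;
            '')          ;;
            *)           printf '%s: command not found\n' "${line%% *}" ;;
        esac
    done
}

# Act as a login shell only when installed and invoked under that name, so that
# sourcing this file (for example in a test) defines the functions and nothing else.
if [ "${0##*/}" = "sugarshell" ]; then
    if [ "$1" = "-c" ]; then
        # sshd runs the shell as "sugarshell -c <command>" for "ssh host command".
        log_line "-c $2"
        printf '%s: command not found\n' "${2%% *}"
        exit 127
    fi
    honeypot_shell
    exit 0
fi
```

Installed as /bin/sugarshell and set as the honeypot account's shell (with the SELinux context fixed as described above), every session produces one log record per line typed, with the peer address taken from the environment sshd provides.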
As a bonus, I found that Fedora's yum tool has a feature I like about FreeBSD's packaging system: it's trivial to ask "Where did this file come from?" Doing so made me finally look into how to do it in Ubuntu.
- FreeBSD: pkg_info -W /usr/local/bin/ssh
    /usr/local/bin/ssh was installed by package openssh-portable-4.7.p1,1
- Fedora: yum whatprovides /usr/bin/ssh
    openssh-server.x86_64 : The OpenSSH server daemon
- Ubuntu: dpkg -S /usr/bin/ssh
    openssh-client: /usr/bin/ssh
Let's see what I catch.