Last Modified: May 29, 2024
Affected Product(s):
F5OS, VELOS
Known Affected Versions:
F5OS-A 1.0.0, F5OS-A 1.0.1, F5OS-A 1.1.0, F5OS-A 1.1.1, F5OS-C 1.0.0, F5OS-C 1.1.0, F5OS-C 1.1.1, F5OS-C 1.1.2, F5OS-C 1.1.3, F5OS-C 1.1.4, F5OS-C 1.3.0, F5OS-C 1.3.1, F5OS-C 1.3.2, F5OS-C 1.5.0, F5OS-C 1.5.1
Fixed In:
F5OS-C 1.6.0, F5OS-A 1.4.0
Opened: Aug 26, 2022
Severity: 3-Major
Symptoms:
If remote authentication is configured to use TACACS+ and the TACACS+ servers listen on a port other than 49 (the default TACACS+ port), users are unable to authenticate via SSH. SELinux denials similar to the following appear in /var/log/audit/audit.log, showing that the policy does not permit sshd to connect to the non-default port (here 4949, which is labeled munin_port_t rather than a TACACS+ port type):

type=AVC msg=audit(1660923433.566:3728): avc: denied { name_connect } for pid=20995 comm="sshd" dest=4949 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:munin_port_t:s0 tclass=tcp_socket permissive=0
Impact:
Unable to authenticate when connecting via SSH.
Conditions:
-- rSeries appliance running F5OS-A, or a VELOS system controller (this issue does not affect VELOS chassis partitions)
-- TACACS+ remote authentication
-- TACACS+ server listening on a port other than 49
Workaround:
Configure the SELinux policy to allow this traffic. On a VELOS chassis, these instructions must be run on each system controller separately.

1. Connect to the F5OS system via SSH as root.

2. Examine the SELinux audit denials and confirm that all of them are associated with traffic that should be allowed:

grep 'denied.*name_connect.*sshd' /var/log/audit/audit.log > /root/ssh-audit-denials.log
cat /root/ssh-audit-denials.log

Remove from /root/ssh-audit-denials.log any entries that you do not want to allow. audit2allow generates an allow rule for every denial left in the file, so anything that remains becomes permitted.

3. After confirming the contents of /root/ssh-audit-denials.log, run the following commands to create and install an SELinux policy module that allows that traffic:

audit2allow -M sshd.allowtacacs < /root/ssh-audit-denials.log
semodule -i sshd.allowtacacs.pp
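As an added example that is not part of the F5 article: a small shell script that performs the review in step 2 mechanically, keeping only sshd name_connect denials to the configured TACACS+ port and separating out any other sshd denials for a human decision before audit2allow ever sees them. The port 4949, the RUN_ON_F5OS switch and the audit records in SAMPLE_AUDIT are constructed assumptions, not F5OS output.

```sh
#!/bin/sh
# Added example, not part of the F5 article: before running audit2allow, keep only the
# denials that really are sshd -> TACACS+ port connections and surface everything else
# for review. The port (4949) and the audit records below are constructed samples.

TACACS_PORT="${TACACS_PORT:-4949}"   # assumed non-default TACACS+ server port

# Constructed sample of /var/log/audit/audit.log (not real F5OS output):
#  1) the expected denial: sshd name_connect to the TACACS+ port
#  2) sshd name_connect to an unrelated port (must not be allowed blindly)
#  3) another process connecting to the TACACS+ port (not sshd, out of scope)
#  4) a non-AVC record from the same event, which must be ignored
SAMPLE_AUDIT='type=AVC msg=audit(1660923433.566:3728): avc:  denied  { name_connect } for  pid=20995 comm="sshd" dest=4949 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:munin_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1660923440.100:3729): avc:  denied  { name_connect } for  pid=20995 comm="sshd" dest=8080 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1660923441.200:3730): avc:  denied  { name_connect } for  pid=31337 comm="nc" dest=4949 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:munin_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1660923433.566:3728): arch=c000003e syscall=42 success=no exit=-13 comm="sshd"'

# expected_denials PORT: from audit records on stdin, print only AVC name_connect denials
# where comm is sshd and dest is exactly PORT (the trailing space stops 49 matching 4949).
expected_denials() {
    grep -E "^type=AVC .*avc: +denied +\{ name_connect \} .*comm=\"sshd\" .*dest=$1 .*tclass=tcp_socket"
}

# unexpected_denials PORT: sshd name_connect denials to any other port. These need a
# human decision and must not reach audit2allow just because sshd produced them.
unexpected_denials() {
    grep -E "^type=AVC .*avc: +denied +\{ name_connect \} .*comm=\"sshd\" " | grep -E -v "dest=$1 "
}

# Counts over the constructed sample, so the filters can be checked without a real host.
count_expected()   { printf '%s\n' "$SAMPLE_AUDIT" | expected_denials "$1"   | wc -l | tr -d ' '; }
count_unexpected() { printf '%s\n' "$SAMPLE_AUDIT" | unexpected_denials "$1" | wc -l | tr -d ' '; }

# build_policy PORT: the article's audit2allow/semodule steps, fed only the filtered denials.
# Only meaningful as root on the F5OS host, so it is not run here unless RUN_ON_F5OS=1.
build_policy() {
    grep -E 'denied.*name_connect.*sshd' /var/log/audit/audit.log \
        | expected_denials "$1" > /root/ssh-audit-denials.log
    [ -s /root/ssh-audit-denials.log ] || { echo "no matching denials, nothing to allow" >&2; return 1; }
    audit2allow -M sshd.allowtacacs < /root/ssh-audit-denials.log && semodule -i sshd.allowtacacs.pp
}

if [ "${RUN_ON_F5OS:-0}" = 1 ]; then
    build_policy "$TACACS_PORT"
else
    echo "expected sshd denials to port $TACACS_PORT: $(count_expected "$TACACS_PORT")"
    echo "sshd denials to other ports (review before allowing): $(count_unexpected "$TACACS_PORT")"
fi
```

Run it without RUN_ON_F5OS to see the counts over the constructed sample; on the controller itself, set TACACS_PORT to the real server port and RUN_ON_F5OS=1 to build and install the module.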
None