Bug ID 1143841: TACACS+ remote authentication for SSH does not work when server listens on non-default port

Last Modified: May 29, 2024

Affected Product(s):
F5OS F5OS, Velos(all modules)

Known Affected Versions:
F5OS-A 1.0.0, F5OS-A 1.0.1, F5OS-A 1.1.0, F5OS-A 1.1.1, F5OS-C 1.0.0, F5OS-C 1.1.0, F5OS-C 1.1.1, F5OS-C 1.1.2, F5OS-C 1.1.3, F5OS-C 1.1.4, F5OS-C 1.3.0, F5OS-C 1.3.1, F5OS-C 1.3.2, F5OS-C 1.5.0, F5OS-C 1.5.1

Fixed In:
F5OS-C 1.6.0, F5OS-A 1.4.0

Opened: Aug 26, 2022

Severity: 3-Major


If remote authentication is configured to use TACACS+ and the servers use a port other than 49 (the default port for TACACS), users will not be able to authenticate via SSH. SELinux errors in /var/log/audit/audit.log similar to the following: type=AVC msg=audit(1660923433.566:3728): avc: denied { name_connect } for pid=20995 comm="sshd" dest=4949 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:munin_port_t:s0 tclass=tcp_socket permissive=0


Unable to authenticate when connecting via SSH.


-- rSeries appliance running F5OS-A, or VELOS system controller; this issue does not affect VELOS chassis partitions -- TACACS+ remote authentication -- TACACS+ server listening on a port other than 49


Configure the SELinux policy to allow this traffic. On a VELOS chassis, these instructions must be run on each system controller separately. 1. Connect to the F5OS system via SSH as root. 2. Examine the SELinux audit denials and confirm all of them are associated with traffic that should be allowed: grep denied.*name_connect.*sshd /var/log/audit/audit.log > /root/ssh-audit-denials.log cat /root/ssh-audit-denials.log Remove entries from the file /root/ssh-audit-denials.log that you do not want to allow. 3. After confirming the contents of the file /root/ssh-audit-denials.log, run the following commands to create and install an SELinux policy to allow that traffic: audit2allow -M sshd.allowtacacs < /root/ssh-audit-denials.log semodule -i sshd.allowtacacs.pp

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips