Bug ID 1143841: TACACS+ remote authentication for SSH does not work when server listens on non-default port

Last Modified: Sep 19, 2022

Affected Product:
F5OS F5OS, Velos(all modules)

Known Affected Versions:
1.0.0, 1.0.0-420.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.3.0, 1.3.1, 1.3.2, 1.5.0

Opened: Aug 26, 2022
Severity: 3-Major

Symptoms

If remote authentication is configured to use TACACS+ and the servers use a port other than 49 (the default port for TACACS), users will not be able to authenticate via SSH. SELinux denials similar to the following are logged in /var/log/audit/audit.log:

type=AVC msg=audit(1660923433.566:3728): avc: denied { name_connect } for pid=20995 comm="sshd" dest=4949 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:munin_port_t:s0 tclass=tcp_socket permissive=0

The denial shows the sshd_t domain attempting a TCP connect to port 4949, which the policy labels as munin_port_t rather than as a TACACS+ port type, so the outbound connection to the TACACS+ server is refused.

Impact

Unable to authenticate when connecting via SSH.

Conditions

-- rSeries appliance running F5OS-A or VELOS system controller; this issue does not affect VELOS partitions
-- TACACS+ remote authentication
-- TACACS+ server listening on a port other than 49

Workaround

Configure the SELinux policy to allow this traffic. On a VELOS chassis, these instructions must be run on each system controller separately.

1. Connect to the F5OS system via SSH as root.

2. Examine the SELinux audit denials and confirm all of them are associated with traffic that should be allowed:

   grep denied.*name_connect.*sshd /var/log/audit/audit.log > /root/ssh-audit-denials.log
   cat /root/ssh-audit-denials.log

   Remove entries from the file /root/ssh-audit-denials.log that you do not want to allow.

3. After confirming the contents of the file /root/ssh-audit-denials.log, run the following commands to create and install an SELinux policy to allow that traffic:

   audit2allow -M sshd.allowtacacs < /root/ssh-audit-denials.log
   semodule -i sshd.allowtacacs.pp
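Step 2 above relies on the operator reading /root/ssh-audit-denials.log by eye and deleting anything that is not sshd reaching the TACACS+ port, because whatever is left becomes an allow rule in the policy module. The following script is an added example, not part of this bug report or of F5OS, that does that review mechanically: it parses AVC records in the key=value layout shown in the denial quoted under Symptoms, keeps only sshd name_connect denials whose destination is the configured TACACS+ port, and summarises every other port sshd was denied so nothing unexpected is allowed. The sample log content is constructed (the first line reproduces the quoted denial; the rest are made up), and the default file paths are the ones the workaround uses; it assumes a Python 3 interpreter is available wherever the audit log is readable.

```python
import argparse
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample of audit.log content (not captured from a real system).
# Line 1 reproduces the denial quoted in the bug; lines 2-4 are made up to
# show what the filter drops: a different port, a different process, and a
# non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1660923433.566:3728): avc: denied { name_connect } for pid=20995 comm="sshd" dest=4949 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:munin_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1660923500.101:3731): avc: denied { name_connect } for pid=21010 comm="sshd" dest=8443 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1660923600.222:3735): avc: denied { name_connect } for pid=21055 comm="curl" dest=4949 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:munin_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1660923433.566:3728): arch=c000003e syscall=42 success=no exit=-13
"""

# key=value pairs; values may be quoted (comm="sshd") or bare (dest=4949).
AVC_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set between braces, e.g. { name_connect }.
AVC_PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')
AVC_DENIED = re.compile(r'\bdenied\b')


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an AVC denial record, or None for any other record."""
    if not line.startswith("type=AVC") or not AVC_DENIED.search(line):
        return None
    fields = {key: value.strip('"') for key, value in AVC_FIELD.findall(line)}
    match = AVC_PERMS.search(line)
    fields["perms"] = match.group(1) if match else ""
    return fields


def select_denials(audit_text: str, tacacs_port: int) -> List[str]:
    """Keep only sshd name_connect denials whose destination is the TACACS+ port.

    These are the lines that are safe to feed to audit2allow for this bug.
    """
    keep = []
    for line in audit_text.splitlines():
        fields = parse_avc(line)
        if fields is None:
            continue
        if (fields.get("comm") == "sshd"
                and "name_connect" in fields["perms"].split()
                and fields.get("tclass") == "tcp_socket"
                and fields.get("dest") == str(tacacs_port)):
            keep.append(line)
    return keep


def sshd_destination_ports(audit_text: str) -> Dict[str, int]:
    """Count every TCP destination port sshd was denied, for the operator's review."""
    counts: Counter = Counter()
    for line in audit_text.splitlines():
        fields = parse_avc(line)
        if fields and fields.get("comm") == "sshd" and fields.get("tclass") == "tcp_socket":
            counts[fields.get("dest", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="Filter audit.log to sshd denials for the TACACS+ port only")
    parser.add_argument("port", type=int, help="port the TACACS+ server listens on")
    parser.add_argument("--audit-log", default="/var/log/audit/audit.log")
    parser.add_argument("--out", default="/root/ssh-audit-denials.log")
    args = parser.parse_args()

    with open(args.audit_log, errors="replace") as fh:
        text = fh.read()

    seen = sshd_destination_ports(text)
    print("sshd was denied TCP connects to these ports:", seen)
    chosen = select_denials(text, args.port)
    with open(args.out, "w") as out:
        out.write("\n".join(chosen) + ("\n" if chosen else ""))
    print(f"wrote {len(chosen)} denial(s) for port {args.port} to {args.out}")
```

Run it as `python3 filter_denials.py 4949` (the port is the one your TACACS+ servers actually use), then continue with step 3 using the file it wrote. Any port listed in the summary other than the TACACS+ port is traffic the bug does not explain and should not be added to the allow module.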

Fix Information

None

Behavior Change