After booting a freshly-installed LIDS-enabled system, issuing lidsadm -I and attempting to access it remotely via SSH (with the OpenSSH daemon running), access is denied with Read from socket failed: Connection reset by peer, and the following appears on the console (or in /var/log/syslog and/or /var/log/kern.log, depending on your syslog configuration):
Apr 10 17:21:21 pinback kernel: LIDS: sshd (dev 3:11 inode 32098) \
pid 3536 ppid 3535 uid/gid (0/65534) on (NULL tty) : \
violated CAP_SETUID
So we allow this capability:
lidsadm -S -- -LIDS
lidsconf -A -s /usr/sbin/sshd -o CAP_SETUID -j GRANT
lidsconf -C
lidsadm -S -- +RELOAD_CONF
lidsadm -S -- +LIDS
This time access is denied with Permission denied, please try again, whether the
credentials are correct or not, and the following appears on the console (or in
the syslogs):
Apr 11 13:01:01 pinback kernel: LIDS: sshd (dev 3:11 inode 32098) \
pid 3275 ppid 3217 uid/gid (0/0) on (NULL tty) : \
attempt to open shadow for reading
Following the same procedure as above but replacing the capability-granting
line with
lidsconf -A -s /usr/sbin/sshd -o /etc/shadow -j READONLY
solves our problem: remote access via OpenSSH is now possible.
For interest, these lines are added to /etc/lids/lids.conf:
32098:779:/usr/sbin/sshd:16:0:-1:7:CAP_SETUID:0-0
32098:779:/usr/sbin/sshd:1:0:33191:778:/etc/shadow:0-0