Cannot login to command line

orani
Posts: 5
Joined: 2019/05/24 20:14:52

Cannot login to command line

Post by orani » 2019/05/24 20:31:17

I have installed CentOS 6.10 server edition (no GUI) on a physical server (HP DL360 G3). After a year of working perfectly fine, I had to shut down the system for UPS maintenance. After starting the server again, I cannot log in either with ssh or from the local console. I can ping the server successfully, so I know that it is alive. Some services that I had installed before the problem appeared are working fine (i.e. apache server).

When I try to ssh to the server, the session closes after 2 seconds. I tried with multiple users (root and other users). I tried to ssh to the server from another Linux server with the command

Code: Select all

ssh -vvv root@xxx.xxx.xxx.xxx
and I got the following

Code: Select all

OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 51: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5*
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "xxx.xxx.xxx.xxx" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 1535/3072
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA f3:05:d6:53:bb:fe:54:46:88:84:d9:6d:e6:7e:d8:92
debug3: load_hostkeys: loading entries for host "xxx.xxx.xxx.xxx" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug2: bits set: 1530/3072
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa ((nil)),
debug2: key: /root/.ssh/id_dsa ((nil)),
debug2: key: /root/.ssh/id_ecdsa ((nil)),
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@xxx.xxx.xxx.xxx's password:
debug3: packet_send2: adding 48 (len 62 padlen 18 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to xxx.xxx.xxx.xxx ([xxx.xxx.xxx.xxx]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env HOSTNAME
debug3: Ignored env SELINUX_ROLE_REQUESTED
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug3: Ignored env HISTSIZE
debug3: Ignored env SSH_CLIENT
debug3: Ignored env SELINUX_USE_CURRENT_RANGE
debug3: Ignored env SSH_TTY
debug3: Ignored env USER
debug3: Ignored env LS_COLORS
debug3: Ignored env MAIL
debug3: Ignored env PATH
debug3: Ignored env PWD
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env SELINUX_LEVEL_REQUESTED
debug3: Ignored env HISTCONTROL
debug3: Ignored env SHLVL
debug3: Ignored env HOME
debug3: Ignored env LOGNAME
debug3: Ignored env SSH_CONNECTION
debug3: Ignored env LESSOPEN
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Unable to get valid context for root
Last login: Fri May 24 23:25:38 2019 from porapp1.telematics.int
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)

Connection to xxx.xxx.xxx.xxx closed.
Transferred: sent 3040, received 2688 bytes, in 0.7 seconds
Bytes per second: sent 4306.7, received 3808.1
debug1: Exit status 254


Code: Select all

ssh -t root@xxx.xxx.xxx.xxx
I entered the password and got the following message

Code: Select all

Unable to get valid context for root
Last login: Fri May 24 23:11:01 2019 from zzz.zzz.zzz.zzz
Connection to xxx.xxx.xxx.xxx closed.


Same responses from the local console


Any suggestions??

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Cannot login to command line

Post by TrevorH » 2019/05/24 21:09:45

Try rebooting and interrupt the boot process at the grub menu, hit 'e' to edit the current entry then 'e' to edit the kernel line and append a space followed by enforcing=0 and then boot using that. See if it helps. That puts selinux into permissive mode and should allow everything that would have been denied in enforcing mode. If that doesn't help, do the same thing again and this time try with selinux=0 and see if that gets you in.

In both cases, this is just a bypass to get you into the system so that you can fix it properly.

You could also try booting from the install DVD in rescue mode and once booted, tell it to mount your system for you which it will do under /mnt/sysimage. Then touch /mnt/sysimage/.autorelabel and then reboot. That tells it to perform a full filesystem relabel and set all the selinux contexts back to how they ought to be. You probably need to boot using enforcing=0 after the touch so that it does the relabel in permissive mode or you might find it's unable to relabel the files with the wrong contexts because it doesn't have access (because they have the wrong context!).

You should also run rpm -Va selinux\* and see what files are listed as wrong or missing. A yum reinstall of any packages that have missing or bad files should fix them. Use rpm -qf /path/to/file to find which package owns which file then yum reinstall $package.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

orani
Posts: 5
Joined: 2019/05/24 20:14:52

Re: Cannot login to command line

Post by orani » 2019/05/24 21:58:48

I interrupted the boot process at the grub menu, edited the kernel, appended enforcing=0 and then booted. It worked and now I can log in.

When I run

Code: Select all

rpm -Va selinux\*
I get an empty response. I suppose that no files are missing and no files are in bad condition.

What next?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Cannot login to command line

Post by TrevorH » 2019/05/24 22:40:35

You could try restorecon -RFv /root if this problem is only affecting the root user.

rpm -Va will verify all files belonging to all packages to check that their checksum matches what's expected. That will run for a while and could potentially produce a lot of output as it will list all files on the system that have been intentionally (and unintentionally) modified. It checks ownership and permissions too. You can find the list of codes in the output by reading man rpm. This might help to identify what the problem is.

You should also be reading the system logs in /var/log - most likely the answers are in /var/log/{messages,secure}.

Also, what's the contents of /etc/sysconfig/selinux and is it a symlink to ../selinux/config ?

orani
Posts: 5
Joined: 2019/05/24 20:14:52

Re: Cannot login to command line

Post by orani » 2019/05/24 23:20:10

The problem wasn't only for the root user but for all users with login capability.

Code: Select all

File:/etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

and yes there is a symlink!!!

Code: Select all

File:/var/log/secure

May 25 02:02:58 NAGIOS sshd[21074]: Connection closed by 10.0.5.184
May 25 02:03:58 NAGIOS sshd[29509]: Connection closed by 10.0.5.184
May 25 02:04:57 NAGIOS sshd[5371]: Connection closed by 10.0.5.184
May 25 02:05:24 NAGIOS sshd[8874]: reverse mapping checking getaddrinfo for orestis-laptop.telematics.int [10.0.30.152] failed - POSSIBLE BREAK-IN ATTEMPT!
May 25 02:05:24 NAGIOS sshd[8874]: Accepted password for root from 10.0.30.152 port 42220 ssh2
May 25 02:05:25 NAGIOS sshd[8874]: pam_selinux(sshd:session): Security context unconfined_u:system_r:prelink_mask_t:s0-s0:c0.c1023 is not allowed for unconfined_$
May 25 02:05:25 NAGIOS sshd[8874]: pam_selinux(sshd:session): Unable to get valid context for root
May 25 02:05:25 NAGIOS sshd[8874]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 25 02:05:25 NAGIOS sshd[8874]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
May 25 02:05:57 NAGIOS sshd[13857]: Connection closed by 10.0.5.184
May 25 02:06:57 NAGIOS sshd[22409]: Connection closed by 10.0.5.184
May 25 02:07:57 NAGIOS sshd[30926]: Connection closed by 10.0.5.184
May 25 02:08:57 NAGIOS sshd[7064]: Connection closed by 10.0.5.184
May 25 02:09:57 NAGIOS sshd[15559]: Connection closed by 10.0.5.184
May 25 02:10:57 NAGIOS sshd[24019]: Connection closed by 10.0.5.184
May 25 02:11:57 NAGIOS sshd[32442]: Connection closed by 10.0.5.184
May 25 02:12:57 NAGIOS sshd[8604]: Connection closed by 10.0.5.184
May 25 02:13:57 NAGIOS sshd[17295]: Connection closed by 10.0.5.184
This is the only part of the file that has some interest.

Should I reboot the server and try to remove the enforcing=0??
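
The /var/log/secure excerpt above shows the pattern behind the symptom: sshd accepts the password, then pam_selinux reports "Unable to get valid context" for the same sshd PID. As an added example (not part of the original posts), this shell function extracts such sessions from a secure log; the function names and the sample host, users and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: list sshd sessions that authenticated
# successfully but for which pam_selinux could not assign a login context.

selinux_login_failures() {
    # $1 = path to a secure log; prints: pid user source-ip rejected-context
    awk '
    {
        # Field 5 is the syslog tag, e.g. "sshd[8874]:"; skip other daemons.
        if ($5 !~ /^sshd\[[0-9]+\]:$/) next
        pid = $5; gsub(/[^0-9]/, "", pid)
    }
    $6 == "Accepted" && $8 == "for" { user[pid] = $9; src[pid] = $11 }
    /pam_selinux\(sshd:session\): Security context .* is not allowed/ { ctx[pid] = $9 }
    /pam_selinux\(sshd:session\): Unable to get valid context for/ {
        if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            if (!(p in user)) continue   # no successful authentication logged
            printf "%s %s %s %s\n", p, user[p], src[p], (p in ctx) ? ctx[p] : "-"
        }
    }' "$1"
}

write_sample_log() {
    # Constructed sample lines (host, users and addresses are made up).
    cat > "$1" <<'EOF'
May 25 02:04:57 host1 sshd[4100]: Connection closed by 192.0.2.50
May 25 02:05:24 host1 sshd[4101]: Accepted password for root from 192.0.2.10 port 42220 ssh2
May 25 02:05:25 host1 sshd[4101]: pam_selinux(sshd:session): Security context unconfined_u:system_r:prelink_mask_t:s0-s0:c0.c1023 is not allowed for unconfined_$
May 25 02:05:25 host1 sshd[4101]: pam_selinux(sshd:session): Unable to get valid context for root
May 25 02:05:25 host1 sshd[4101]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 25 02:06:02 host1 sshd[4102]: Accepted password for alice from 192.0.2.11 port 50112 ssh2
May 25 02:06:02 host1 sshd[4102]: pam_unix(sshd:session): session opened for user alice by (uid=0)
May 25 02:06:40 host1 sshd[4103]: Failed password for bob from 192.0.2.13 port 50200 ssh2
May 25 02:07:10 host1 sshd[4104]: Accepted password for carol from 192.0.2.12 port 50300 ssh2
May 25 02:07:11 host1 sshd[4104]: pam_selinux(sshd:session): Unable to get valid context for carol
EOF
}

# Demo run on the constructed sample; on a real host pass /var/log/secure.
sample=$(mktemp)
write_sample_log "$sample"
selinux_login_failures "$sample"
rm -f "$sample"
```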

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Cannot login to command line

Post by TrevorH » 2019/05/24 23:47:24

You don't need to remove it, it was a one time thing if you entered it at the grub menu. It'll stay in effect until you reboot or you run setenforce 1 as root to switch to enforcing mode again. I wouldn't do that as I'm pretty sure that it'll just break again.

I do not know what's going on here so I would suggest that you switch to using the selinux mailing list to ask about this. The people that do know all about selinux hang out on there including the Red Hat developers that work on it. It's selinux@lists.fedoraproject.org but I am pretty sure you have to sign up to the list before you can post to it. There's also an #selinux channel on Freenode IRC and you might be able to get answers there too.

orani
Posts: 5
Joined: 2019/05/24 20:14:52

Re: Cannot login to command line

Post by orani » 2019/05/25 00:45:08

Thanks for your time. You were very helpful.
