Logbook + Scratchpad

sysadmin

Today I was still configuring a Fedora-based server, and I noticed that SELinux was not enabled by default. To make sure not to mess up and lose access to the server, I followed the guide on the Fedora website: I enabled Permissive mode first, set the files to be relabeled after reboot, and rebooted. After reboot, I checked for errors using this command:

$ ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent

I saw one error related to the SSH port, and I learned that I needed to explicitly tell SELinux when SSH runs on a different port (which, in this case, I had changed as part of the setup process):

$ semanage port -a -t ssh_port_t -p tcp 2222

Having fixed this, I finally set SELinux to Enforcing.

#TIL #tech #sysadmin

Today I was performing a very common ritual of the software development world: using SSH to log onto a server.

Although I always use SSH keys, for a couple of reasons today I needed to temporarily enable password access. I made sure that password authentication was enabled by setting PasswordAuthentication yes in the sshd_config file and restarting the sshd service, but this didn't seem to work.

After a little debugging, I learned that there might be additional SSH configuration files in the /etc/ssh/sshd_config.d directory; sure enough, there was a file which was overriding my configuration with PasswordAuthentication no. After getting rid of that file, I finally got password access.
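
The override described above happens because sshd keeps the first value it reads for each keyword, so a drop-in pulled in by an Include line that comes earlier in sshd_config wins over a later setting in the main file. The following is an added example, not part of the original post: the function name first_setting, the demo tree and the file name 50-example.conf are assumptions made for illustration, and Match blocks are deliberately ignored.

```shell
#!/bin/sh
# Added example (not from the original post). sshd keeps the FIRST value it
# reads for a keyword and expands Include where the line appears, so a
# drop-in included at the top of sshd_config beats a later setting there.
# Simplifications: global scope only (stops at a file's first Match line),
# "Keyword value" syntax, one glob pattern per Include.

# first_setting KEYWORD CONFIG [BASEDIR] -> prints "file:line:value"
first_setting() {
    local want file base lineno line key value inc
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
    file=$2
    base=${3:-$(dirname "$2")}                  # /etc/ssh for the real config
    lineno=0
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -f; set -- ${line%%#*}; set +f      # drop comment, split on blanks
        [ $# -gt 0 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        value=${2:-}
        case $key in
            match) break ;;                     # conditional section, out of scope
            include)
                case $value in /*) ;; *) value=$base/$value ;; esac
                for inc in $value; do           # glob expands in sorted order
                    [ -f "$inc" ] || continue
                    first_setting "$want" "$inc" "$base" && return 0
                done ;;
            "$want")
                printf '%s:%s:%s\n' "$file" "$lineno" "$value"
                return 0 ;;
        esac
    done <"$file"
    return 1
}

# Constructed sample tree reproducing the situation in the post.
demo() {
    d=$(mktemp -d) && mkdir "$d/sshd_config.d" || return 1
    printf 'Include sshd_config.d/*.conf\nPasswordAuthentication yes\n' >"$d/sshd_config"
    printf '# constructed drop-in\nPasswordAuthentication no\n' >"$d/sshd_config.d/50-example.conf"
    first_setting PasswordAuthentication "$d/sshd_config" | sed "s|^$d/||"
    rm -rf "$d"
}
```

On a live server, running sshd -T as root prints the effective configuration after all files have been processed, which is the authoritative check before restarting the service.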

Inspecting SSH logs

Another thing I learned today: I was used to inspecting the /var/log/auth.log file (or the /var/log/secure file in CentOS), but neither existed on this server, whose OS was Fedora 39. Since systemd is now the default, the standard way of inspecting service logs is to use journalctl as follows:

$ journalctl -u sshd | tail

#TIL #sysadmin