sshd: /etc/ssh/sshd_config: Permission denied
July 9, 2019 7 Comments
Problem:
The sshd and chronyd services on the database server were in a failed state and could not start because of a permission problem on their configuration files. The permissions on these files were correct and the services should have been able to start, so something else was going on… let’s dig into the details.
```
# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Tue 2019-07-09 12:21:49 UTC; 32s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 124026 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=1/FAILURE)
 Main PID: 124026 (code=exited, status=1/FAILURE)

Jul 09 12:21:49 node03 systemd[1]: Failed to start OpenSSH server daemon.
Jul 09 12:21:49 node03 systemd[1]: Unit sshd.service entered failed state.
Jul 09 12:21:49 node03 systemd[1]: sshd.service failed
```
`journalctl -xe` shows:
```
-- Unit sshd.service has begun starting up.
Jul 09 12:26:03 node03 sshd[129121]: /etc/ssh/sshd_config: Permission denied
Jul 09 12:26:03 node03 systemd[1]: sshd.service: main process exited, code=exited, status=1/FAILURE
Jul 09 12:26:03 node03 systemd[1]: Failed to start OpenSSH server daemon.
-- Subject: Unit sshd.service has failed
```
The same problem was happening with the chronyd service; it was complaining about the /etc/chrony.conf file. Incorrect time on database servers can cause node evictions.
Reason:
If the permissions on these files are correct, the next suspect is SELinux; let’s check:
```
# getenforce
Enforcing
```
Solution:
Disable SELinux and reboot the server:
```
# vim /etc/selinux/config
SELINUX=disabled
# reboot
```
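A narrower check than switching SELinux off, added here as an example and not part of the original post: when DAC permissions look right but a daemon still gets "Permission denied", compare the file's current SELinux type with the type the policy expects for that path, and count the AVC denials recorded for the daemon. The audit lines and the mislabelled context (`unlabeled_t`) below are constructed sample input; on a real RHEL7 host the values come from `stat -c %C`, `matchpathcon -n` and `/var/log/audit/audit.log` as shown in the comments.

```shell
#!/bin/sh
# Added example (not the blog's own code): triage a "Permission denied" on a
# config file by checking its SELinux label instead of disabling SELinux.
# All sample data below is constructed for the example.

# Extract the SELinux type (third field of user:role:type:level) from a context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare a file's actual context with the one the policy expects.
# Prints "ok" when the types match, "relabel" when they differ
# (a plain `restorecon -v <file>` fixes the latter, no policy change needed).
context_verdict() {
    actual_type=$(selinux_type "$1")
    expected_type=$(selinux_type "$2")
    if [ "$actual_type" = "$expected_type" ]; then
        echo ok
    else
        echo relabel
    fi
}

# Count AVC denials for a given process name in audit-log text read from stdin.
# grep -c exits 1 when the count is 0, so `|| true` keeps the pipeline alive.
avc_denials_for() {
    grep -c "type=AVC.*denied.*comm=\"$1\"" || true
}

# Constructed audit.log excerpt: two denials for sshd, one for chronyd,
# both caused by a wrong object label (unlabeled_t instead of etc_t).
SAMPLE_AUDIT='type=AVC msg=audit(1562675163.100:200): avc:  denied  { read } for  pid=129121 comm="sshd" name="sshd_config" dev="dm-0" ino=1234 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1562675163.101:201): avc:  denied  { open } for  pid=129121 comm="sshd" path="/etc/ssh/sshd_config" dev="dm-0" ino=1234 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1562675163.200:202): avc:  denied  { read } for  pid=129500 comm="chronyd" name="chrony.conf" dev="dm-0" ino=5678 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file'

# Constructed contexts: what the file carries vs. what the policy expects.
ACTUAL_CTX='system_u:object_r:unlabeled_t:s0'
EXPECTED_CTX='system_u:object_r:etc_t:s0'

# Stand-alone run on the sample data.
echo "sshd_config verdict: $(context_verdict "$ACTUAL_CTX" "$EXPECTED_CTX")"
echo "AVC denials for sshd: $(printf '%s\n' "$SAMPLE_AUDIT" | avc_denials_for sshd)"

# Live use on a RHEL7 host (tools from coreutils, libselinux-utils, policycoreutils):
#   actual=$(stat -c %C /etc/ssh/sshd_config)
#   expected=$(matchpathcon -n /etc/ssh/sshd_config)
#   context_verdict "$actual" "$expected"            # "relabel" -> restorecon -v /etc/ssh/sshd_config
#   avc_denials_for sshd < /var/log/audit/audit.log   # confirms SELinux, not DAC, is the blocker
```

If the verdict is `relabel`, restoring the label with `restorecon` keeps SELinux enforcing and fixes only the file that was wrong; a verdict of `ok` with denials still present points at a missing policy rule rather than a label, which is where `audit2allow` comes in.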
Summary:
I consider SELinux a non-desirable service on the database servers. But I appreciate the opinion of my colleagues/friends and I want to share it with you.
SELinux can be enabled with the correct config in RHEL 4,5,6 – “Starting with Oracle Database 11g Release 2 (11.2), the Security Enhanced Linux (SELinux) feature is supported for Oracle Linux 4, Oracle Linux 5, Oracle Linux 6, Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, and Red Hat Enterprise Linux 6.
https://docs.oracle.com/cd/E11882_01/install.112/e47689/pre_install.htm#LADBI1092”
“SELinux is a good security tool and usually I only disable it as a last resort or if the software doesn’t support it. “
Hi Mariami,
Starting with Oracle Database 11g Release 2 (11.2), the Security Enhanced Linux (SELinux) feature is supported for Oracle Linux 4, Oracle Linux 5, Oracle Linux 6, Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, and Red Hat Enterprise Linux 6.
https://docs.oracle.com/cd/E11882_01/install.112/e47689/pre_install.htm#LADBI1092
don’t know how it works in 7 (I suspect that your log is from RHEL7), probably this error can also be fixed via semanage/audit2allow etc. tools
Did you have a chance to check the context of the file (and maybe correct/restore it if wrong)? SELinux is a good security tool and usually I only disable it as a last resort or if the software doesn’t support it.
Thank you all for your comments. I will include useful information provided by you.
You are right this is RHEL7. We never enable SELinux on our servers and it was enabled implicitly only on one node from 3-node cluster. That’s why I’ve not tried to restore SELinux config and disabled it.
Rodrigo, could you please let me know when SELinux was helpful? Any example would be helpful…
I do appreciate your comments!
I will definitely check config file…
Try sudo nano /etc/ssh/sshd_config
After editing, restart ssh