nerdexam
CompTIA

XK0-004 · Question #363

A system administrator is investigating why user3 cannot log in using SSH to one of the servers. An attempt to log in results in the following: Which of the following commands should the systems admin

The correct answer is A. Restorecon /bin/rssh. When a user cannot SSH in and the configured shell is /bin/rssh, an incorrect SELinux security context on the rssh binary is a common cause. The 'restorecon' command resets the context to the correct policy-defined value.

Troubleshooting and Diagnostics

Question

A system administrator is investigating why user3 cannot log in using SSH to one of the servers. An attempt to log in results in the following:

Which of the following commands should the systems administrator execute to allow user3 log in to the server?

Options

  • ARestorecon /bin/rssh
  • BPasswd/-u user3
  • CUsermod/ -s /bin/sh user3
  • DSetfac1/ bin/rssh

How the community answered

(24 responses)
  • A
    58% (14)
  • B
    4% (1)
  • C
    21% (5)
  • D
    17% (4)

Why each option

When a user cannot SSH in and the configured shell is /bin/rssh, an incorrect SELinux security context on the rssh binary is a common cause. The 'restorecon' command resets the context to the correct policy-defined value.

ARestorecon /bin/rsshCorrect

Running 'restorecon /bin/rssh' restores the SELinux security context label on the rssh binary to the value defined by the active policy. If the context was set incorrectly - for example after a manual file copy or an incomplete package update - SELinux will deny execution of rssh during SSH login, and restorecon corrects this without altering the user's account or shell assignment.

BPasswd/-u user3

'passwd -u user3' unlocks a password-locked account, which is unrelated to the rssh shell binary's SELinux context that is causing the login denial.

CUsermod/ -s /bin/sh user3

'usermod -s /bin/sh user3' replaces the user's shell entirely rather than fixing the underlying SELinux context problem on /bin/rssh, and may change intended access restrictions.

DSetfac1/ bin/rssh

'setfacl' modifies POSIX access control lists, which is a separate permission mechanism from SELinux context labels and would not resolve an SELinux denial on the rssh binary.

Concept tested: SELinux context restoration with restorecon for SSH login failure

Source: https://man7.org/linux/man-pages/man8/restorecon.8.html

Topics

#SSH login failure#SELinux#restorecon#rssh

Community Discussion

No community discussion yet for this question.

Full XK0-004 Practice