SELinux in permissive mode, ssh key based auth and locked account
So, I found the problem. It seems indeed to be a configuration problem.

If the sshd_config contains the directive

    UsePAM no

then the ssh daemon doesn't accept the user key and asks for a password. With

    UsePAM yes

the login via keys is working in all cases (SELinux permissive or enforced, user account locked or not).
Julien
Updated on September 18, 2022
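The behaviour the answer reports can be modelled as a small audit script that a defender can point at a host's sshd_config and shadow entries. The following is an added example, not code from the thread or from OpenSSH: it reads an sshd_config text and an /etc/shadow line and reports whether a key-only login for a locked account would be refused, reproducing the "not allowed because account is locked" decision quoted in the question's log. It assumes the Linux convention that a locked password field starts with "!" (what useradd without a password and passwd -l produce), sshd's upstream default of UsePAM no when the directive is absent, and that sshd_config keywords are case-insensitive with the first occurrence winning. The sample config fragments and shadow entries are constructed.

```python
"""Model of sshd's locked-account check for public-key logins.

Added example, not code from the thread or from OpenSSH. It reproduces the
behaviour the answer reports: with "UsePAM no" sshd itself refuses a locked
account ("User X not allowed because account is locked"); with "UsePAM yes"
the account check is handed to PAM and the key login goes through.
"""
import re
from typing import List, Set, Tuple

# Constructed sample inputs (not copied from a real system).
SSHD_CONFIG_NO_PAM = """\
# sshd_config fragment
Port 22
#UsePAM yes
UsePAM no
PubkeyAuthentication yes
"""

SSHD_CONFIG_PAM = """\
Port 22
UsePAM yes
PubkeyAuthentication yes
"""

# useradd without a password leaves "!!" in the password field; passwd -l prefixes "!".
SHADOW_LOCKED = "testuser:!!:15828:0:99999:7:::"
SHADOW_UNLOCKED = "testuser:$6$constructed$hashplaceholder:15828:0:99999:7:::"

_USEPAM_RE = re.compile(r"^\s*UsePAM\s+(\S+)", re.IGNORECASE)


def use_pam(config_text: str) -> bool:
    """Effective UsePAM value: keywords are case-insensitive, comment lines are
    ignored and the first occurrence wins. Upstream OpenSSH defaults to 'no'
    when the directive is absent (distribution configs often set it to yes)."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _USEPAM_RE.match(stripped)
        if m:
            return m.group(1).lower() == "yes"
    return False


def account_locked(shadow_line: str) -> bool:
    """True when the shadow password field carries the Linux lock prefix '!'."""
    fields = shadow_line.split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry")
    return fields[1].startswith("!")


def pubkey_login_allowed(config_text: str, shadow_line: str) -> Tuple[bool, str]:
    """Decide whether a valid authorized key gets the user in, and give the
    log line sshd writes (as quoted in the question) when it does not."""
    user = shadow_line.split(":", 1)[0]
    if not use_pam(config_text) and account_locked(shadow_line):
        return False, "User %s not allowed because account is locked" % user
    # With UsePAM yes the lock is left to PAM's account phase, which the
    # thread shows letting the key login through.
    return True, ""


def audit_locked_key_users(config_text: str, shadow_text: str,
                           authorized: Set[str]) -> List[Tuple[str, str]]:
    """List users that hold an authorized_keys file but would be refused."""
    refused = []
    for line in shadow_text.splitlines():
        if not line or ":" not in line:
            continue
        user = line.split(":", 1)[0]
        if user not in authorized:
            continue
        ok, reason = pubkey_login_allowed(config_text, line)
        if not ok:
            refused.append((user, reason))
    return refused


if __name__ == "__main__":
    for name, cfg in (("UsePAM no", SSHD_CONFIG_NO_PAM), ("UsePAM yes", SSHD_CONFIG_PAM)):
        ok, reason = pubkey_login_allowed(cfg, SHADOW_LOCKED)
        print("%-10s locked account -> %s %s" % (name, "allowed" if ok else "refused", reason))
```

On a real host the two inputs would come from /etc/ssh/sshd_config and /etc/shadow (the latter readable only as root), and the set of users with an authorized_keys file from a walk over /home; the script deliberately takes text so it can be run against copies collected during an incident review.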
- Julien, over 1 year ago:

I noticed something weird regarding ssh key based login and SELinux in permissive mode.

Let me introduce the setup: The server is an updated CentOS 6.4 x86_64.

We create a user without a password (the user will then be locked):

    # useradd testuser
    # passwd -S testuser
    testuser LK 2013-05-03 0 99999 7 -1 (Password locked.)

Then we set up the ssh keys:

    # install -d -m 700 -o testuser -g testuser /home/testuser/.ssh/
    # install -m 600 -o testuser -g testuser /root/.ssh/id_rsa.pub /home/testuser/.ssh/authorized_keys

Let's check the SELinux status:

    # sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 24
    Policy from config file:        targeted

Then let's try to log in as testuser:

    # ssh testuser@localhost
    Last login: Fri May 3 13:26:32 2013 from ::1
    $

It works! Now we set SELinux to permissive mode:

    # setenforce 0
    # sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   permissive
    Mode from config file:          enforcing
    Policy version:                 24
    Policy from config file:        targeted

And we try to log in again:

    # ssh testuser@localhost
    testuser@localhost's password:

SSH doesn't accept the key and asks for a password!

Question: Is that a bug?

EDIT: After restorecon -Rv /home, I have:

    $ ls -laZ ~/.ssh/
    drwx------. user wheel unconfined_u:object_r:ssh_home_t:s0 ./
    drwxr-x---. user wheel unconfined_u:object_r:user_home_dir_t:s0 ../
    -rw-------. user wheel system_u:object_r:ssh_home_t:s0 authorized_keys
    $ getsebool -a | grep 'ssh'
    allow_ssh_keysign --> off
    fenced_can_ssh --> off
    ssh_chroot_full_access --> off
    ssh_chroot_manage_apache_content --> off
    ssh_chroot_rw_homedirs --> off
    ssh_sysadm_login --> off

EDIT: Here is the content of /var/log/secure:

    Jun 13 16:30:51 dhcp-240 sshd[13681]: User testuser not allowed because account is locked
    Jun 13 16:30:51 dhcp-240 sshd[13682]: input_userauth_request: invalid user testuser
- ZaSter, almost 11 years ago: Try restarting the sshd daemon to ensure it knows the current SELinux setting which you have changed while it was running.
- Julien, almost 11 years ago: No, it doesn't help. Nor does a full system restart.
- Matthew Ife, almost 11 years ago: I've tried to duplicate this as you specified without success. Are you sure you have not altered PAM in any way?
- Julien, almost 11 years ago: Thanks for testing this. Then it must be something in my setup... I asked this question because I found this weird, and wondered if I should file a bug. I guess not, then.
- ZaSter, almost 11 years ago: A couple of questions. Do the /var/log/secure or /var/log/messages logs provide any useful clues to the problem? Is the policycoreutils package installed?
- Julien, almost 11 years ago: @ZaSter there is nothing in messages; I updated the question with the content of the secure log. And the policycoreutils rpm is installed.
- ZaSter, almost 11 years ago: However, the /var/log/secure does say that the account is locked, which could be a factor.
- Julien, almost 11 years ago: Yes, but then why does it work in enforced mode, which should be less permissive!
- Julien, almost 11 years ago: I changed the permissions on the authorized_keys file. And in my setup, it still doesn't allow logging in in permissive mode.
- tgharold, almost 11 years ago: Well, assuming that (ls -laZ ~/) shows user_home_dir_t for the .ssh folder and user_home_t for the files inside, then it won't be a labeling issue. Which means it might be a boolean issue or policy issue. You can search the booleans with (getsebool -a | grep 'ssh').
- Julien, almost 11 years ago: I edited the question to add the output of ls -laZ. restorecon restored the .ssh folder to ssh_home_t and not user_home_dir_t. Also, I reread my question, and I'm not sure I made it clear that with SELinux in enforced mode, the ssh login works!
- tgharold, almost 11 years ago: I'm wondering why the user's home directory (/home/user) is mode 750, and why the group ownership is wheel, instead of user, for ~/.ssh and ~/.ssh/*. And yes, it's odd that flipping SELinux from Enforcing to Permissive affects things in that way. Maybe try looking at "sealert -a /var/log/audit/audit.log" with an eye out for ssh errors.
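The label and ownership questions raised in the comments above (is ~/.ssh labelled ssh_home_t, who owns the files, are the modes tight enough) can be checked mechanically from the same ls -laZ listing the question shows. The following is an added example, not from the thread: it parses the mode/owner/group/context/name format that CentOS 6's ls -laZ prints, as quoted in the question, and flags entries whose SELinux type is not ssh_home_t, entries not owned by the expected user, and entries that are group- or world-writable (which sshd's StrictModes check refuses for the key file and the directories above it). The expected type comes from the restorecon result in the question; the listing below is constructed and deliberately contains one mislabelled file and one loosely permitted file.

```python
"""Checks over an `ls -laZ ~/.ssh/` listing for the problems the comments
discuss. Added example, not from the thread; the listing is constructed in
the format CentOS 6's ls -laZ prints (mode owner group context name)."""
from typing import Dict, List

# Constructed sample listing: authorized_keys is group-writable and
# known_hosts carries the wrong SELinux type.
LS_Z_OUTPUT = """\
drwx------. user wheel unconfined_u:object_r:ssh_home_t:s0 ./
drwxr-x---. user wheel unconfined_u:object_r:user_home_dir_t:s0 ../
-rw-rw----. user wheel system_u:object_r:ssh_home_t:s0 authorized_keys
-rw-r--r--. user wheel unconfined_u:object_r:user_home_t:s0 known_hosts
"""

# Type restorecon gave ~/.ssh and authorized_keys in the question.
EXPECTED_TYPE = "ssh_home_t"


def parse_ls_z(text: str) -> List[Dict[str, str]]:
    """Parse 'mode owner group user:role:type[:level] name' lines into dicts."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or 'total' style lines
        ctx = parts[3].split(":")
        if len(ctx) < 3:
            continue  # not a security context
        entries.append({
            "mode": parts[0].rstrip("."),   # trailing '.' marks an SELinux context
            "owner": parts[1],
            "group": parts[2],
            "seuser": ctx[0],
            "role": ctx[1],
            "type": ctx[2],
            "name": " ".join(parts[4:]),
        })
    return entries


def mislabeled(entries: List[Dict[str, str]], expected: str = EXPECTED_TYPE) -> List[str]:
    """Names whose SELinux type differs from the expected one. The parent
    directory is skipped because it legitimately carries another type."""
    return [e["name"] for e in entries
            if e["name"] != "../" and e["type"] != expected]


def group_or_world_writable(entries: List[Dict[str, str]]) -> List[str]:
    """Names with a write bit for group or other. In the 10-character mode
    string index 5 is the group write bit and index 8 the other write bit."""
    return [e["name"] for e in entries
            if len(e["mode"]) == 10 and (e["mode"][5] == "w" or e["mode"][8] == "w")]


def owned_by_other_user(entries: List[Dict[str, str]], user: str) -> List[str]:
    """Names not owned by the account whose keys live here (parent skipped)."""
    return [e["name"] for e in entries
            if e["name"] != "../" and e["owner"] != user]


if __name__ == "__main__":
    found = parse_ls_z(LS_Z_OUTPUT)
    print("mislabeled:", mislabeled(found))
    print("group/world writable:", group_or_world_writable(found))
    print("not owned by 'user':", owned_by_other_user(found, "user"))
```

The parser keys on the five-column form without size and date that the question shows; on newer coreutils, ls -laZ prints the full long format with the context inserted before the size, so the column positions would need adjusting there.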