SELinux in permissive mode, ssh key based auth and locked account


So, I found the problem. It seems to be indeed a configuration problem.

If the sshd_config contains the directive UsePAM no, then the ssh daemon doesn't accept the user key and asks for a password.

With UsePAM yes, the login via keys is working in all cases (SELinux permissive or enforced, user account locked or not).
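As an added illustration (not part of the original answer), the script below reproduces offline the decision sshd makes: without PAM, sshd itself refuses a user whose shadow password field begins with "!" (the "not allowed because account is locked" line from the question), while with UsePAM yes that account check is delegated to PAM and a key login goes through. The sshd_config texts and shadow fields are constructed samples; the fallback of "no" when UsePAM is absent is OpenSSH's compiled-in default, whereas distro packages commonly ship UsePAM yes.

```shell
#!/bin/sh
# Added example, not code from the original post: model sshd's locked-account
# check from an sshd_config text and a shadow-style password field.

# Effective UsePAM value: the first uncommented match wins, as in sshd.
# Falls back to "no", OpenSSH's compiled-in default for UsePAM.
sshd_usepam() {
    printf '%s\n' "$1" |
    awk 'tolower($1) == "usepam" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }'
}

# Password-locked if the shadow hash field starts with "!" (useradd without
# a password writes "!!", which passwd -S reports as LK).
shadow_locked() {
    case "$1" in
        '!'*) echo yes ;;
        *)    echo no ;;
    esac
}

# Mirrors sshd: key auth is denied only when PAM is off AND the account is
# password-locked; with UsePAM yes, PAM's account stage lets keys through.
key_login_allowed() {
    if [ "$(sshd_usepam "$1")" = no ] && [ "$(shadow_locked "$2")" = yes ]; then
        echo denied
    else
        echo allowed
    fi
}

# Constructed sample configs and shadow fields for the demonstration.
CFG_NOPAM='# comment line is ignored
UsePAM no
PubkeyAuthentication yes'
CFG_PAM='UsePAM yes
PubkeyAuthentication yes'
LOCKED='!!'
HASHED='$6$saltsalt$constructedhash'

key_login_allowed "$CFG_NOPAM" "$LOCKED"   # denied, as in the question
key_login_allowed "$CFG_PAM"   "$LOCKED"   # allowed, as in the answer
key_login_allowed "$CFG_NOPAM" "$HASHED"   # allowed: unlocked account
```

Run it against a real host by substituting `cat /etc/ssh/sshd_config` and the second field of the user's /etc/shadow line; the output shows which of the two mechanisms is gating the login.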



Author: Julien

Updated on September 18, 2022

Comments

  • Julien
    Julien over 1 year

    I noticed something weird regarding ssh key based login and SELinux in permissive mode.

    Let me introduce the setup: the server is an updated CentOS 6.4 x86_64.

    We create a user without a password (the user will then be locked):

    # useradd testuser
    # passwd -S testuser
    testuser LK 2013-05-03 0 99999 7 -1 (Password locked.)
    

    Then we setup the ssh keys:

    # install -d -m 700 -o testuser -g testuser /home/testuser/.ssh/
    # install -m 600 -o testuser -g testuser /root/.ssh/id_rsa.pub /home/testuser/.ssh/authorized_keys
    

    Let's check the SELinux status:

    # sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 24
    Policy from config file:        targeted
    

    Then let's try to log in as testuser:

    # ssh testuser@localhost
    Last login: Fri May  3 13:26:32 2013 from ::1
    $
    

    It works! Now we set SELinux to permissive mode:

    # setenforce 0
    # sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   permissive
    Mode from config file:          enforcing
    Policy version:                 24
    Policy from config file:        targeted
    

    And we try to log in again:

    # ssh testuser@localhost
    testuser@localhost's password:
    

    SSH doesn't accept the key and asks for a password!

    Question: Is that a bug?

    EDIT: After restorecon -Rv /home, I have

    $ ls -laZ ~/.ssh/
    drwx------. user wheel unconfined_u:object_r:ssh_home_t:s0 ./
    drwxr-x---. user wheel unconfined_u:object_r:user_home_dir_t:s0 ../
    -rw-------. user wheel system_u:object_r:ssh_home_t:s0  authorized_keys
    
    $ getsebool -a | grep 'ssh'
    allow_ssh_keysign --> off
    fenced_can_ssh --> off
    ssh_chroot_full_access --> off
    ssh_chroot_manage_apache_content --> off
    ssh_chroot_rw_homedirs --> off
    ssh_sysadm_login --> off
    

    EDIT: Here is the content of /var/log/secure

    Jun 13 16:30:51 dhcp-240 sshd[13681]: User testuser not allowed because account is locked
    Jun 13 16:30:51 dhcp-240 sshd[13682]: input_userauth_request: invalid user testuser
    
    • ZaSter
      ZaSter almost 11 years
      Try restarting the sshd daemon to ensure it knows the current Selinux setting which you have changed while it was running.
    • Julien
      Julien almost 11 years
      No, it doesn't help. Neither does a full system restart.
    • Matthew Ife
      Matthew Ife almost 11 years
      I've tried to duplicate this as you specified without success. Are you sure you have not altered PAM in any way?
    • Julien
      Julien almost 11 years
      Thanks for testing this. Then it must be something in my setup... I asked this question, because I found this weird, and wondered if I should file a bug. I guess not, then.
    • ZaSter
      ZaSter almost 11 years
      Couple of questions. Do the /var/log/secure logs or /var/log/messages logs provide any useful clues to the problem? Is the policycoreutils package installed?
    • Julien
      Julien almost 11 years
      @ZaSter there is nothing in messages, I updated the question with the content of the secure log. And the policycoreutils rpm is installed.
    • ZaSter
      ZaSter almost 11 years
      However, /var/log/secure does say that the account is locked, which could be a factor.
    • Julien
      Julien almost 11 years
      Yes, but then why does it work in enforced mode, which should be less permissive!
  • Julien
    Julien almost 11 years
    I changed the permissions on the authorized_keys file. And in my setup, it still doesn't allow logging in in permissive mode.
  • tgharold
    tgharold almost 11 years
    Well, assuming that (ls -laZ ~/) shows user_home_dir_t for the .ssh folder and user_home_t for the files inside, then it won't be a labeling issue. Which means it might be a boolean issue or policy issue. You can search the booleans with (getsebool -a | grep 'ssh').
  • Julien
    Julien almost 11 years
    I edited the question to add the output of ls -laZ. Restorecon restored the .ssh folder to ssh_home_t and not user_home_dir_t. Also, I reread my question, and I'm not sure I made it clear that with SELinux in enforced mode, the ssh login works!
  • tgharold
    tgharold almost 11 years
    I'm wondering why the user's home directory (/home/user) is mode 750, and why the group ownership is wheel, instead of user, for ~/.ssh and ~/.ssh/*. And yes, it's odd that flipping SELinux from Enforcing to Permissive affects things in that way. Maybe try looking at "sealert -a /var/log/audit/audit.log" with an eye out for ssh errors.