I noticed something weird regarding SSH key-based login and SELinux in permissive mode.
Let me introduce you to the setup: the server is an updated CentOS 6.4 x86_64.
We create a user without a password (the user will then be locked):
# useradd testuser
# passwd -S testuser
testuser LK 2013-05-03 0 99999 7 -1 (Password locked.)
Then we set up the SSH keys:
# install -d -m 700 -o testuser -g testuser /home/testuser/.ssh/
# install -m 600 -o testuser -g testuser /root/.ssh/id_rsa.pub /home/testuser/.ssh/authorized_keys
Let's check the SELinux status:
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Then let's try to log in as testuser:
# ssh testuser@localhost
Last login: Fri May 3 13:26:32 2013 from ::1
$
It works! Now we set SELinux to permissive mode:
# setenforce 0
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
And we try to log in again:
# ssh testuser@localhost
testuser@localhost's password:
SSH doesn't accept the key and asks for a password!
Question: Is that a bug?
EDIT: After restorecon -Rv /home, I have:
$ ls -laZ ~/.ssh/
drwx------. user wheel unconfined_u:object_r:ssh_home_t:s0 ./
drwxr-x---. user wheel unconfined_u:object_r:user_home_dir_t:s0 ../
-rw-------. user wheel system_u:object_r:ssh_home_t:s0 authorized_keys
$ getsebool -a | grep 'ssh'
allow_ssh_keysign --> off
fenced_can_ssh --> off
ssh_chroot_full_access --> off
ssh_chroot_manage_apache_content --> off
ssh_chroot_rw_homedirs --> off
ssh_sysadm_login --> off
EDIT: Here is the content of /var/log/secure:
Jun 13 16:30:51 dhcp-240 sshd[13681]: User testuser not allowed because account is locked
Jun 13 16:30:51 dhcp-240 sshd[13682]: input_userauth_request: invalid user testuser
So, I found the problem. It does indeed seem to be a configuration problem.
If the sshd_config contains the directive
UsePAM no
then the SSH daemon doesn't accept the user's key and asks for a password. With
UsePAM yes
login via keys works in all cases (SELinux permissive or enforcing, user account locked or not).

I believe this has nothing to do with SELinux and everything to do with putting mode 644 on your ~/.ssh/authorized_keys file. The ~/.ssh directory itself should have mode 700 and files within that directory should be mode 600.
According to the OpenSSH FAQ:
You may also need to do a "restorecon -Rv /root" and "restorecon -Rv /home". Take a look at the directory ownership and SELinux labels with "ls -lZ".
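The "User testuser not allowed because account is locked" line in /var/log/secure and the UsePAM finding above fit together: when UsePAM is off, sshd itself inspects the account's password field in /etc/shadow before it even looks at authorized_keys. The script below is an added example, not code from the original question or answers and not OpenSSH's own code; it models that check (sshd's allowed_user() in auth.c) over constructed shadow entries. It assumes, as OpenSSH does on Linux builds, that a password field starting with "!" means "locked", and that with UsePAM yes the test is skipped and left to the PAM account stack.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSH itself.
# Models the locked-account test sshd's allowed_user() (auth.c) applies
# when UsePAM is "no". Assumption: on Linux builds OpenSSH treats a shadow
# password field beginning with "!" as locked (LOCKED_PASSWD_PREFIX); with
# UsePAM yes that test is skipped and the PAM account stack decides instead.

# sshd_allows_user <yes|no> <shadow line>
# Returns 0 if sshd would proceed to publickey authentication, 1 if it
# would log "User X not allowed because account is locked".
sshd_allows_user() {
    use_pam=$1
    line=$2
    user=${line%%:*}            # field 1: login name
    rest=${line#*:}
    hash=${rest%%:*}            # field 2: password hash

    if [ "$use_pam" = yes ]; then
        echo "UsePAM yes: $user -> lock check left to PAM, proceed to publickey"
        return 0
    fi
    case $hash in
        '!'*)
            echo "UsePAM no:  User $user not allowed because account is locked"
            return 1 ;;
        *)
            echo "UsePAM no:  $user -> hash '$hash' not treated as locked, proceed to publickey"
            return 0 ;;
    esac
}

# Constructed /etc/shadow entries (not copied from a real system):
#  1. what "useradd testuser" leaves on CentOS 6: hash "!!", shown as LK by passwd -S
#  2. the same account after "usermod -p '*' testuser": unusable password, no "!" prefix
#  3. a real password locked afterwards with "passwd -l" (a "!" is prepended to the hash)
SHADOW_USERADD='testuser:!!:15828:0:99999:7:::'
SHADOW_STAR='testuser:*:15828:0:99999:7:::'
SHADOW_PASSWD_L='testuser:!$6$saltsalt$notarealhash:15828:0:99999:7:::'

# Run every entry through the model with UsePAM no and UsePAM yes.
for entry in "$SHADOW_USERADD" "$SHADOW_STAR" "$SHADOW_PASSWD_L"; do
    for pam in no yes; do
        if sshd_allows_user "$pam" "$entry"; then
            echo "   => key in authorized_keys can be used"
        else
            echo "   => key ignored, client is prompted for a password it cannot give"
        fi
    done
done
```

The model shows why the SELinux mode was a red herring: "useradd" without a password leaves "!!" in the password field, passwd -S reports that as LK, and with UsePAM no sshd rejects the account before publickey is tried, so the client falls through to the password prompt seen in the question. Switching to UsePAM yes is the fix the answer found; if UsePAM must stay off, a key-only account needs a password field that does not start with "!", for example "usermod -p '*' testuser".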