SELinux preventing ssh login with ~/.ssh/authorized_keys
I want to be able to use ssh keys to log in to several CentOS servers.
This always worked fine with CentOS 5.x, but it is causing me problems in CentOS 6.4. If I disable SELinux it works fine. Following the suggestion on another thread I ran:
Code:
[root@stanley etc]# restorecon -r -v -F /root/.ssh
Code:
[fred@stanley ~]$ restorecon -r -v -F /home/fred/.ssh
Code:
SELINUX=enforcing
and rebooted. Now, I can log in as root without entering a password, but user fred is still prompted. I notice that the flags being set by restorecon are different for root and for fred, so my guess is that this is the problem. I don't know what these flags mean, or how to change them, so I would appreciate help in sorting this out. BTW: in general I want to disable ssh for root. Using root was just part of my troubleshooting.

Some additional info added after @JohnVV's comments: After trying to log in again as fred, I see this in /var/log/secure
Code:
Jul 14 13:30:03 stanley sshd[10183]: debug3: mm_answer_keyallowed entering
Code:
cat /var/log/audit/audit.log | audit2allow -w > ~/denied
Code:
type=AVC msg=audit(1373833803.504:926): avc: denied { search } for pid=10183 comm="sshd" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
Thanks
As per all the guides:
set SE to permissive, then use "audit2allow" to write the SE rules, then set it back to "enforcing".
Quote:
you might as well UNINSTALL the SE kernel and your firewall, you will not need them, because you just bypassed ALL THE SYSTEM SECURITY
Solution, I think
After being prompted by @John VV, I did a little more reading and did the following:
Code:
[root@stanley ~]# audit2allow -a -M fixse
I was not having problems with ifconfig, so I re-ran audit2allow limiting it to sshd (per the Red Hat docs https://docs.fedoraproject.org/en-US...dit2allow.html ):
Code:
[root@stanley ~]# grep sshd /var/log/audit/audit.log | audit2allow -M allowsshd
[root@stanley ~]# semodule -i allowsshd.pp
Temporarily re-enabled SELinux enforcement:
Code:
[root@stanley ~]# echo 1 > /selinux/enforce
Confirmed I can log in as a non-root user with certificate / no password. Finally, updated /etc/selinux/config with SELINUX=enforcing and rebooted, and confirmed I could still log in as a non-root user, so that seems to solve it.
Final Questions:
Thanks
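A note on the AVC record in the first post, with an added example (this script is not from the thread and is not the poster's allowsshd module). The denial is sshd_t asking for search on a dir whose tcontext type is file_t, and name="/" with ino=2 on dm-0 is the root directory itself. file_t is the type SELinux gives files that carry no label at all, so that record says the root filesystem is unlabeled, not that the sshd policy is missing a rule. A module built from it with audit2allow grants sshd_t access to every unlabeled object, which is far wider than "let sshd read fred's authorized_keys". The script below parses audit.log-style AVC lines, separates denials against file_t/unlabeled_t targets (fix by relabeling) from denials against properly labeled objects (the only ones worth feeding to audit2allow, after checking the access is legitimate), and runs on two constructed records: the first copies the denial posted above, the second is an invented denial against a labeled file so both branches are exercised. Field names and output format are my own choices.

```bash
#!/bin/bash
# Added example: triage SELinux AVC denials before reaching for audit2allow.
# Not part of the original thread. Works on plain audit.log text, no SELinux
# tooling required, so it can be run on a copy of the log anywhere.

# Constructed sample records. AVC1 is the denial posted in the thread; AVC2
# is an invented denial against a labeled file (httpd_sys_content_t) to show
# the other branch of the triage.
AVC1='type=AVC msg=audit(1373833803.504:926): avc: denied { search } for pid=10183 comm="sshd" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir'
AVC2='type=AVC msg=audit(1373833900.100:931): avc: denied { read } for pid=10190 comm="sshd" name="authorized_keys" dev=dm-0 ino=4711 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_field LINE KEY -> value of the KEY=value token, surrounding quotes removed
avc_field() {
    local line=$1 key=$2
    printf '%s\n' "$line" | sed -n "s/.*[[:space:]]$key=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perm LINE -> the permission(s) inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# context_type CONTEXT -> the type component (user:role:type:range)
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE -> "relabel" when the target carries no real label
# (file_t / unlabeled_t), "policy" otherwise
classify_avc() {
    local ttype
    ttype=$(context_type "$(avc_field "$1" tcontext)")
    case $ttype in
        file_t|unlabeled_t) echo relabel ;;
        *)                  echo policy ;;
    esac
}

# triage_avc_log FILE -> one summary line per "avc: denied" record
triage_avc_log() {
    local line ttype verdict advice
    while IFS= read -r line; do
        case $line in *'avc: denied'*) ;; *) continue ;; esac
        ttype=$(context_type "$(avc_field "$line" tcontext)")
        verdict=$(classify_avc "$line")
        if [ "$verdict" = relabel ]; then
            advice='unlabeled target: relabel (restorecon -R, or touch /.autorelabel and reboot), do not audit2allow'
        else
            advice='labeled target: confirm the access is legitimate, then consider a narrow audit2allow module'
        fi
        printf '%s %s %s %s (%s) -> %s: %s\n' \
            "$(avc_field "$line" comm)" "$(avc_perm "$line")" \
            "$(avc_field "$line" tclass)" "$(avc_field "$line" name)" \
            "$ttype" "$verdict" "$advice"
    done < "$1"
}

# Stand-alone run over the two constructed records.
demo_triage() {
    local tmp
    tmp=$(mktemp)
    printf '%s\n%s\n' "$AVC1" "$AVC2" > "$tmp"
    triage_avc_log "$tmp"
    rm -f "$tmp"
}
demo_triage
```

Usage: `./avc_triage.sh` runs it on the built-in samples; point `triage_avc_log` at `/var/log/audit/audit.log` (or a grep sshd of it) for a real box. When a record comes back as relabel, the fix is to give the files their proper labels rather than to widen the policy: `matchpathcon /home/fred/.ssh/authorized_keys` shows what label the loaded policy expects for a path and `restorecon -R -v /home/fred/.ssh` applies it, while `touch /.autorelabel` followed by a reboot relabels the whole filesystem, which is what a file_t root directory calls for.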
2 commands to solve ssh login
For the ~/.ssh/authorized_keys in the user home, the correct SE context should be:
Code:
unconfined_u:object_r:user_home_t:s0
Code:
#!/bin/bash