LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   SELinux preventing ssh login with ~/.ssh/authorized_keys (https://www.linuxquestions.org/questions/linux-security-4/selinux-preventing-ssh-login-with-%7E-ssh-authorized_keys-4175469538/)

Seattle98122 07-13-2013 04:37 PM

SELinux preventing ssh login with ~/.ssh/authorized_keys
 
I want to be able to use ssh keys to log in to several CentOS servers.
This always worked fine with CentOS 5.x, but it is causing me problems in CentOS 6.4.

If I disable SELinux it works fine.
Following the suggestion on another thread I ran

Code:

[root@stanley etc]# restorecon -r -v -F /root/.ssh
restorecon reset /root/.ssh context unconfined_u:object_r:ssh_home_t:s0->system_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:ssh_home_t:s0->system_u:object_r:ssh_home_t:s0

and
Code:

[fred@stanley ~]$ restorecon -r -v -F /home/fred/.ssh
restorecon reset /home/fred/.ssh context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /home/fred/.ssh/authorized_keys context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:ssh_home_t:s0

and then reset SELinux to
Code:

SELINUX=enforcing
in /etc/selinux/config
and rebooted.

Now, I can log in as root without entering a password, but user fred is still prompted.

I notice that the flags being set by restorecon are different for root and for fred, so my guess is that this is the problem. I don't know what these flags mean, or how to change them, so would appreciate help in sorting this out.

BTW: in general I want to disable ssh for root. Using root was just part of my troubleshooting.

Some additional info added after @JohnVV's comments:


After trying to log in again as fred, I see this in /var/log/secure:

Code:

Jul 14 13:30:03 stanley sshd[10183]: debug3: mm_answer_keyallowed entering
Jul 14 13:30:03 stanley sshd[10183]: debug3: mm_answer_keyallowed: key_from_blob: 0x7f29afe06d00
Jul 14 13:30:03 stanley sshd[10183]: debug1: temporarily_use_uid: 504/504 (e=0/0)
Jul 14 13:30:03 stanley sshd[10183]: debug1: trying public key file /home/fred/.ssh/authorized_keys
Jul 14 13:30:03 stanley sshd[10183]: debug1: fd 4 clearing O_NONBLOCK
Jul 14 13:30:03 stanley sshd[10183]: debug3: secure_filename: checking '/home/fred/.ssh'
Jul 14 13:30:03 stanley sshd[10183]: debug3: secure_filename: checking '/home/fred'
Jul 14 13:30:03 stanley sshd[10183]: debug3: secure_filename: terminating check at '/home/fred'
Jul 14 13:30:03 stanley sshd[10183]: debug2: key not found

Then extracting the entries from the audit log for process 10183:
Code:

cat /var/log/audit/audit.log | audit2allow -w > ~/denied
grep -A3 10183 ~/denied

I just get this:

Code:

type=AVC msg=audit(1373833803.504:926): avc:  denied  { search } for  pid=10183 comm="sshd" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

        Was caused by:
                Missing type enforcement (TE) allow rule.
--
type=AVC msg=audit(1373833803.505:927): avc:  denied  { getattr } for  pid=10183 comm="sshd" path="/home" dev=dm-0 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

        Was caused by:
                Missing type enforcement (TE) allow rule.

Not sure what to do with this information. Any help would be appreciated.

Thanks

John VV 07-13-2013 06:14 PM

As per all the guides

set SE to permissive
then use "audit2allow" to write the SE rules
then set it back to "enforcing"

Quote:

Now, I can log in as root without entering a password
PLEASE DO NOT DO THAT !!!!!!!!

you might as well UNINSTALL the SE kernel
and your firewall

you will not need them, because you just bypassed ALL THE SYSTEM SECURITY

Seattle98122 07-13-2013 07:06 PM

Solution, I think
 
After being prompted by @John VV, I did a little more reading and did the following:

Code:

[root@stanley ~]# audit2allow -a -M fixse
[root@stanley ~]# cat fixse.te

module fixse 1.0;

require {
        type ifconfig_t;
        type admin_home_t;
        type user_home_t;
        type sshd_t;
        type file_t;
        class lnk_file read;
        class dir { search getattr };
        class file read;
}

#============= ifconfig_t ==============
allow ifconfig_t user_home_t:lnk_file read;

#============= sshd_t ==============
allow sshd_t admin_home_t:file read;
allow sshd_t file_t:dir { search getattr };


I was not having problems with ifconfig, so I re-ran audit2allow, limiting it to sshd
(per RedHat docs https://docs.fedoraproject.org/en-US...dit2allow.html )

Code:

[root@stanley ~]# grep sshd /var/log/audit/audit.log | audit2allow -M allowsshd

[root@stanley ~]# cat allowsshd.te

module allowsshd 1.0;

require {
        type admin_home_t;
        type file_t;
        type sshd_t;
        class dir { search getattr };
        class file read;
}

#============= sshd_t ==============
allow sshd_t admin_home_t:file read;
allow sshd_t file_t:dir { search getattr };

Installed the new SELinux module:
Code:

[root@stanley ~]# semodule -i allowsshd.pp


Temporarily re-enabled SELinux enforcement:
Code:

[root@stanley ~]# echo 1 > /selinux/enforce

Confirmed I can log in as a non-root user with a certificate / no password.

Finally, updated /etc/selinux/config with SELINUX=enforcing
and rebooted and confirmed I could still log in as a non-root user,
so that seems to solve it.


Final Questions:
  • Is this the right way to solve the problem?
  • Is the fact that I need to do this for certificate logins a bug in CentOS 6.4 and/or upstream?


Thanks
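The two AVC records in the opening post and the `allow sshd_t file_t:dir { search getattr };` rule that both generated modules in this post carry turn on the same detail: the target type is `file_t`, which is the type an object gets when it has no SELinux label at all. An allow rule against `file_t` "fixes" the denial by letting sshd into every unlabelled directory on the box; `restorecon` on the unlabelled path is the fix that keeps policy intact. The script below is an added example, not a script from the thread or from any of its posters: it reads raw `type=AVC` records from `/var/log/audit/audit.log`, extracts source type, target type, class and permissions, and sorts each denial into RELABEL (target `file_t` or `unlabeled_t`) or POLICY (any other target type, for which it prints the rule audit2allow would emit, for review). The script name `avc-triage.sh` and all function names are mine. The three embedded records are constructed: the first two reproduce the denials posted above, the third (a read denial on a `user_home_t` file) is invented to exercise the POLICY branch.

```shell
#!/bin/sh
# avc-triage.sh: sort SELinux AVC denials into "relabel" and "write policy" buckets.
# Added example; not a script from the thread or from any of its posters.

# Constructed sample records. The first two reproduce the denials posted in the
# thread; the third is invented to show a denial against a properly labelled object.
SAMPLE_AVCS='type=AVC msg=audit(1373833803.504:926): avc:  denied  { search } for  pid=10183 comm="sshd" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1373833803.505:927): avc:  denied  { getattr } for  pid=10183 comm="sshd" path="/home" dev=dm-0 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1373833900.000:931): avc:  denied  { read } for  pid=10190 comm="sshd" name="authorized_keys" dev=dm-0 ino=4711 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field RECORD KEY: value of KEY=value in RECORD, surrounding quotes removed;
# prints nothing if the key is absent (e.g. no path= on a search denial).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD: the denied permissions between the braces, e.g. "search getattr".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# context_type CONTEXT: the type field (third component) of user:role:type:range.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# triage_avc RECORD: RELABEL when the target type is file_t or unlabeled_t
# (the object carries no label, so the fix is restorecon, not an allow rule);
# POLICY for any other target type (a genuine policy gap, audit2allow territory).
triage_avc() {
    case "$(context_type "$(avc_field "$1" tcontext)")" in
        file_t|unlabeled_t) echo RELABEL ;;
        *)                  echo POLICY ;;
    esac
}

# audit2allow_rule RECORD: the allow rule audit2allow would emit for this record,
# in the form the thread's .te files show (braces only for several permissions).
audit2allow_rule() {
    r_st=$(context_type "$(avc_field "$1" scontext)")
    r_tt=$(context_type "$(avc_field "$1" tcontext)")
    r_cls=$(avc_field "$1" tclass)
    r_perms=$(avc_perms "$1")
    case "$r_perms" in
        *" "*) echo "allow $r_st $r_tt:$r_cls { $r_perms };" ;;
        *)     echo "allow $r_st $r_tt:$r_cls $r_perms;" ;;
    esac
}

# report_avc RECORD: one human-readable line with the recommended action.
report_avc() {
    obj=$(avc_field "$1" path)
    [ -n "$obj" ] || obj=$(avc_field "$1" name)
    case "$(triage_avc "$1")" in
        RELABEL)
            echo "RELABEL  $(avc_field "$1" comm) denied {$(avc_perms "$1")} on $(avc_field "$1" tclass) '$obj':" \
                 "target type $(context_type "$(avc_field "$1" tcontext)") means unlabelled; run restorecon -Rv on it, do not add a rule" ;;
        POLICY)
            echo "POLICY   $(avc_field "$1" comm) denied {$(avc_perms "$1")} on $(avc_field "$1" tclass) '$obj':" \
                 "candidate rule for review: $(audit2allow_rule "$1")" ;;
    esac
}

# triage_stream: one report line per AVC record read from stdin; other lines are skipped.
triage_stream() {
    while IFS= read -r rec; do
        case "$rec" in
            type=AVC*) report_avc "$rec" ;;
        esac
    done
}

# Usage: sh avc-triage.sh --demo                                   (embedded records)
#        grep type=AVC /var/log/audit/audit.log | sh avc-triage.sh -   (live log)
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_AVCS" | triage_stream ;;
    -)      triage_stream ;;
esac
```

On the posted records the script reports RELABEL for both, since `name="/"` and `path="/home"` both carry `tcontext=system_u:object_r:file_t:s0`. Both also report `dev=dm-0 ino=2`, the root inode of an ext filesystem, which points at the top of a mounted filesystem that was never labelled; `restorecon -v` on that mount point (with `-R` for the tree beneath, or `touch /.autorelabel` and a reboot as the blunt alternative) clears the denial without the module, and `ls -Zd /home` afterwards should show `home_root_t` rather than `file_t`.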

michelemase 04-14-2017 05:15 AM

2 commands to solve ssh login
 
For the ~/.ssh/authorized_keys in the user home the correct SE context should be:
Code:

unconfined_u:object_r:user_home_t:s0
Try this code:
Code:

#!/bin/bash
# Run from the user's home directory; the user name is expected as the second
# argument ($2), as in the original post.
if /usr/sbin/getenforce 2>/dev/null | grep -q "Enforcing\|Permissive"; then
    if [ "$2" = "root" ]; then
        # root's authorized_keys should carry ssh_home_t
        if [ "$(stat -c %C .ssh/authorized_keys)" != "unconfined_u:object_r:ssh_home_t:s0" ]; then
            #chcon -R unconfined_u:object_r:home_root_t:s0 .ssh
            chcon -R unconfined_u:object_r:ssh_home_t:s0 .ssh
        fi
    else
        # other users' authorized_keys should carry user_home_t
        if [ "$(stat -c %C .ssh/authorized_keys)" != "unconfined_u:object_r:user_home_t:s0" ]; then
            chcon -R unconfined_u:object_r:user_home_t:s0 .ssh
        fi
    fi
fi


