LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-13-2013, 04:37 PM   #1
Seattle98122
LQ Newbie
 
Registered: Jul 2013
Distribution: CentOS
Posts: 2

Rep: Reputation: Disabled
SELinux preventing ssh login with ~/.ssh/authorized_keys


I want to be able to use ssh-keys to login to several CentOS servers.
This always worked fine with CentOS 5x, but causing me problems in CentOS 6.4

If I disable SELinux it works fine.
Following the suggestion on another thread I ran

Code:
[root@stanley etc]# restorecon -r -v -F /root/.ssh
restorecon reset /root/.ssh context unconfined_u:object_r:ssh_home_t:s0->system_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:ssh_home_t:s0->system_u:object_r:ssh_home_t:s0
and
Code:
[fred@stanley ~]$ restorecon -r -v -F /home/fred/.ssh
restorecon reset /home/fred/.ssh context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /home/fred/.ssh/authorized_keys context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
and then reset SELinux to
Code:
SELINUX=enforcing
in /etc/selinux/config
and rebooted.

Now, I can login as root without entering a password, but user fred is still prompted.

I notice that the flags being set by restorecon are different for root and for fred, so my guess is that this is the problem. I don't know what these flags mean, or how to change them, so would appreciate help in sorting this out.

BTW: in general I want to disable ssh for root. Using root was just part of my troubleshooting.

Some additional info added after @JohnVV's comments:


After trying to login again as fred. I see this in /var/log/secure

Code:
Jul 14 13:30:03 stanley sshd[10183]: debug3: mm_answer_keyallowed entering
Jul 14 13:30:03 stanley sshd[10183]: debug3: mm_answer_keyallowed: key_from_blob: 0x7f29afe06d00
Jul 14 13:30:03 stanley sshd[10183]: debug1: temporarily_use_uid: 504/504 (e=0/0)
Jul 14 13:30:03 stanley sshd[10183]: debug1: trying public key file /home/fred/.ssh/authorized_keys
Jul 14 13:30:03 stanley sshd[10183]: debug1: fd 4 clearing O_NONBLOCK
Jul 14 13:30:03 stanley sshd[10183]: debug3: secure_filename: checking '/home/fred/.ssh'
Jul 14 13:30:03 stanley sshd[10183]: debug3: secure_filename: checking '/home/fred'
Jul 14 13:30:03 stanley sshd[10183]: debug3: secure_filename: terminating check at '/home/fred'
Jul 14 13:30:03 stanley sshd[10183]: debug2: key not found
Then extracting the entries from the the audit log for process 10183
Code:
cat /var/log/audit/audit.log | audit2allow -w > ~/denied 
grep -A3 10183 ~/denied
I just get this:

Code:
type=AVC msg=audit(1373833803.504:926): avc:  denied  { search } for  pid=10183 comm="sshd" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

	Was caused by:
		Missing type enforcement (TE) allow rule.
--
type=AVC msg=audit(1373833803.505:927): avc:  denied  { getattr } for  pid=10183 comm="sshd" path="/home" dev=dm-0 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

	Was caused by:
		Missing type enforcement (TE) allow rule.
Not sure what to do with this information. Any help would be appreciated

Thanks

Last edited by Seattle98122; 07-14-2013 at 03:48 PM. Reason: added more information
 
Old 07-13-2013, 06:14 PM   #2
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,427

Rep: Reputation: 2590Reputation: 2590Reputation: 2590Reputation: 2590Reputation: 2590Reputation: 2590Reputation: 2590Reputation: 2590Reputation: 2590Reputation: 2590Reputation: 2590
As per all the guides

set SE to permissive
then use "audit2alow" to write the SE rules
then set it back to "enforcing"

Quote:
Now, I can login as root without entering a password
PLEASE DO NOT DO THAT !!!!!!!!

you might as well UNINSTALL the SE kernel
and your firewall

you will not need them, because you just bypassed ALL THE SYSTEM SECURITY

Last edited by John VV; 07-13-2013 at 06:17 PM.
 
Old 07-13-2013, 07:06 PM   #3
Seattle98122
LQ Newbie
 
Registered: Jul 2013
Distribution: CentOS
Posts: 2

Original Poster
Rep: Reputation: Disabled
Solution, I think

After being prompted by @John VV, I did a little more reading and did the following:

Code:
[root@stanley ~]# audit2allow -a -M fixse 
[root@stanley ~]# cat fixse.te

module fixse 1.0;

require {
	type ifconfig_t;
	type admin_home_t;
	type user_home_t;
	type sshd_t;
	type file_t;
	class lnk_file read;
	class dir { search getattr };
	class file read;
}

#============= ifconfig_t ==============
allow ifconfig_t user_home_t:lnk_file read;

#============= sshd_t ==============
allow sshd_t admin_home_t:file read;
allow sshd_t file_t:dir { search getattr };

I was not having problems with ifconfig, so I re-ran with audit2allow limiting it to sshd
(per RedHat docs https://docs.fedoraproject.org/en-US...dit2allow.html )

Code:
[root@stanley ~]# grep sshd /var/log/audit/audit.log | audit2allow -M allowsshd

[root@stanley ~]# cat allowsshd.te

module allowsshd 1.0;

require {
	type admin_home_t;
	type file_t;
	type sshd_t;
	class dir { search getattr };
	class file read;
}

#============= sshd_t ==============
allow sshd_t admin_home_t:file read;
allow sshd_t file_t:dir { search getattr };
Installed the selinux new module:

[root@stanley ~]# semodule -i allowsshd.pp


Temporarily reenabled selinux enforcement:

[root@stanley ~]# echo 1 > /selinux/enforce

Confirmed I can login as non-root user with certificate/ no password.

Finally, updated /etc/selinux/config with SELINUX=enforcing
and rebooted and confirmed I could still login as non-root user,
so that seems to solve it.


Final Questions:
  • Is this the right way to solve the problem?
  • Is the fact that I need to do this for certificate logins a bug in CentOS 6.4 and/or upstream?


Thanks

Last edited by Seattle98122; 07-14-2013 at 04:58 PM. Reason: Maybe solved problem
 
Old 04-14-2017, 05:15 AM   #4
michelemase
LQ Newbie
 
Registered: Nov 2008
Posts: 3

Rep: Reputation: 0
2 commands to solve ssh login

For the ~/.ssh/authorized_keys in the user home the correct SE context should be:
Code:
unconfined_u:object_r:user_home_t:s0
Try this code:
Code:
#!/bin/bash
if /usr/sbin/getenforce 2>/dev/null|grep -q "Enforcing\|Permissive"
     then
         if [ $2 = "root" ]
             then
                 if [ "$(stat .ssh/authorized_keys -c %C)" != "unconfined_u:object_r:ssh_home_t:s0" ]
                 then
                     #chcon -R unconfined_u:object_r:home_root_t:s0 .ssh
                     chcon -R unconfined_u:object_r:ssh_home_t:s0 .ssh
                 fi
             else
                 if [ "$(stat .ssh/authorized_keys -c %C)" != "unconfined_u:object_r:user_home_t:s0" ]
                 then
                 chcon -R unconfined_u:object_r:user_home_t:s0 .ssh
                 fi
        fi
 fi
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Difference between .ssh/known_hosts and .ssh/authorized_keys shivaa Linux - Newbie 7 10-30-2012 12:54 PM
SSH authorized_keys Global Include benjam1nrk Linux - Newbie 2 04-22-2010 07:27 PM
using root with ssh 'command=' and authorized_keys hank43 Linux - Security 1 09-11-2006 05:51 AM
Problem with ssh and authorized_keys... gruell Linux - Security 5 02-01-2006 03:40 PM
ssh users and authorized_keys ifm Linux - Security 3 06-12-2002 08:24 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:21 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration