SELinux preventing ssh login with ~/.ssh/authorized_keys

Seattle98122 · 07-13-2013, 04:37 PM

I want to be able to use ssh-keys to login to several CentOS servers.
This always worked fine with CentOS 5x, but causing me problems in CentOS 6.4

If I disable SELinux it works fine.
Following the suggestion on another thread I ran

Code:

[root@stanley etc]# restorecon -r -v -F /root/.ssh
restorecon reset /root/.ssh context unconfined_u:object_r:ssh_home_t:s0->system_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:ssh_home_t:s0->system_u:object_r:ssh_home_t:s0

and

Code:

[fred@stanley ~]$ restorecon -r -v -F /home/fred/.ssh
restorecon reset /home/fred/.ssh context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /home/fred/.ssh/authorized_keys context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:ssh_home_t:s0

and then reset SELinux to

Code:

SELINUX=enforcing

in /etc/selinux/config
and rebooted.

Now, I can login as root without entering a password, but user fred is still prompted.

I notice that the flags being set by restorecon are different for root and for fred, so my guess is that this is the problem. I don't know what these flags mean, or how to change them, so would appreciate help in sorting this out.

BTW: in general I want to disable ssh for root. Using root was just part of my troubleshooting.

Some additional info added after @JohnVV's comments:

After trying to login again as fred. I see this in /var/log/secure

Code:

Jul 14 13:30:03 stanley sshd[10183]: debug3: mm_answer_keyallowed entering
Jul 14 13:30:03 stanley sshd[10183]: debug3: mm_answer_keyallowed: key_from_blob: 0x7f29afe06d00
Jul 14 13:30:03 stanley sshd[10183]: debug1: temporarily_use_uid: 504/504 (e=0/0)
Jul 14 13:30:03 stanley sshd[10183]: debug1: trying public key file /home/fred/.ssh/authorized_keys
Jul 14 13:30:03 stanley sshd[10183]: debug1: fd 4 clearing O_NONBLOCK
Jul 14 13:30:03 stanley sshd[10183]: debug3: secure_filename: checking '/home/fred/.ssh'
Jul 14 13:30:03 stanley sshd[10183]: debug3: secure_filename: checking '/home/fred'
Jul 14 13:30:03 stanley sshd[10183]: debug3: secure_filename: terminating check at '/home/fred'
Jul 14 13:30:03 stanley sshd[10183]: debug2: key not found

Then extracting the entries from the the audit log for process 10183

Code:

cat /var/log/audit/audit.log | audit2allow -w > ~/denied 
grep -A3 10183 ~/denied

I just get this:

Code:

type=AVC msg=audit(1373833803.504:926): avc:  denied  { search } for  pid=10183 comm="sshd" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

	Was caused by:
		Missing type enforcement (TE) allow rule.
--
type=AVC msg=audit(1373833803.505:927): avc:  denied  { getattr } for  pid=10183 comm="sshd" path="/home" dev=dm-0 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

	Was caused by:
		Missing type enforcement (TE) allow rule.

Not sure what to do with this information. Any help would be appreciated

Thanks

John VV · 07-13-2013, 06:14 PM

As per all the guides

set SE to permissive
then use "audit2alow" to write the SE rules
then set it back to "enforcing"

Quote:

Now, I can login as root without entering a password

PLEASE DO NOT DO THAT !!!!!!!!

you might as well UNINSTALL the SE kernel
and your firewall

you will not need them, because you just bypassed ALL THE SYSTEM SECURITY

Seattle98122 · 07-13-2013, 07:06 PM

After being prompted by @John VV, I did a little more reading and did the following:

Code:

[root@stanley ~]# audit2allow -a -M fixse 
[root@stanley ~]# cat fixse.te

module fixse 1.0;

require {
	type ifconfig_t;
	type admin_home_t;
	type user_home_t;
	type sshd_t;
	type file_t;
	class lnk_file read;
	class dir { search getattr };
	class file read;
}

#============= ifconfig_t ==============
allow ifconfig_t user_home_t:lnk_file read;

#============= sshd_t ==============
allow sshd_t admin_home_t:file read;
allow sshd_t file_t:dir { search getattr };

I was not having problems with ifconfig, so I re-ran with audit2allow limiting it to sshd
(per RedHat docs https://docs.fedoraproject.org/en-US...dit2allow.html )

Code:

[root@stanley ~]# grep sshd /var/log/audit/audit.log | audit2allow -M allowsshd

[root@stanley ~]# cat allowsshd.te

module allowsshd 1.0;

require {
	type admin_home_t;
	type file_t;
	type sshd_t;
	class dir { search getattr };
	class file read;
}

#============= sshd_t ==============
allow sshd_t admin_home_t:file read;
allow sshd_t file_t:dir { search getattr };

Installed the selinux new module:

[root@stanley ~]# semodule -i allowsshd.pp

Temporarily reenabled selinux enforcement:

[root@stanley ~]# echo 1 > /selinux/enforce

Confirmed I can login as non-root user with certificate/ no password.

Finally, updated /etc/selinux/config with SELINUX=enforcing
and rebooted and confirmed I could still login as non-root user,
so that seems to solve it.

Final Questions:

Is this the right way to solve the problem?
Is the fact that I need to do this for certificate logins a bug in CentOS 6.4 and/or upstream?

Thanks

michelemase · 04-14-2017, 05:15 AM

For the ~/.ssh/authorized_keys in the user home the correct SE context should be:

Code:

unconfined_u:object_r:user_home_t:s0

Try this code:

Code:

#!/bin/bash
if /usr/sbin/getenforce 2>/dev/null|grep -q "Enforcing\|Permissive"
     then
         if [ $2 = "root" ]
             then
                 if [ "$(stat .ssh/authorized_keys -c %C)" != "unconfined_u:object_r:ssh_home_t:s0" ]
                 then
                     #chcon -R unconfined_u:object_r:home_root_t:s0 .ssh
                     chcon -R unconfined_u:object_r:ssh_home_t:s0 .ssh
                 fi
             else
                 if [ "$(stat .ssh/authorized_keys -c %C)" != "unconfined_u:object_r:user_home_t:s0" ]
                 then
                 chcon -R unconfined_u:object_r:user_home_t:s0 .ssh
                 fi
        fi
 fi