selinux don't let login with rsa key if user's home not in /home
I can log in with an RSA key as root and as a user whose home is in /home, but if the user's home directory is somewhere else, I can log in only by password.
If I disable SELinux, the key works.
How do I fix it with SELinux enabled?
Re: selinux don't let login with rsa key if user's home not in /home
[quote]borispr wrote:
I can log in by rsa key as root, [/quote]
Note denying root login over any network and using DSA pubkey auth are SSH best practices.
[quote]borispr wrote:
(..) if user's home directory is in the other place, I can log in only by password
if to disable selinux key works
How to fix it with selinux enabled?[/quote]
- Is this a regular unprivileged user account created through groupadd / useradd?
- What's the /etc/passwd line for this user?
- What does 'restorecon -fnv /home/of/user' return?
- What does 'grep /home/of/user /var/log/{messages,secure} /var/log/audit/audit.log' return?
Re: selinux don't let login with rsa key if user's home not in /home
[quote]Note denying root login over any network and using DSA pubkey auth are SSH best practices.[/quote]
This is an internal system, and I just checked because root's home is not in /home.
[quote]- Is this a regular unprivileged user account created through groupadd / useradd?[/quote]
yes
[quote]- What's the /etc/passwd line for this user?[/quote]
rarus:x:501:501::/data/home/rarus:/bin/bash
[quote]- What does 'restorecon -fnv /home/of/user' return?[/quote]
You mean -Fnv?
restorecon reset /data/home/rarus context unconfined_u:object_r:file_t:s0->system_u:object_r:default_t:s0
[quote]- What does 'grep /home/of/user /var/log/{messages,secure} /var/log/audit/audit.log' return?[/quote]
/var/log/messages - nothing
/var/log/secure - "Connection closed by 127.0.0.1" (I did not enter password)
audit.log
[quote]
type=AVC msg=audit(1377432362.509:7260): avc: denied { search } for pid=6818 comm="sshd" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1377432362.509:7260): arch=c000003e syscall=2 success=no exit=-13 a0=7f9e155bac50 a1=800 a2=1 a3=27 items=0 ppid=1771 pid=6818 auid=4294967295 uid=0 gid=0 euid=501 suid=0 fsuid=501 egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1377432362.509:7261): user pid=6818 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="rarus" exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1377432363.745:7262): user pid=6818 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=6819 suid=74 rport=58203 laddr=127.0.0.1 lport=22 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=USER_ERR msg=audit(1377432363.746:7263): user pid=6818 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident acct="?" exe="/usr/sbin/sshd" hostname=plda-ts addr=127.0.0.1 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1377432363.746:7264): user pid=6818 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=76:39:4d:71:cc:9b:29:d3:a7:20:01:0f:9a:20:2b:35 direction=? spid=6818 suid=0 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1377432363.746:7265): user pid=6818 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ab:b3:d1:d5:69:48:44:50:b3:38:7f:92:a6:e5:5b:9b direction=? spid=6818 suid=0 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=USER_LOGIN msg=audit(1377432363.746:7266): user pid=6818 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="rarus" exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed'
[/quote]
selinux don't let login with rsa key if user's home not in /
Try adding the expected context to the directory; it should look something like [code]semanage fcontext -a -t user_home_dir_t /data/home/[^/]*/.+[/code] and then restorecon it?
Re: selinux don't let login with rsa key if user's home not in /home
It did not help.
I also lost the ability to log in via key for users with homes in /home.
It seems easier to disable SELinux.
Re: selinux don't let login with rsa key if user's home not in /home
[quote]
borispr wrote:
did not help
also lost ability to log in via key to users with home in /home[/quote]
Instead post the commands you ran, with the arguments and output from checking changes. You'll find custom file contexts in /etc/selinux/%{POLICY_NAME}/contexts/files/ BTW.
[quote]
borispr wrote:
seems easier disable selinux[/quote]
It's equally valid to argue that it seems easier to adhere to standards. After all, there's a reason why unprivileged users' homes reside in /home. Sure, disabling SELinux is your choice, but it weakens the machine's security posture and on top of that teaches you nothing at all...
Re: selinux don't let login with rsa key if user's home not in /home
Here is the answer.
To fix login for users with home in /home:
[code]# /home is the home root; each home below it is user_home_dir_t,
# and ~/.ssh plus authorized_keys must be ssh_home_t for sshd to read them
semanage fcontext -a -t home_root_t /home
semanage fcontext -a -t user_home_dir_t /home/user
semanage fcontext -a -t ssh_home_t /home/user/.ssh
semanage fcontext -a -t ssh_home_t /home/user/.ssh/authorized_keys
restorecon -Rv /home
[/code]
For users in /data/home:
The first line is needed because /data is a separate file system (without it, it still did not work).
[code]
# /data is the mountpoint that holds the alternate home root
semanage fcontext -a -t root_t /data
semanage fcontext -a -t home_root_t /data/home
# plain paths, without trailing slashes
semanage fcontext -a -t user_home_dir_t /data/home/rarus
semanage fcontext -a -t ssh_home_t /data/home/rarus/.ssh
semanage fcontext -a -t ssh_home_t /data/home/rarus/.ssh/authorized_keys
# apply the /data rule to the mountpoint itself, then relabel the homes below it
restorecon -v /data
restorecon -Rv /data/home
[/code]
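As an added example (not code from the thread), here is a small POSIX shell script that covers both the diagnosis earlier in the thread (reading the AVC denial borispr posted: sshd_t refused 'search' on a directory still labeled file_t) and the fix in this post, done with a single fcontext equivalence rule instead of one rule per path. The first sample line is a constructed copy of the AVC from the thread; the second is constructed to show what a denial on a correctly labeled file looks like, where relabeling would not help. The function names avc_summary, needs_relabel, fix_home_root and verify_home_root are chosen here. The semanage/restorecon steps assume a RHEL/CentOS targeted policy with policycoreutils-python installed and must be run as root; the root_t label for the mountpoint is the choice this post settled on, not a policy recommendation.

```shell
#!/bin/sh
# Added example, not from the thread. Diagnose an sshd AVC denial and relabel an
# alternate home root (e.g. /data/home) so pubkey login works with SELinux on.
set -f   # no globbing: audit lines are word-split below

# Constructed copy of the AVC line from the thread: sshd_t was refused 'search'
# on a directory still labeled file_t (never labeled since the fs was created).
SAMPLE_AVC='type=AVC msg=audit(1377432362.509:7260): avc: denied { search } for pid=6818 comm="sshd" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir'
# Constructed contrast: the target already carries a proper home type, so
# relabeling would not help; that case needs a boolean or a policy module.
SAMPLE_OK='type=AVC msg=audit(1377432400.000:7300): avc: denied { read } for pid=6900 comm="sshd" name="authorized_keys" dev=dm-1 ino=77 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Reduce AVC records on stdin to "perm source_type target_type class name".
avc_summary() {
    while IFS= read -r line; do
        case $line in type=AVC*) ;; *) continue ;; esac
        rest=${line#*denied}           # "{ search } for pid=..."
        set -- $rest                   # $2 is the permission name
        perm=$2
        src= tgt= cls= name=
        for kv in $line; do
            case $kv in
                scontext=*) src=${kv#scontext=} ;;
                tcontext=*) tgt=${kv#tcontext=} ;;
                tclass=*)   cls=${kv#tclass=} ;;
                name=*)     name=${kv#name=}; name=${name#\"}; name=${name%\"} ;;
            esac
        done
        # the type is the third field of user:role:type:level
        src=${src#*:}; src=${src#*:}; src=${src%%:*}
        tgt=${tgt#*:}; tgt=${tgt#*:}; tgt=${tgt%%:*}
        printf '%s %s %s %s %s\n' "$perm" "$src" "$tgt" "$cls" "$name"
    done
}

# Succeed when an sshd denial hits a target that simply has no proper label
# (file_t/unlabeled_t/default_t): the cure is labeling, not new policy.
needs_relabel() {
    while read -r perm src tgt cls name; do
        [ "$src" = sshd_t ] || continue
        case $tgt in file_t|unlabeled_t|default_t) return 0 ;; esac
    done
    return 1
}

# One equivalence rule makes every /home default-label rule apply under the
# alternate root: home_root_t for the root, user_home_dir_t for each home,
# user_home_t below it and ssh_home_t for ~/.ssh. Needs root.
# The mountpoint (/data in the thread) has no rule of its own and would end up
# default_t, which confined domains cannot traverse; the thread settled on
# root_t for it, so that is the default here (override with $2).
fix_home_root() {
    root=$1; mnt=$(dirname "$1"); mnt_type=${2:-root_t}
    command -v semanage >/dev/null 2>&1 || { echo 'semanage not installed' >&2; return 2; }
    semanage fcontext -a -e /home "$root" || return
    [ "$mnt" = / ] || semanage fcontext -a -t "$mnt_type" "$mnt" || return
    restorecon -v "$mnt" && restorecon -Rv "$root"
}

# Show what the policy now expects versus what is on disk, plus fresh sshd AVCs.
verify_home_root() {
    matchpathcon "$1" "$1/.ssh" "$1/.ssh/authorized_keys"
    ls -dZ "$1" "$1/.ssh" "$1/.ssh/authorized_keys"
    ausearch -m avc -c sshd -ts recent 2>/dev/null || echo 'no recent sshd AVCs'
}

# Demo on the sample line from the thread; the fix runs only on request:
#   sudo sh relabel-home.sh fix /data/home && sh relabel-home.sh verify /data/home/rarus
printf '%s\n' "$SAMPLE_AVC" | avc_summary
case $1 in
    fix)    fix_home_root "$2" ;;
    verify) verify_home_root "$2" ;;
esac
```

Run it with no arguments to see the parsed denial ("search sshd_t file_t dir /"), or pipe `ausearch -m avc -c sshd --raw` into avc_summary and needs_relabel on a live box before deciding between a relabel and a policy change. The equivalence rule replaces the five per-path rules above and keeps working for users added later, which the per-user rules do not.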
Re: selinux don't let login with rsa key if user's home not in /home
Correction: the context of the user's home directory should be home_user_t, not home_user_dir_t.