selinux don't let login with rsa key if user's home not in /home

borispr
Posts: 15
Joined: 2007/06/07 08:24:57

selinux don't let login with rsa key if user's home not in /home

Post by borispr » 2013/08/24 19:11:33

I can log in with an RSA key as root and as a user with home in /home, but if the user's home directory is somewhere else, I can log in only by password.
If I disable selinux, the key works.
How do I fix it with selinux enabled?

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: selinux don't let login with rsa key if user's home not in /home

Post by unspawn » 2013/08/25 10:28:46

[quote]borispr wrote:
I can log in by rsa key as root, [/quote]
Note denying root login over any network and using DSA pubkey auth are SSH best practices.


[quote]borispr wrote:
(..) if user's home directory is in the other place, I can log in only by password
if to disable selinux key works
How to fix it with selinux enabled?[/quote]
- Is this a regular unprivileged user account created through groupadd / useradd?
- What's the /etc/passwd line for this user?
- What does 'restorecon -fnv /home/of/user' return?
- What does 'grep /home/of/user /var/log/{messages,secure} /var/log/audit/audit.log' return?

borispr
Posts: 15
Joined: 2007/06/07 08:24:57

Re: selinux don't let login with rsa key if user's home not in /home

Post by borispr » 2013/08/25 12:15:59

[quote]Note denying root login over any network and using DSA pubkey auth are SSH best practices.[/quote]
This is an internal system; I just checked root because root's home is not in /home.


[quote]- Is this a regular unprivileged user account created through groupadd / useradd?[/quote]
yes

[quote]- What's the /etc/passwd line for this user?[/quote]
rarus:x:501:501::/data/home/rarus:/bin/bash

[quote]- What does 'restorecon -fnv /home/of/user' return?[/quote]
You mean -Fnv?
restorecon reset /data/home/rarus context unconfined_u:object_r:file_t:s0->system_u:object_r:default_t:s0

[quote]- What does 'grep /home/of/user /var/log/{messages,secure} /var/log/audit/audit.log' return?[/quote]
/var/log/messages - nothing
/var/log/secure - "Connection closed by 127.0.0.1" (I did not enter password)
audit.log
[quote]
type=AVC msg=audit(1377432362.509:7260): avc: denied { search } for pid=6818 comm="sshd" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1377432362.509:7260): arch=c000003e syscall=2 success=no exit=-13 a0=7f9e155bac50 a1=800 a2=1 a3=27 items=0 ppid=1771 pid=6818 auid=4294967295 uid=0 gid=0 euid=501 suid=0 fsuid=501 egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1377432362.509:7261): user pid=6818 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="rarus" exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1377432363.745:7262): user pid=6818 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=6819 suid=74 rport=58203 laddr=127.0.0.1 lport=22 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=USER_ERR msg=audit(1377432363.746:7263): user pid=6818 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident acct="?" exe="/usr/sbin/sshd" hostname=plda-ts addr=127.0.0.1 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1377432363.746:7264): user pid=6818 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=76:39:4d:71:cc:9b:29:d3:a7:20:01:0f:9a:20:2b:35 direction=? spid=6818 suid=0 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1377432363.746:7265): user pid=6818 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ab:b3:d1:d5:69:48:44:50:b3:38:7f:92:a6:e5:5b:9b direction=? spid=6818 suid=0 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=USER_LOGIN msg=audit(1377432363.746:7266): user pid=6818 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="rarus" exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed'
[/quote]
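As an added example (my own, not code from the thread), here is a small POSIX sh triage script for AVC denials of the kind posted above. It extracts the source type, permission, object class, target type and object name from each `type=AVC` line and flags the pattern seen here: sshd_t denied on a directory or file still carrying an unlabeled or default type (file_t, default_t, unlabeled_t), which is what a freshly created home tree outside /home looks like. The sample lines are constructed from the posted denial plus one extra denial I made up for the same symptom; all function names are mine.

```shell
#!/bin/sh
# Added example: triage AVC denials for the "pubkey auth fails outside /home" symptom.
# SAMPLE_AUDIT is constructed (first AVC copied from the thread, the SYSCALL line
# shortened, the second AVC invented); on a real host feed `ausearch -m avc -c sshd` instead.

SAMPLE_AUDIT='type=AVC msg=audit(1377432362.509:7260): avc: denied { search } for pid=6818 comm="sshd" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1377432362.509:7260): arch=c000003e syscall=2 success=no exit=-13 comm="sshd" exe="/usr/sbin/sshd"
type=AVC msg=audit(1377432400.100:7300): avc: denied { read } for pid=7001 comm="sshd" name="authorized_keys" dev=dm-1 ino=4096 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file'

# avc_field LINE KEY: value of the " KEY=value" token, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# avc_perm LINE: the permission named inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { *\([^} ]*\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of a user:role:type:level context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summarize: stdin = audit lines, stdout = "srctype perm class tgttype name" per AVC denial
avc_summarize() {
    while IFS= read -r line; do
        case "$line" in
            'type=AVC '*'denied'*) ;;
            *) continue ;;
        esac
        s=$(ctx_type "$(avc_field "$line" scontext)")
        t=$(ctx_type "$(avc_field "$line" tcontext)")
        printf '%s %s %s %s %s\n' "$s" "$(avc_perm "$line")" \
            "$(avc_field "$line" tclass)" "$t" "$(avc_field "$line" name)"
    done
}

# is_unlabeled_type TYPE: true for the types a fresh, never-relabelled tree carries
is_unlabeled_type() {
    case "$1" in file_t|default_t|unlabeled_t) return 0 ;; *) return 1 ;; esac
}

# avc_triage: stdin = audit lines, stdout = one finding per sshd denial on an unlabeled object
avc_triage() {
    avc_summarize | while read -r s perm cls t name; do
        if [ "$s" = sshd_t ] && is_unlabeled_type "$t"; then
            printf 'sshd denied %s on %s "%s" labelled %s: label the tree like /home and restorecon it\n' \
                "$perm" "$cls" "$name" "$t"
        fi
    done
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_AUDIT" | avc_triage
```

The first denial is the telling one: `name="/"` on `dev=dm-1` is the root of the separate /data filesystem, so sshd_t cannot even search down into it, long before it reaches authorized_keys.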

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: selinux don't let login with rsa key if user's home not in /home

Post by unspawn » 2013/08/25 12:57:24

Try adding the expected context to the directory, should look something like [code]semanage fcontext -a -t user_home_dir_t /data/home/[^/]*/.+[/code] and then restorecon it?

borispr
Posts: 15
Joined: 2007/06/07 08:24:57

Re: selinux don't let login with rsa key if user's home not in /home

Post by borispr » 2013/08/25 17:48:21

It did not help.
I also lost the ability to log in via key for users with home in /home.

It seems easier to disable selinux.

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: selinux don't let login with rsa key if user's home not in /home

Post by unspawn » 2013/08/25 19:28:51

[quote]
borispr wrote:
It did not help.
I also lost the ability to log in via key for users with home in /home.[/quote]
Instead post the commands you ran, with the arguments and output from checking changes. You'll find custom file contexts in /etc/selinux/%{POLICY_NAME}/contexts/files/ BTW.


[quote]
borispr wrote:
It seems easier to disable selinux.[/quote]
It's equally valid to argue that it seems easier to adhere to standards. After all, there's a reason why unprivileged users' homes reside in /home. Sure, disabling SELinux is your choice, but it weakens the machine's security posture and on top of that teaches you nothing at all...

borispr
Posts: 15
Joined: 2007/06/07 08:24:57

Re: selinux don't let login with rsa key if user's home not in /home

Post by borispr » 2013/08/25 21:10:39

Here is the answer

to fix login for users with home in /home:
[code]semanage fcontext -at home_root_t /home
semanage fcontext -at user_home_dir_t /home/user
semanage fcontext -at ssh_home_t /home/user/.ssh
semanage fcontext -at ssh_home_t /home/user/.ssh/authorized_keys
restorecon -Rv /home
[/code]

for users in /data/home
(the first line is needed because /data is a separate file system; without it, it still did not work)
[code]
semanage fcontext -at root_t /data
semanage fcontext -at home_root_t /data/home
semanage fcontext -at user_home_dir_t /data/home/rarus/
semanage fcontext -at ssh_home_t /data/home/rarus/.ssh/
semanage fcontext -at ssh_home_t /data/home/rarus/.ssh/authorized_keys
restorecon -Rv /data/home
[/code]
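The per-path rules above work, but every new user under /data/home needs another set. As an added example (my own, not from the thread or from the SELinux project), the script below does the same job with the file-context equivalence feature of semanage (`semanage fcontext -a -e /home /data/home`), which tells policy to apply its existing /home rules to /data/home, so home_root_t, user_home_dir_t, ssh_home_t and user_home_t land on the right paths automatically, and it keeps the poster's root_t label for the /data mount point. It prints the commands instead of running them unless explicitly asked, and it includes a checker that compares `ls -Zd` output against the types an equivalent tree should carry. The paths /data and /data/home are the thread's; the listing is constructed and the function names are mine.

```shell
#!/bin/sh
# Added example: relabel a home tree outside /home via fcontext equivalence, then verify.
# Assumes a targeted policy whose /home rules give: /home -> home_root_t,
# /home/<user> -> user_home_dir_t, .ssh and its contents -> ssh_home_t, other files -> user_home_t.

# plan_relabel MOUNT ALTHOME: print the commands; nothing is executed here
plan_relabel() {
    printf 'semanage fcontext -a -t root_t %s\n' "$1"   # poster found the fs root needed a label too
    printf 'semanage fcontext -a -e /home %s\n' "$2"    # treat ALTHOME exactly like /home
    printf 'restorecon -Rv %s\n' "$1"                   # apply labels to the whole mount
}

# apply_relabel MOUNT ALTHOME: run the plan only when SELINUX_APPLY=1 and the tools exist
apply_relabel() {
    [ "${SELINUX_APPLY:-0}" = 1 ] || { echo "dry run; set SELINUX_APPLY=1 to execute" >&2; return 2; }
    command -v semanage >/dev/null 2>&1 && command -v restorecon >/dev/null 2>&1 || return 3
    plan_relabel "$1" "$2" | sh -e
}

# expected_type ALTHOME PATH: the type PATH should carry once ALTHOME mirrors /home
expected_type() {
    home=${1%/}; p=${2%/}
    case "$p" in "$home"|"$home"/*) ;; *) echo outside; return 1 ;; esac
    rel=${p#"$home"}
    case "$rel" in
        '')              echo home_root_t ;;
        */.ssh|*/.ssh/*) echo ssh_home_t ;;
        /*/*)            echo user_home_t ;;
        /*)              echo user_home_dir_t ;;
    esac
}

# ls_type LINE: the type field from an `ls -Z` line (the field shaped user:role:type:level)
ls_type() {
    for f in $1; do
        case "$f" in *:object_r:*) printf '%s\n' "$f" | cut -d: -f3; return 0 ;; esac
    done
    return 1
}

# check_listing ALTHOME: stdin = `ls -Zd` lines (paths without spaces), stdout = OK/MISMATCH per path
check_listing() {
    while IFS= read -r line; do
        path=${line##* }
        actual=$(ls_type "$line")
        want=$(expected_type "$1" "$path")
        if [ "$actual" = "$want" ]; then st=OK; else st=MISMATCH; fi
        printf '%s %s %s expected=%s\n' "$st" "$path" "$actual" "$want"
    done
}

# Constructed listing: the user's home dir still carries default_t, everything else is right
SAMPLE_LS='drwxr-xr-x. root  root  system_u:object_r:home_root_t:s0 /data/home
drwx------. rarus rarus system_u:object_r:default_t:s0 /data/home/rarus
drwx------. rarus rarus unconfined_u:object_r:ssh_home_t:s0 /data/home/rarus/.ssh
-rw-------. rarus rarus unconfined_u:object_r:ssh_home_t:s0 /data/home/rarus/.ssh/authorized_keys'

# Stand-alone run: show the plan, then check the constructed listing
plan_relabel /data /data/home
printf '%s\n' "$SAMPLE_LS" | check_listing /data/home
```

On a real host, run `ls -Zd /data/home /data/home/rarus /data/home/rarus/.ssh /data/home/rarus/.ssh/authorized_keys | sh -c 'check_listing /data/home'` style checks after restorecon, and `matchpathcon /data/home/rarus/.ssh/authorized_keys` to confirm what policy now expects for the path; the equivalence rule also survives a full relabel, which the ad hoc commands in the thread do only because they were recorded with semanage rather than chcon.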

borispr
Posts: 15
Joined: 2007/06/07 08:24:57

Re: selinux don't let login with rsa key if user's home not in /home

Post by borispr » 2013/08/26 09:33:52

correction: context of user's home directory should be home_user_t not home_user_dir_t
