Centos – Authenticate by libpam-thesql and libnss-thesql (CentOS)


I'm trying to get MySQL to function as a backend for authenticating users on CentOS 6.3. So far I have successfully installed and configured libnss-mysql. I can test this by doing:

# groups testuser
testuser : sftp

Testuser is a member of the sftp group in fact, all MySQL based useraccounts will be hardcoded to it. The sftp group is chrooted and forced to use internal-sftp so they cannot do anything but access their home directory.

Then I configured pam-mysql and PAM to allow mysql logins. This also works.. When SELinux is not enforcing.

When I do setenforce 1 users can no longer login. Error:

Permission denied, please try again.

This is my pam_mysql.conf file:


My /etc/pam.d/sshd:

auth       sufficient   pam_sepermit.so
auth       include      password-auth
auth       required     pam_mysql.so    config_file=/etc/pam_mysql.conf 
account    sufficient   pam_nologin.so
account    include      password-auth
account    required     pam_mysql.so    config_file=/etc/pam_mysql.conf 
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

And to be complete the contents of some log files..


Nov 20 14:52:20 hostname unix_chkpwd[4891]: check pass; user unknown
Nov 20 14:52:20 hostname unix_chkpwd[4891]: password check failed for user (testuser) 
Nov 20 14:52:20 hostname sshd[4880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=testuser Nov 20 14:52:22 sftpusers sshd[4880]: Failed password for testuser from port 51849 ssh2

type=USER_AUTH msg=audit(1353420107.070:812): user pid=5285 uid=0 auid=500 ses=24 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="testuser" exe="/usr/sbin/sshd" hostname=? addr= terminal=ssh res=failed'
type=USER_AUTH msg=audit(1353420112.312:813): user pid=5285 uid=0 auid=500 ses=24 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="testuser" exe="/usr/sbin/sshd" hostname= addr= terminal=ssh res=failed'
type=USER_AUTH msg=audit(1353420112.456:814): user pid=5285 uid=0 auid=500 ses=24 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="testuser" exe="/usr/sbin/sshd" hostname=? addr= terminal=ssh res=failed'

I tried to let audit2why explain the problem but it remains silent even though there are some errors.

Does anyone see the problem? Thanks!

EDIT: Turns out it's almost working with setenforce 0 I can mkdir foobar but if I do a single ls I get an error: Received message too long 16777216

Best Answer

CentOS 6.3 ships with OpenSSH5.3p1, there is a known bug that prevents sftp from retrieving the groupnames of files, the result is that an error is thrown and the connection is closed whenever the ls command is given.

The solution is to download a more recent version of OpenSSH, I took 6.1p1 and build it from source.

Mostly I followed these instructions: http://kb.bobcares.com/?View=entry&EntryID=1059 , in my case libwrap was missing it had to be installed. I did:

 yum install tcp_wrappers-devel

Some other libs can be missing, after installing them I configured OpenSSH to enable SELinux, when you reach this step:

./configure --prefix=/usr/local/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-kerberos5 --with-ssl-engine

Do this instead:

./configure --prefix=/usr/local/ssh --with-selinux --with-md5-passwords --with-pam --with-tcp-wrappers --with-kerberos5 --with-ssl-engine

Your default sshd_config file will change to the prefix location's:


After copying my existing config over that file (you could also alias them) my config magically started working!

Related Topic