Centos – Authenticate by libpam-mysql and libnss-mysql (CentOS)


I'm trying to get MySQL to function as a backend for authenticating users on CentOS 6.3. So far I have successfully installed and configured libnss-mysql. I can test this by doing:

# groups testuser
testuser : sftp

Testuser is a member of the sftp group; in fact, all MySQL-based user accounts will be hardcoded to it. The sftp group is chrooted and forced to use internal-sftp, so they cannot do anything but access their home directory.

Then I configured pam-mysql and PAM to allow MySQL logins. This also works... when SELinux is not enforcing.

When I do setenforce 1 users can no longer login. Error:

Permission denied, please try again.

This is my pam_mysql.conf file:

users.host=localhost
users.db_user=nss-pam-user
users.db_passwd=***********
users.database=sftpusers
users.table=users
users.user_column=username
users.password_column=password
users.password_crypt=6
verbose=1

My /etc/pam.d/sshd:

#%PAM-1.0
auth       sufficient   pam_sepermit.so
auth       include      password-auth
auth       required     pam_mysql.so    config_file=/etc/pam_mysql.conf 
account    sufficient   pam_nologin.so
account    include      password-auth
account    required     pam_mysql.so    config_file=/etc/pam_mysql.conf 
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

And to be complete the contents of some log files..

/var/logs/secure

Nov 20 14:52:20 hostname unix_chkpwd[4891]: check pass; user unknown
Nov 20 14:52:20 hostname unix_chkpwd[4891]: password check failed for user (testuser) 
Nov 20 14:52:20 hostname sshd[4880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.107  user=testuser
Nov 20 14:52:22 sftpusers sshd[4880]: Failed password for testuser from 192.168.10.107 port 51849 ssh2

/var/logs/audit/audit.log

type=USER_AUTH msg=audit(1353420107.070:812): user pid=5285 uid=0 auid=500 ses=24 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="testuser" exe="/usr/sbin/sshd" hostname=? addr=192.168.10.107 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1353420112.312:813): user pid=5285 uid=0 auid=500 ses=24 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="testuser" exe="/usr/sbin/sshd" hostname=192.168.10.107 addr=192.168.10.107 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1353420112.456:814): user pid=5285 uid=0 auid=500 ses=24 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="testuser" exe="/usr/sbin/sshd" hostname=? addr=192.168.10.107 terminal=ssh res=failed'

I tried to let audit2why explain the problem, but it remains silent even though there are some errors.

Does anyone see the problem? Thanks!

EDIT: Turns out it's almost working. With setenforce 0 I can mkdir foobar, but if I do a single ls I get an error: Received message too long 16777216

Best Answer

CentOS 6.3 ships with OpenSSH 5.3p1. There is a known bug that prevents sftp from retrieving the group names of files; the result is that an error is thrown and the connection is closed whenever the ls command is given.

The solution is to download a more recent version of OpenSSH. I took 6.1p1 and built it from source.

Mostly I followed these instructions: http://kb.bobcares.com/?View=entry&EntryID=1059 . In my case libwrap was missing and had to be installed. I did:

yum install tcp_wrappers-devel

Some other libs can be missing; after installing them I configured OpenSSH to enable SELinux. When you reach this step:

./configure --prefix=/usr/local/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-kerberos5 --with-ssl-engine

Do this instead:

./configure --prefix=/usr/local/ssh --with-selinux --with-md5-passwords --with-pam --with-tcp-wrappers --with-kerberos5 --with-ssl-engine

Your default sshd_config file will change to the prefix location's:

/usr/local/ssh/etc/sshd_config

After copying my existing config over that file (you could also alias them) my config magically started working!
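Added illustration (not part of the question or the answer) of where the number in the "Received message too long 16777216" error from the EDIT comes from: the OpenSSH sftp client reads a 4-byte big-endian length prefix from the subsystem channel and aborts with exactly that message when the length exceeds its SFTP_MAX_MSG_LENGTH of 256 KiB, so whatever bytes arrive first on the channel instead of a well-formed SFTP packet are reported as the length. The function name and both sample byte streams below are constructed for this example.

```python
import struct

# Limits and message types as used by the OpenSSH sftp client
# (sftp-common.h / sftp-client.c).
SFTP_MAX_MSG_LENGTH = 256 * 1024
SSH2_FXP_VERSION = 2


def sftp_read_message(stream: bytes):
    """Mimic the client's framing check on one incoming message.

    Returns ("ok", msg_type, payload) for a well-formed packet, or
    ("fatal", message, None) at the point where the client would abort.
    """
    if len(stream) < 4:
        return ("fatal", "Connection closed", None)
    # 4-byte big-endian length, then <msg_type><payload>.
    (msg_len,) = struct.unpack(">I", stream[:4])
    if msg_len > SFTP_MAX_MSG_LENGTH:
        # This is the check that produces "Received message too long N".
        return ("fatal", f"Received message too long {msg_len}", None)
    body = stream[4:4 + msg_len]
    if len(body) != msg_len:
        return ("fatal", "Connection closed", None)
    return ("ok", body[0], body[1:])


# Constructed sample: a well-formed SSH_FXP_VERSION reply for protocol 3.
GOOD_STREAM = struct.pack(">IBI", 5, SSH2_FXP_VERSION, 3)

# Constructed sample: the channel starts with bytes 01 00 00 00 rather than
# an SFTP packet; read as a length this is 0x01000000 = 16777216, the value
# reported in the question.
BAD_STREAM = bytes([0x01, 0x00, 0x00, 0x00]) + b"not an sftp packet"

if __name__ == "__main__":
    print(sftp_read_message(GOOD_STREAM))
    print(sftp_read_message(BAD_STREAM))
```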
