I noticed something weird regarding SSH key-based login and SELinux in permissive mode.
Let me introduce the setup:
The server is an updated CentOS 6.4 x86_64.
We create a user without a password (the user will then be locked):
# useradd testuser
# passwd -S testuser
testuser LK 2013-05-03 0 99999 7 -1 (Password locked.)
Then we setup the ssh keys:
# install -d -m 700 -o testuser -g testuser /home/testuser/.ssh/
# install -m 600 -o testuser -g testuser /root/.ssh/id_rsa.pub /home/testuser/.ssh/authorized_keys
Let's check the SELinux status:
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Then let's try to log in as testuser:
# ssh testuser@localhost
Last login: Fri May 3 13:26:32 2013 from ::1
$
It works!
Now we set SELinux to permissive mode:
# setenforce 0
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
And we try to log in again:
# ssh testuser@localhost
testuser@localhost's password:
SSH doesn't accept the key and asks for a password!
Question: Is that a bug?
EDIT: After restorecon -Rv /home, I have
$ ls -laZ ~/.ssh/
drwx------. user wheel unconfined_u:object_r:ssh_home_t:s0 ./
drwxr-x---. user wheel unconfined_u:object_r:user_home_dir_t:s0 ../
-rw-------. user wheel system_u:object_r:ssh_home_t:s0 authorized_keys
$ getsebool -a | grep 'ssh'
allow_ssh_keysign --> off
fenced_can_ssh --> off
ssh_chroot_full_access --> off
ssh_chroot_manage_apache_content --> off
ssh_chroot_rw_homedirs --> off
ssh_sysadm_login --> off
EDIT:
Here is the content of /var/log/secure
Jun 13 16:30:51 dhcp-240 sshd[13681]: User testuser not allowed because account is locked
Jun 13 16:30:51 dhcp-240 sshd[13682]: input_userauth_request: invalid user testuser
Best Answer
So, I found the problem. It seems to be indeed a configuration problem.
If the sshd_config contains the directive
UsePAM no
then the SSH daemon doesn't accept the user's key and asks for a password. With
UsePAM yes
the login via keys works in all cases (SELinux permissive or enforcing, user account locked or not).
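As an added example (not code from the question or the answer), here is a small Python model of the locked-account check that sshd performs in its allowed_user() routine, which is what produced the "not allowed because account is locked" line in /var/log/secure above. The shadow lines and sshd_config text are constructed inputs, and the "!" marker is assumed from OpenSSH's Linux build setting LOCKED_PASSWD_PREFIX.

```python
import re

# Marker OpenSSH is built with on Linux (LOCKED_PASSWD_PREFIX): a shadow hash
# starting with "!" marks the account as locked. Assumption: Linux build.
LOCKED_PASSWD_PREFIX = "!"

def use_pam_enabled(sshd_config):
    """Effective UsePAM value from sshd_config text.

    Keywords are case-insensitive, '#' starts a comment, the first
    occurrence wins (as in sshd), and the compiled-in default is 'no'.
    """
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"usepam\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() == "yes"
    return False

def shadow_passwd_field(shadow, user):
    """Second field of the user's /etc/shadow line, or None if absent."""
    for line in shadow.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[0] == user:
            return fields[1]
    return None

def sshd_allows_user(sshd_config, shadow, user):
    """(allowed, reason) as sshd's allowed_user() would decide it.

    The lock check runs only when UsePAM is off and applies to every auth
    method, publickey included. With UsePAM on, sshd skips it and defers
    to PAM's account stage; pam_unix there checks shadow expiry fields,
    not the '!' prefix, so a password-locked user can still log in by key.
    """
    passwd = shadow_passwd_field(shadow, user)
    if passwd is None:
        return False, "no shadow entry for %s" % user
    if not use_pam_enabled(sshd_config) and passwd.startswith(LOCKED_PASSWD_PREFIX):
        return False, "User %s not allowed because account is locked" % user
    return True, "lock check passed or deferred to PAM"

# Constructed sample inputs: useradd with no password leaves "!!" in the hash
# field on CentOS; admin carries a placeholder hash standing in for a real one.
SHADOW = "testuser:!!:15828:0:99999:7:::\nadmin:$6$saltsalt$PLACEHOLDERHASH:15828:0:99999:7:::\n"
CONFIG_NO_PAM = "# Red Hat ships UsePAM yes; this mirrors the broken setup\nUsePAM no\n"
CONFIG_PAM = "UsePAM yes\n"
```

Note the flip side: with UsePAM yes, locking only the password hash no longer blocks key-based logins, because the account-stage check pam_unix performs looks at shadow expiry fields; setting an expiry date (chage -E) is what actually disables the account in that configuration.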