Selinux in permissive mode, ssh key based auth and locked account

Tags: centos6, selinux, ssh-keys

I noticed something weird regarding ssh key based login and selinux in permissive mode.

Let me introduce the setup:
The server is an up-to-date CentOS 6.4 x86_64.

We create a user without a password (the user will then be locked):

# useradd testuser
# passwd -S testuser
testuser LK 2013-05-03 0 99999 7 -1 (Password locked.)

Then we set up the SSH keys:

# install -d -m 700 -o testuser -g testuser /home/testuser/.ssh/
# install -m 600 -o testuser -g testuser /root/.ssh/id_rsa.pub /home/testuser/.ssh/authorized_keys

Let's check the SELinux status:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Then let's try to log in as testuser:

# ssh testuser@localhost
Last login: Fri May  3 13:26:32 2013 from ::1
$

It works!
Now we set SELinux to permissive mode:

# setenforce 0
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

And we try to log in again:

# ssh testuser@localhost
testuser@localhost's password:

SSH doesn't accept the key and asks for a password!

Question: Is that a bug?

EDIT: After restorecon -Rv /home, I have:

$ ls -laZ ~/.ssh/
drwx------. user wheel unconfined_u:object_r:ssh_home_t:s0 ./
drwxr-x---. user wheel unconfined_u:object_r:user_home_dir_t:s0 ../
-rw-------. user wheel system_u:object_r:ssh_home_t:s0  authorized_keys

$ getsebool -a | grep 'ssh'
allow_ssh_keysign --> off
fenced_can_ssh --> off
ssh_chroot_full_access --> off
ssh_chroot_manage_apache_content --> off
ssh_chroot_rw_homedirs --> off
ssh_sysadm_login --> off

EDIT:
Here is the content of /var/log/secure:

Jun 13 16:30:51 dhcp-240 sshd[13681]: User testuser not allowed because account is locked
Jun 13 16:30:51 dhcp-240 sshd[13682]: input_userauth_request: invalid user testuser

Best Answer

So, I found the problem. It seems to be indeed a configuration problem.

If the sshd_config contains the directive UsePAM no, then the SSH daemon doesn't accept the user's key and asks for a password.

With UsePAM yes, login via keys works in all cases (SELinux permissive or enforcing, user account locked or not).
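As an added audit check (not part of the original thread), the following script applies the rule from the answer above to the text of an sshd_config and the output of `passwd -S`, and lists the locked accounts whose key-based logins sshd would refuse. The sample inputs and the function names are my own constructions.

```python
"""Predict which locked accounts sshd will refuse for key-based login.

Rule from the answer above: with 'UsePAM no', sshd itself rejects any
account whose password is locked (the '/var/log/secure' line
'User ... not allowed because account is locked'), even when a valid
authorized_keys entry exists. With 'UsePAM yes' a locked password does
not block public-key logins.
"""
import re

# Constructed sample inputs (not taken from the original post).
SSHD_CONFIG = """\
# sshd_config excerpt (constructed)
Port 22
usepam no
PubkeyAuthentication yes
"""

PASSWD_STATUS = """\
testuser LK 2013-05-03 0 99999 7 -1 (Password locked.)
deploy PS 2013-04-01 0 99999 7 -1 (Password set, SHA512 crypt.)
svc NP 2013-04-01 0 99999 7 -1 (Empty password.)
"""

# Accepts both 'Keyword value' and 'Keyword=value'; keywords are
# case-insensitive in sshd_config.
_DIRECTIVE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(\S+)")


def usepam_enabled(sshd_config: str) -> bool:
    """Effective UsePAM value. sshd keeps the first value it reads for a
    keyword, and a Match block ends the global section. Upstream OpenSSH
    defaults UsePAM to 'no' when the directive is absent."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            break
        if key == "usepam":
            return value == "yes"
    return False


def locked_accounts(passwd_status: str) -> set:
    """Accounts that 'passwd -S' reports as LK (password locked)."""
    return {f[0] for f in (l.split() for l in passwd_status.splitlines())
            if len(f) >= 2 and f[1] == "LK"}


def key_logins_refused(sshd_config: str, passwd_status: str) -> list:
    """Locked accounts whose public-key logins sshd will refuse."""
    if usepam_enabled(sshd_config):
        return []
    return sorted(locked_accounts(passwd_status))


if __name__ == "__main__":
    for user in key_logins_refused(SSHD_CONFIG, PASSWD_STATUS):
        print(f"{user}: key login refused (UsePAM no + locked password)")
```

On a live host, feed it the output of `sshd -T` (the effective configuration) rather than the raw file if the config uses includes or overrides.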