I'm trying to use the SSH AuthorizedKeysCommand on a CentOS 6.5 machine, but I'm encountering an SELinux error. When I switch SELinux to permissive mode (using setenforce 0) it works, but when I turn SELinux back to enforcing, the command no longer works.

I get the following entry in my audit log (all one line):
type=AVC msg=audit(1404210795.382:917): avc: denied { execute } for pid=2924 comm="sshd" name="get-keys" dev=dm-0 ino=167467 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
The SELinux policy for the get-keys command was different before. I set it to the same settings as the sshd command. I've also tried setting all SSH-relevant SELinux Booleans to true (all the ones I could find with grep):
$ getsebool -a | grep ssh
allow_ssh_keysign --> on
fenced_can_ssh --> on
ssh_chroot_full_access --> on
ssh_chroot_manage_apache_content --> on
ssh_chroot_rw_homedirs --> on
ssh_sysadm_login --> on
/usr/bin/get-ssh-keys/ contains the get-keys command. Here are the permissions for that directory:
$ ls -laZ /usr/bin/get-ssh-keys/
drwxr--r--. root root unconfined_u:object_r:etc_t:s0 .
dr-xr-xr-x. root root system_u:object_r:bin_t:s0 ..
-rwx--x--x. root root system_u:system_r:sshd_t:s0-s0:c0.c1023 get-keys
[...]
$ ls -laZ /usr/
drwxr-xr-x. root root system_u:object_r:usr_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
[...]
And here are the relevant /etc/ssh/sshd_config settings:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysCommand /usr/bin/get-ssh-keys/get-keys
AuthorizedKeysCommandRunAs root
The get-keys command connects over a socket to another server and also writes to a log file at /var/log/get-ssh-keys/error_log. Maybe that's why SELinux is preventing access, but I don't think so.

Is there something plainly obvious I'm missing?
There's some confusion about the AuthorizedKeysCommand. It doesn't actually read keys from the ~/.ssh/ directory. Instead, the AuthorizedKeysCommand setting specifies a program that prints all keys for a given user to stdout, one key per line.

The command I've specified, get-keys, works with SELinux set to permissive but fails when it is set to enforcing. With SELinux enforcing I get prompted for a password, but with SELinux permissive I'm allowed to log in using the keys the command retrieves.
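Added example, not code from the question or the answer: a small POSIX sh helper that pulls the key=value fields out of an AVC denial line like the one above and classifies it. The heuristic it applies is my own: a denial where tclass=file but the target context's role is system_r rather than object_r points at the file's label (a process-domain context on a regular file) rather than at a missing Boolean, so that is the first thing to check. The function names are assumptions; the first input is the question's denial joined onto one line, the second is a constructed comparison line with an ordinary object label.

```shell
#!/bin/sh
# Added example (not from the question or answer): parse an SELinux AVC denial
# line from audit.log and flag a target file that carries a process role.

# Constructed input 1: the question's denial line, joined onto one line.
AVC_LINE='type=AVC msg=audit(1404210795.382:917): avc: denied { execute } for pid=2924 comm="sshd" name="get-keys" dev=dm-0 ino=167467 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file'

# Constructed input 2: same denial, but the file carries a normal object label.
AVC_LINE_OBJ='type=AVC msg=audit(1404210795.382:918): avc: denied { execute } for pid=2924 comm="sshd" name="get-keys" dev=dm-0 ino=167467 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# avc_field LINE KEY: print the value of " KEY=value" (surrounding quotes stripped).
# A leading space is prepended so a key at the very start of the line still matches.
avc_field() {
    printf ' %s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: print the denied permission set, e.g. "execute".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# avc_ctx_part CONTEXT N: Nth colon-separated field of a context (2=role, 3=type).
avc_ctx_part() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# classify_avc LINE: print a one-word diagnosis (heuristic, my own).
#   mislabeled-target  tclass=file and the target role is not object_r: the file
#                      does not carry a file label, so inspect/relabel it first
#   policy-gap         the target looks like a normal object; look at Booleans
#                      or at the policy itself
classify_avc() {
    _tclass=$(avc_field "$1" tclass)
    _trole=$(avc_ctx_part "$(avc_field "$1" tcontext)" 2)
    if [ "$_tclass" = file ] && [ "$_trole" != object_r ]; then
        echo mislabeled-target
    else
        echo policy-gap
    fi
}

# report_avc LINE: one-line human-readable summary of a denial.
report_avc() {
    printf '%s[%s] denied %s on %s "%s": source type %s, target %s -> %s\n' \
        "$(avc_field "$1" comm)" "$(avc_field "$1" pid)" "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" name)" \
        "$(avc_ctx_part "$(avc_field "$1" scontext)" 3)" \
        "$(avc_field "$1" tcontext)" "$(classify_avc "$1")"
}

report_avc "$AVC_LINE"
report_avc "$AVC_LINE_OBJ"
```

Run it against real entries with something like `grep 'avc:  denied' /var/log/audit/audit.log | while read -r l; do report_avc "$l"; done` (after sourcing the functions); the classification only separates "look at the file label" from "look at policy", it does not say which label or Boolean is right.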
Best Answer
Mate, I'm sure you figured it out already, but just in case: the tool will tell you what to do.