我注意到在宽容模式下,基于 ssh 密钥的登录和 selinux 有一些奇怪的地方。
让我向您介绍设置:服务器是更新的 Centos 6.4 x86_64。
我们创建没有密码的用户(然后用户将被锁定):
# useradd testuser
# passwd -S testuser
testuser LK 2013-05-03 0 99999 7 -1 (Password locked.)
然后我们设置 ssh 密钥:
# install -d -m 700 -o testuser -g testuser /home/testuser/.ssh/
# install -m 600 -o testuser -g testuser /root/.ssh/id_rsa.pub /home/testuser/.ssh/authorized_keys
让我们检查一下selinux状态
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
然后让我们尝试以 testuser 身份登录:
# ssh testuser@localhost
Last login: Fri May 3 13:26:32 2013 from ::1
$
有用 !现在我们将 Selinux 设置为宽容模式
# setenforce 0
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
我们再次尝试登录:
# ssh testuser@localhost
testuser@localhost's password:
SSH 不接受密钥并要求输入密码!
问题:那是一个错误吗?
编辑:在 restorecon -Rv /home 之后,我有
$ ls -laZ ~/.ssh/
drwx------. user wheel unconfined_u:object_r:ssh_home_t:s0 ./
drwxr-x---. user wheel unconfined_u:object_r:user_home_dir_t:s0 ../
-rw-------. user wheel system_u:object_r:ssh_home_t:s0 authorized_keys
$ getsebool -a | grep 'ssh'
allow_ssh_keysign --> off
fenced_can_ssh --> off
ssh_chroot_full_access --> off
ssh_chroot_manage_apache_content --> off
ssh_chroot_rw_homedirs --> off
ssh_sysadm_login --> off
编辑:这是 /var/log/secure 的内容
Jun 13 16:30:51 dhcp-240 sshd[13681]: User testuser not allowed because account is locked
Jun 13 16:30:51 dhcp-240 sshd[13682]: input_userauth_request: invalid user testuser