I have always used SSH key-based (passwordless) login, but today it suddenly failed. I checked file permissions, the keys and everything else and found nothing wrong; in the end the cause turned out to be SELinux. First, a brief introduction to what SELinux is.
SELinux, short for Security Enhanced Linux, is an implementation of Mandatory Access Control (MAC). Its purpose is to state explicitly which resources a given process on the system is allowed to access.
1. Check the current SELinux mode
getenforce
This returns one of three values: Enforcing, Permissive or Disabled. Disabled means SELinux is turned off; Permissive means SELinux logs security warnings but does not block suspicious actions; Enforcing means it logs the warnings and blocks the suspicious actions.
2. Change the SELinux mode
setenforce 1    # switch to Enforcing
setenforce 0    # switch to Permissive
Now back to the actual problem. I looked at the SELinux context of the authorized_keys file on the server:
ls -lZ ~/.ssh/authorized_keys
-rw-------. user00 user00 unconfined_u:object_r:default_t:s0 authorized_keys
Judging by the default_t type, sshd will be blocked from reading this file while SELinux is enabled, which is what made key-based login fail.
The default_t type is used on files that do not match any pattern in file-context configuration, so that such files can be distinguished from files that do not have a context on disk, and generally are kept inaccessible to confined domains.
For the description of default_t see: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html
tail -f /var/log/messages
SELinux is preventing /usr/sbin/sshd from read access on the file
authorized_keys. For complete SELinux messages. run sealert -l
a14e434d-e649-443d-bd2e-2228b0262a6d
Meanwhile /var/log/audit/audit.log reports:
type=AVC msg=audit(1508813825.775:5620): avc:  denied  { read } for  pid=18600 comm="sshd" name="authorized_keys" dev="sda1" ino=2698667 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
Compare the two contexts in this record: scontext is the context of the process requesting access (sshd, running in the sshd_t domain), while the context of authorized_keys is the tcontext part, default_t. Because of that mismatch, SELinux denied sshd's access.
So the SELinux context of authorized_keys has to be changed. Rather than explain the procedure myself, I quote the relevant documentation directly:
As the Linux root user, run the touch /etc/file1 command to create a new file. By default, newly-created files in the /etc/ directory are labeled with the etc_t type:
~]# ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
Use the ls -dZ directory_name command to list information about a directory.
As the Linux root user, run the semanage fcontext -a -t samba_share_t /etc/file1 command to change the file1 type to samba_share_t. The -a option adds a new record, and the -t option defines a type (samba_share_t). Note that running this command does not directly change the type; file1 is still labeled with the etc_t type:
~]# semanage fcontext -a -t samba_share_t /etc/file1
~]# ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
The semanage fcontext -a -t samba_share_t /etc/file1 command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local:
/etc/file1 unconfined_u:object_r:samba_share_t:s0
As the Linux root user, run the restorecon -v /etc/file1 command to change the type. Because the semanage command added an entry to file_contexts.local for /etc/file1, the restorecon command changes the type to samba_share_t:
~]# restorecon -v /etc/file1
restorecon reset /etc/file1 context unconfined_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0
Source of the above: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html
Following this method, I changed the SELinux context of authorized_keys to unconfined_u:object_r:ssh_home_t:s0, and the problem was completely solved.
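As an added example (not part of the original post), the shell script below puts the steps above together: it parses an AVC denial like the one quoted from audit.log to show which domain was denied access to a file of which type, checks whether a key file carries the ssh_home_t type the fix relies on, and relabels a user's ~/.ssh the way the post does (semanage fcontext followed by restorecon). The relabelling functions assume an SELinux-enabled host, root privileges and GNU coreutils; the parsing functions run anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: diagnose an sshd AVC denial
# and relabel a user's ~/.ssh (semanage fcontext + restorecon, as in the post).

# Third field of an SELinux context: unconfined_u:object_r:default_t:s0 -> default_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Extract one key=value field from an audit record; the value may be quoted.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\{0,1\}\([^ \"]*\)\"\{0,1\}.*/\1/p"
}

# Summarise an AVC denial: which domain (comm) was denied on which file type.
explain_avc() {
    comm=$(avc_field "$1" comm)
    src=$(selinux_type "$(avc_field "$1" scontext)")
    tgt=$(selinux_type "$(avc_field "$1" tcontext)")
    name=$(avc_field "$1" name)
    printf '%s (%s) denied on %s labelled %s\n' "$comm" "$src" "$name" "$tgt"
}

# sshd_t reads key files labelled ssh_home_t; anything else needs relabelling.
key_label_ok() {
    case "$1" in
        ssh_home_t) return 0 ;;
        *)          return 1 ;;
    esac
}

# Current type of a file on disk (GNU stat prints the SELinux context with %C).
file_type() {
    selinux_type "$(stat -c %C "$1")"
}

# Relabel ~/.ssh for user $1 as the post does. Run as root on an SELinux host.
# The fcontext rule matters when the home directory is in a non-standard place;
# restorecon alone applies the targeted policy's existing rule for HOME_DIR/.ssh.
fix_ssh_label() {
    home=$(getent passwd "$1" | cut -d: -f6)
    semanage fcontext -a -t ssh_home_t "$home/.ssh(/.*)?"
    restorecon -Rv "$home/.ssh"
}

# Sample record, copied from the audit.log line quoted in the post.
SAMPLE='type=AVC msg=audit(1508813825.775:5620): avc:  denied  { read } for  pid=18600 comm="sshd" name="authorized_keys" dev="sda1" ino=2698667 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'
explain_avc "$SAMPLE"
# -> sshd (sshd_t) denied on authorized_keys labelled default_t
```

Run `file_type ~/.ssh/authorized_keys` on the affected host to confirm the type before and after `fix_ssh_label user00`.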