Authenticate by libpam-mysql and libnss-mysql (CentOS)

Posted by Chris on Server Fault, published 2012-11-22T20:41:00Z


I'm trying to get MySQL to function as a backend for authenticating users on CentOS 6.3. So far I have successfully installed and configured libnss-mysql. I can test this by doing:

# groups testuser
testuser : sftp

Testuser is a member of the sftp group; in fact, all MySQL-based user accounts will be hardcoded to it. The sftp group is chrooted and forced to use internal-sftp, so they cannot do anything but access their home directory.

Then I configured pam-mysql and PAM to allow MySQL logins. This also works... when SELinux is not enforcing.

When I do setenforce 1, users can no longer log in. Error:

Permission denied, please try again.

This is my pam_mysql.conf file:

users.host=localhost
users.db_user=nss-pam-user
users.db_passwd=***********
users.database=sftpusers
users.table=users
users.user_column=username
users.password_column=password
users.password_crypt=6
verbose=1

My /etc/pam.d/sshd:

#%PAM-1.0
auth       sufficient   pam_sepermit.so
auth       include      password-auth
auth       required     pam_mysql.so    config_file=/etc/pam_mysql.conf 
account    sufficient   pam_nologin.so
account    include      password-auth
account    required     pam_mysql.so    config_file=/etc/pam_mysql.conf 
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

And to be complete, the contents of some log files:

/var/logs/secure

Nov 20 14:52:20 hostname unix_chkpwd[4891]: check pass; user unknown
Nov 20 14:52:20 hostname unix_chkpwd[4891]: password check failed for user (testuser) 
Nov 20 14:52:20 hostname sshd[4880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.107  user=testuser
Nov 20 14:52:22 sftpusers sshd[4880]: Failed password for testuser from 192.168.10.107 port 51849 ssh2

/var/logs/audit/audit.log
type=USER_AUTH msg=audit(1353420107.070:812): user pid=5285 uid=0 auid=500 ses=24 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="testuser" exe="/usr/sbin/sshd" hostname=? addr=192.168.10.107 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1353420112.312:813): user pid=5285 uid=0 auid=500 ses=24 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="testuser" exe="/usr/sbin/sshd" hostname=192.168.10.107 addr=192.168.10.107 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1353420112.456:814): user pid=5285 uid=0 auid=500 ses=24 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="testuser" exe="/usr/sbin/sshd" hostname=? addr=192.168.10.107 terminal=ssh res=failed'

I tried to let audit2why explain the problem but it remains silent even though there are some errors.

Does anyone see the problem? Thanks!

EDIT: Turns out it's almost working. With setenforce 0 I can mkdir foobar, but if I do a single ls I get an error: Received message too long 16777216
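A quick check for the SELinux denial that setenforce 1 triggers, added here as an example and not taken from the question above (the sample audit records are constructed, and the MySQL socket denial in them is hypothetical):

```shell
#!/bin/sh
# Added example (not from the original post): pick out SELinux AVC denials
# raised in the sshd domain, which is where pam_mysql runs when it talks to
# MySQL. If this finds nothing while setenforce 0 fixes the login, the denial
# is probably covered by a dontaudit rule, which is why audit2why stays silent.
#
# On the real host you would feed it the audit log, e.g.
#   sshd_avc_denials "$(cat /var/log/audit/audit.log)"
# or run `ausearch -m avc -ts recent`. To surface dontaudit'ed denials:
#   semodule -DB   # rebuild the policy with dontaudit rules disabled
#   (reproduce the login, inspect the AVCs, then)  semodule -B   # restore

# Constructed sample audit records: one hypothetical AVC denial from sshd_t
# (socket path, permission and classes are assumptions), an unrelated
# USER_AUTH line, and an AVC from another domain that must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1353420112.300:811): avc:  denied  { connectto } for  pid=5285 comm="sshd" path="/var/lib/mysql/mysql.sock" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=USER_AUTH msg=audit(1353420112.312:813): user pid=5285 uid=0 auid=500 ses=24 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg=op=PAM:authentication acct="testuser" res=failed
type=AVC msg=audit(1353420120.000:815): avc:  denied  { read } for  pid=1234 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# Print AVC denials whose source context is sshd_t, one per line.
sshd_avc_denials() {
    printf '%s\n' "$1" | grep 'type=AVC' | grep 'avc:.*denied' | grep 'scontext=[^ ]*:sshd_t:'
}

# Number of such denials (0 means none were logged, possibly because of dontaudit).
count_sshd_avc_denials() {
    sshd_avc_denials "$1" | grep -c .
}

# Target context of each denial, so you can see which domain sshd was kept away from.
sshd_avc_targets() {
    sshd_avc_denials "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p'
}
```

Once a denial is visible, `audit2allow -a` will propose the rule to load with semodule; check that it only allows what the pam_mysql stack needs before loading it.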
