Authenticating with libpam-mysql and libnss-mysql (CentOS)
- by Chris
I'm trying to get MySQL to function as a backend for authenticating users on CentOS 6.3. So far I have successfully installed and configured libnss-mysql. I can test this by doing:
# groups testuser
testuser : sftp
Testuser is a member of the sftp group; in fact, all MySQL-based user accounts will be hardcoded to it. The sftp group is chrooted and forced to use internal-sftp, so its members cannot do anything but access their home directory.
Then I configured pam-mysql and PAM to allow MySQL logins. This also works... when SELinux is not enforcing.
When I do setenforce 1, users can no longer log in. Error:
Permission denied, please try again.
This is my pam_mysql.conf file:
users.host=localhost
users.db_user=nss-pam-user
users.db_passwd=***********
users.database=sftpusers
users.table=users
users.user_column=username
users.password_column=password
users.password_crypt=6
verbose=1
My /etc/pam.d/sshd:
#%PAM-1.0
auth sufficient pam_sepermit.so
auth include password-auth
auth required pam_mysql.so config_file=/etc/pam_mysql.conf
account sufficient pam_nologin.so
account include password-auth
account required pam_mysql.so config_file=/etc/pam_mysql.conf
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
And to be complete, the contents of some log files:
/var/log/secure
Nov 20 14:52:20 hostname unix_chkpwd[4891]: check pass; user unknown
Nov 20 14:52:20 hostname unix_chkpwd[4891]: password check failed for user (testuser)
Nov 20 14:52:20 hostname sshd[4880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.107 user=testuser
Nov 20 14:52:22 sftpusers sshd[4880]: Failed password for testuser from 192.168.10.107 port 51849 ssh2
/var/log/audit/audit.log
type=USER_AUTH msg=audit(1353420107.070:812): user pid=5285 uid=0 auid=500 ses=24 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="testuser" exe="/usr/sbin/sshd" hostname=? addr=192.168.10.107 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1353420112.312:813): user pid=5285 uid=0 auid=500 ses=24 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="testuser" exe="/usr/sbin/sshd" hostname=192.168.10.107 addr=192.168.10.107 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1353420112.456:814): user pid=5285 uid=0 auid=500 ses=24 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="testuser" exe="/usr/sbin/sshd" hostname=? addr=192.168.10.107 terminal=ssh res=failed'
I tried to let audit2why explain the problem, but it remains silent even though there are some errors.
Does anyone see the problem? Thanks!
EDIT: Turns out it's almost working: with setenforce 0 I can mkdir foobar, but if I do a single ls I get an error: Received message too long 16777216