Cannot login using ssh when UsePAM is disabled and SELinux is on

Solution Verified - Updated -

Issue

  • On Red Hat Enterprise Linux 6, ssh login is not possible if 'UsePAM' is set to 'no' and SELinux is on.
  • Cannot log in using ssh when UsePAM is disabled and SELinux is on.

Tracing of sshd shows:

5490  read(4, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1552
5490  close(4)                          = 0
5490  munmap(0xb75fd000, 4096)          = 0
5490  open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
5490  stat64("/bin/bash", {st_mode=S_IFREG|0755, st_size=877480, ...}) = 0
5490  write(6, "\0\0)\217\10", 5 <unfinished ...>
5491  <... read resumed> "\0\0)\217", 4) = 4

/var/log/secure :

Feb  8 12:41:15 example.com sshd[5483]: error: Could not get shadow information for root
Feb  8 12:41:15 example.com sshd[5483]: Failed password for root from 192.168.1.1 port 41423 ssh2
Feb  8 12:41:17 example.com sshd[5483]: Failed password for root from 192.168.1.2 port 41423 ssh2

/var/log/audit/audit.log :

type=AVC msg=audit(1297958384.484:13923): avc:  denied  { read } for  pid=5219 comm="sshd" name="shadow" dev=dm-0 ino=4115 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file

Environment

  • Red Hat Enterprise Linux 6
