Cannot login using ssh when UsePAM is disabled and SELinux is on

Solution Verified

Issue

  • On Red Hat Enterprise Linux 6, ssh login is not possible if 'UsePAM' is set to 'NO' and SELinux is on.
  • Cannot log in using ssh when UsePAM is disabled and SELinux is on.

Tracing of sshd shows:

5490  read(4, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1552
5490  close(4)                          = 0
5490  munmap(0xb75fd000, 4096)          = 0
5490  open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
5490  stat64("/bin/bash", {st_mode=S_IFREG|0755, st_size=877480, ...}) = 0
5490  write(6, "\0\0)\217\10", 5 <unfinished ...>
5491  <... read resumed> "\0\0)\217", 4) = 4

/var/log/secure:

Feb  8 12:41:15 example.com sshd[5483]: error: Could not get shadow information for root
Feb  8 12:41:15 example.com sshd[5483]: Failed password for root from 192.168.1.1 port 41423 ssh2
Feb  8 12:41:17 example.com sshd[5483]: Failed password for root from 192.168.1.2 port 41423 ssh2

/var/log/audit/audit.log:

type=AVC msg=audit(1297958384.484:13923): avc:  denied  { read } for  pid=5219 comm="sshd" name="shadow" dev=dm-0 ino=4115 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
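
The following added example (not part of the original article and not Red Hat tooling) parses the two logs for the symptom pair shown above: an AVC denial of sshd_t reading a shadow_t file, together with sshd's "Could not get shadow information" error. The sample input is constructed from the excerpts above, and all function names are illustrative.

```python
import re

# Constructed sample input: lines copied from the log excerpts above.
SECURE_LOG = """\
Feb  8 12:41:15 example.com sshd[5483]: error: Could not get shadow information for root
Feb  8 12:41:15 example.com sshd[5483]: Failed password for root from 192.168.1.1 port 41423 ssh2
"""
AUDIT_LOG = (
    'type=AVC msg=audit(1297958384.484:13923): avc:  denied  { read } for  pid=5219 '
    'comm="sshd" name="shadow" dev=dm-0 ino=4115 '
    'scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {"perms": m.group("perms").split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest")):
        fields[key] = value.strip('"')
    # An SELinux context is user:role:type:level; the type is the third field.
    for ctx in ("scontext", "tcontext"):
        parts = fields.get(ctx, "").split(":")
        fields[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return fields

def sshd_shadow_denials(audit_text):
    """AVC records in which sshd_t was denied read on a shadow_t file."""
    hits = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if (avc and avc["scontext_type"] == "sshd_t"
                and avc["tcontext_type"] == "shadow_t"
                and avc.get("tclass") == "file" and "read" in avc["perms"]):
            hits.append(avc)
    return hits

def shadow_lookup_failures(secure_text):
    """User names for which sshd logged a failed shadow lookup."""
    pattern = r'sshd\[\d+\]: error: Could not get shadow information for (\S+)'
    return re.findall(pattern, secure_text)

def diagnose(secure_text, audit_text):
    """True when both logs show the symptom pattern described in this article."""
    return bool(sshd_shadow_denials(audit_text)) and bool(shadow_lookup_failures(secure_text))
```

On a live system, pass the contents of /var/log/secure and /var/log/audit/audit.log to `diagnose()` in place of the constructed samples.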

Environment

  • Red Hat Enterprise Linux 6
