Bug 519232
Field | Value
---|---
Summary: | strange behaviour pam_namespace with ssh
Product: | Fedora
Component: | pam
Status: | CLOSED NOTABUG
Severity: | medium
Priority: | low
Version: | rawhide
Hardware: | All
OS: | Linux
Reporter: | Dominick Grift <dominick.grift>
Assignee: | Tomas Mraz <tmraz>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | tmraz
Doc Type: | Bug Fix
Last Closed: | 2009-08-25 19:17:27 UTC
Description
Dominick Grift
2009-08-25 18:31:30 UTC
erm, wrong description of how to reproduce. This actually happens when you restart sshd. So do 1., then do `service sshd restart` and try to login using ssh again.

There is not quite enough info about how you configured pam_namespace. It is not a trivial task. You will also probably need some `mount --make-rshared` or similar calls if you want to share some mountpoints within namespaces.

This is what's in my /etc/security/namespace.conf:

```
/tmp        /tmp-inst/          level   root,adm
/var/tmp    /var/tmp-inst/      level   root,adm
$HOME       $HOME/$USER.inst/   level   root,adm
```

I set the "allow pam_namespace" selinux boolean to true. This is my /etc/pam.d/sshd:

```
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      system-auth
auth       required     pam_tally2.so deny=5 onerr=fail
account    required     pam_nologin.so
account    include      system-auth
account    required     pam_tally2.so
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    required     pam_namespace.so
session    include      system-auth
```

I did not change anything else.

Please note that everything seems to work fine except: if I login using ssh it asks for my password instead of using pki (~/.ssh/authorized_keys). This is when I am also logged in locally in gnome on that system. If I restart sshd, then it will log me in without prompting for my password, but ssh will create a new dir in my (already instantiated) home dir.

(In reply to comment #3)

> Please note that everything seems to work fine except:
> if I login using ssh it asks for my password instead of using pki
> (~/.ssh/authorized_keys). This is when I am also logged in locally in gnome on
> that system.

Yes, that's to be expected if you polyinstantiate the home directory because sshd does not know anything about polyinstantiation and it does not see the authorized_keys file inside the instance directory. So either do not polyinstantiate the home directory or copy the authorized_keys file to the original non-polyinstantiated home.

> If I restart sshd, then it will log me in without prompting for my password,
> but ssh will create a new dir in my (already instantiated) home dir.

I suppose you restart the sshd inside the polyinstantiated session - then again this is to be expected because you're creating an instance inside another instance. Simply do not do that.
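The failure mode the maintainer describes (sshd reads authorized_keys from the real home while the user's session lives in an instance directory) can be spotted from namespace.conf before it bites. The script below is an added example, not from the bug report or from pam_namespace itself; it parses a namespace.conf in the format used above and reports whether a given directory is polyinstantiated for a given user. The config, user names and home paths are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the bug report): check whether a directory, e.g.
# a user's home, is polyinstantiated by pam_namespace. When the home is,
# sshd still reads ~/.ssh/authorized_keys from the real home, not the
# instance, so public key auth silently falls back to password auth.

# write_sample_conf FILE - constructed namespace.conf mirroring the report
write_sample_conf() {
    printf '%s\n' \
        '# polydir    instance_prefix     method  users_not_polyinstantiated' \
        '/tmp         /tmp-inst/          level   root,adm' \
        '/var/tmp     /var/tmp-inst/      level   root,adm' \
        '$HOME        $HOME/$USER.inst/   level   root,adm' > "$1"
}

# is_polyinstantiated CONF DIR HOME USER
# Prints "yes" (exit 0) if CONF polyinstantiates DIR for USER whose home is
# HOME, else "no" (exit 1). To check pubkey login, pass DIR=HOME.
is_polyinstantiated() {
    conf=$1; dir=${2%/}; home=${3%/}; user=$4
    while read -r polydir instdir method exclude _; do
        case $polydir in ''|\#*) continue ;; esac   # skip blank and comment lines
        # expand $HOME and $USER in the polydir column as pam_namespace does
        # ([\$] keeps the dollar literal for sed; paths must not contain '|' or '&')
        expanded=$(printf '%s' "$polydir" | sed -e "s|[\$]HOME|$home|g" -e "s|[\$]USER|$user|g")
        [ "${expanded%/}" = "$dir" ] || continue
        # 4th column lists users NOT polyinstantiated; a leading '~' inverts
        # it to "only these users"
        case $exclude in
            '~'*) case ",${exclude#\~}," in *",$user,"*) ;; *) continue ;; esac ;;
            *)    case ",$exclude,"         in *",$user,"*) continue ;; esac ;;
        esac
        echo yes; return 0
    done < "$conf"
    echo no; return 1
}

# Demo with the constructed config: alice's home is polyinstantiated (pubkey
# login will fail), root's is not because root is in the exclusion list.
sample=$(mktemp)
write_sample_conf "$sample"
is_polyinstantiated "$sample" /home/alice /home/alice alice    # prints: yes
is_polyinstantiated "$sample" /root /root root || true         # prints: no
rm -f "$sample"
```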