Description of problem:
I am unable to log in to my system using password (logging using ssh public key is working). This message is in /var/log/secure:

Jan 3 06:54:46 work sshd[4235]: error: Could not get shadow information for MYLOGIN
Jan 3 06:54:46 work sshd[4235]: Failed password for MYLOGIN from 15.197.150.60 port 44933 ssh2

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-72.fc8

How reproducible:
always

Steps to Reproduce:
1. setenforce 1
2. log in to your system without pubkey usage

Actual results:
Permission denied (publickey,password,keyboard-interactive).

Expected results:
log in

Additional info:
After using "semodule -DB", "audit2allow -l -a" shows:

allow sshd_t shadow_t:file { read getattr };

but I am unable to allow this:

libsepol.check_assertion_helper: neverallow violated by allow sshd_t shadow_t:file { read };

Do you have sshd set up to not use pam? sshd using pam does not need to read the shadow file directly; it uses a helper application to read the shadow file. Allowing sshd to read the shadow file directly is considered a potential security risk. If you use the interface auth_read_shadow(sshd_t) instead of the allow rule, the policy module should build and install.
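
The question asked in the reply above can be answered from the sshd configuration file. The script below is an added example, not part of the original report or reply; the function names are hypothetical, and it assumes a single config file (no Include handling) and the upstream OpenSSH default of UsePAM no when the keyword is absent.

```shell
#!/bin/sh
# Added example: report which UsePAM value sshd takes from a config file,
# and which path to /etc/shadow that implies under SELinux enforcing mode.

# Print the effective UsePAM value for the file given as $1.
# sshd_config rules applied here: keywords are case-insensitive, lines
# starting with '#' are comments, keyword and value may be separated by
# whitespace or '=', and the first value obtained for a keyword wins.
effective_usepam() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == "usepam") { print f[2]; found = 1; exit }
        }
        # Assumption: upstream default when the keyword never appears.
        END { if (!found) print "no" }
    ' "$1"
}

# Print "pam-helper" when sshd authenticates through PAM (no direct shadow
# read by sshd_t needed), or "direct" when sshd itself must read the shadow
# file, which is the access the neverallow assertion in the report blocks.
shadow_access_path() {
    if [ "$(effective_usepam "$1")" = "yes" ]; then
        echo "pam-helper"
    else
        echo "direct"
    fi
}

# Stand-alone use: sh this-script /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    echo "UsePAM: $(effective_usepam "$1")"
    echo "shadow access: $(shadow_access_path "$1")"
fi
```

A result of "direct" matches the symptom in the report; setting UsePAM yes and restarting sshd avoids the need for any rule granting sshd_t access to shadow_t.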