Red Hat Bugzilla – Bug 519232
strange behaviour pam_namespace with ssh
Last modified: 2009-08-25 15:17:27 EDT
Description of problem:
I use pam_namespace and ssh. If I am logged into a GNOME session and also try to log in from remote using ssh, then ssh cannot find ~/.ssh/authorized_keys. ssh prompts for a password.
If I am not logged into a GNOME session and I try to log in from a remote session using ssh, then ssh *can* find ~/.ssh/authorized_keys. ssh does *not* prompt for a password. But ssh creates a new <username>.inst inside my existing one.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Log in locally in GNOME. Add a public key from a remote system to your ~/.ssh/authorized_keys, and log in from that remote system via ssh (note that ssh prompts for a password and once the password is entered you will be in the right ~).
2. Log out of your local GNOME session and from the remote system log in using ssh (note that ssh logs you in without prompting for a password and that you will be in an empty ~, not the ~ where your actual .ssh/authorized_keys file is), somewhere like this:
/home/dgrift/dgrift.inst/dgrift_u:dgrift_r:dgrift_t:s0-s0:c0.c1023_dgrift/dgrift.inst/dgrift_u:dgrift_r_dgrift_t:s0-s0:c0.1023/
So in short, polyinstantiation works fine if you only use it for the GUI or only for ssh. Once you start using it for both, ssh shows strange behaviour.
Erm, wrong description of how to reproduce.
This actually happens when you restart sshd.
So do step 1, then do "service sshd restart" and try to log in using ssh again.
There is not quite enough info about how you configured pam_namespace. It is not a trivial task. You will also probably need some mount --make-rshared or similar calls if you want to share some mountpoints within namespaces.
This is what's in my /etc/security/namespace.conf:
/tmp /tmp-inst/ level root,adm
/var/tmp /var/tmp-inst/ level root,adm
$HOME $HOME/$USER.inst/ level root,adm
I set the "allow pam_namespace" SELinux boolean to true.
This is my /etc/pam.d/sshd:
auth required pam_sepermit.so
auth include system-auth
auth required pam_tally2.so deny=5 onerr=fail
account required pam_nologin.so
account include system-auth
account required pam_tally2.so
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include system-auth
I did not change anything else.
Please note that everything seems to work fine except:
If I log in using ssh it asks for my password instead of using PKI (~/.ssh/authorized_keys). This is when I am also logged in locally in GNOME on that system.
If I restart sshd, then it will log me in without prompting for my password, but ssh will create a new dir in my (already instantiated) home dir.
(In reply to comment #3)
> Please note that everything seems to work fine except:
> if i login using ssh it asks for my password instead of using pki
> (~/ssh/authorized_keys) This is when i am also logged in locally in gnome on
> that system)
Yes, that's to be expected if you polyinstantiate the home directory, because sshd does not know anything about polyinstantiation and it does not see the authorized_keys file inside the instance directory. So either do not polyinstantiate the home directory or copy the authorized_keys file to the original non-polyinstantiated home.
> If i restart sshd, then it will log me in without prompting for my password.
> but ssh will create a new dir in my (already instantiated home dir)
I suppose you restart the sshd inside the polyinstantiated session - then again this is to be expected because you're creating instance inside another instance.
Simply do not do that.
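Added example, not code from the bug report or from the pam_namespace project: a small root-side helper for the workaround suggested in the previous comment. The reason the workaround is needed is visible in the /etc/pam.d/sshd above: pam_namespace is a session module, and sshd reads ~/.ssh/authorized_keys during authentication, before the session stack runs, so the instance directory is not yet mounted over $HOME when the key lookup happens. The script assumes the namespace.conf shown in this bug (instances under $HOME/$USER.inst/, root and adm exempt from polyinstantiation), so it must be run by root from a session that is not itself polyinstantiated; the function names, the sync/check subcommands and the explicit home-directory and user arguments are my own. sync merges the authorized_keys files of every instance into the real ~/.ssh/authorized_keys that sshd actually reads; check reports instance directories that were created inside another instance, which is the state the second comment describes after restarting sshd from inside a polyinstantiated session.

```shell
#!/bin/sh
# Added example, not code from the bug report or from pam_namespace.
# Assumes the namespace.conf on this page: instance directories live under
# $HOME/$USER.inst/ and root/adm are exempt, so root in a normal
# (non-polyinstantiated) session sees the real home directory sshd reads.
# Function names and arguments are my own; HOME_DIR and USER are passed
# explicitly so the helpers can be tried on a scratch tree first.
set -u

# Merge every instance's .ssh/authorized_keys into the real
# HOME_DIR/.ssh/authorized_keys. sshd checks that file during authentication,
# before the PAM session stack (and therefore pam_namespace) runs, so keys
# that exist only inside an instance are never seen by sshd.
sync_authorized_keys() {
    home=$1
    user=$2
    inst="$home/$user.inst"
    real="$home/.ssh/authorized_keys"
    if [ ! -d "$inst" ]; then
        echo "no instance directory $inst" >&2
        return 1
    fi
    # Only direct instances: inst/<context>_<user>/.ssh/authorized_keys.
    # Nested instances (see find_nested_instances) are deliberately skipped.
    files=$(find "$inst" -mindepth 3 -maxdepth 3 -type f \
                 -path '*/.ssh/authorized_keys')
    if [ -z "$files" ]; then
        echo "no authorized_keys in any instance of $user" >&2
        return 1
    fi
    tmp=$(mktemp)
    # Existing real keys first, then the instance keys; duplicate lines are
    # dropped so the helper can be re-run safely.
    if [ -f "$real" ]; then
        cat "$real" >> "$tmp"
    fi
    printf '%s\n' "$files" | while IFS= read -r f; do
        cat "$f"
    done >> "$tmp"
    ( umask 077
      mkdir -p "$home/.ssh"
      awk 'NF && !seen[$0]++' "$tmp" > "$real" )
    rm -f "$tmp"
    chmod 700 "$home/.ssh"
    chmod 600 "$real"
    # Ownership only matters (and only works) when run as root.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user" "$home/.ssh" "$real" 2>/dev/null ||
            echo "warning: could not chown to $user" >&2
    fi
    return 0
}

# Report instance directories created inside another instance, which is what
# you get when sshd is restarted from inside a polyinstantiated session.
# Prints the nested paths and returns 1 if any exist, 0 if the tree is clean.
find_nested_instances() {
    home=$1
    user=$2
    inst="$home/$user.inst"
    [ -d "$inst" ] || return 0
    nested=$(find "$inst" -mindepth 2 -type d -name "$user.inst")
    if [ -n "$nested" ]; then
        printf '%s\n' "$nested" | sed 's/^/nested instance: /'
        return 1
    fi
    return 0
}

# Usage (as root, outside any polyinstantiated session):
#   sh fix-inst-keys.sh sync  /home/dgrift dgrift
#   sh fix-inst-keys.sh check /home/dgrift dgrift
case "${1:-}" in
    sync)  sync_authorized_keys "$2" "$3" ;;
    check) find_nested_instances "$2" "$3" ;;
esac
```

The other option from the previous comment, not polyinstantiating the home directory at all, is just removing the $HOME line from namespace.conf and keeping the /tmp and /var/tmp lines; then nothing needs syncing. If check reports nested instances, the restart was done from inside a session, and the cure is the same as stated above: restart sshd from a non-polyinstantiated session, then remove the nested <user>.inst directories once no session is using them.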