Tuesday, March 17, 2015

The weirdest password-less SSH problem in the world, "SELinux DAC vs MAC"

The past few days I have been banging my head against the wall, and bugged tens of people at work and on Stack Overflow, asking them why passwordless SSH would work for one user and not for another.

Here are the weird issues:
  1. Password-less SSH works for users with the default home location but not for the one with a custom location (both have the same permissions and keys).
  2. If I run the SSH server in debug mode it works for both users perfectly fine!

I found the reason after lots of investigation: SELinux's MAC (mandatory access control). It turns out SELinux didn't allow sshd to access the public keys because the user's home folder was a symbolic link.


DAC (discretionary access control) vs MAC (mandatory access control)


Dirty Workaround?

  • Turn off SELinux by:

    echo 0 > /selinux/enforce

  • I also learnt how to pronounce the word discretionary "dəˈskreSHəˌnerē"
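As an added diagnostic example (not code from the original post), here is a POSIX shell script that checks the two conditions behind this symptom: whether the user's home path passes through a symbolic link, and whether the `.ssh` directory carries the `ssh_home_t` SELinux type that sshd (confined as `sshd_t`) is allowed to read. The user names, the `/srv/homes/bob` path and the sample `ls -Z` line are constructed for illustration; `ausearch`, `restorecon` and `semanage` are the standard SELinux tools, and the remediation it prints is the usual relabeling fix, which keeps SELinux enforcing instead of switching it off.

```shell
#!/bin/sh
# Added example: diagnostic helpers for "passwordless SSH works for one user
# but not another" under SELinux. Not the post author's code.

# Return 0 if any component of the given path is a symbolic link (the
# condition the post identified as the cause), else 1. Walks leaf -> /.
path_has_symlink() {
    p=$1
    while [ -n "$p" ] && [ "$p" != / ] && [ "$p" != . ]; do
        if [ -L "$p" ]; then
            return 0
        fi
        p=$(dirname "$p")
    done
    return 1
}

# Return 0 if one line of `ls -Z` output shows the ssh_home_t type, which is
# the label sshd_t may read for ~/.ssh and authorized_keys; else 1.
# Constructed sample line:
#   drwx------. bob bob unconfined_u:object_r:ssh_home_t:s0 .ssh
has_ssh_home_type() {
    case $1 in
        *:ssh_home_t:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print (do not run) the remediation for a home directory: relabel the key
# directory at its real path, and if the home lives outside /home, register
# an equivalence so the tree is labeled like /home from now on.
suggest_fix() {
    home=$1
    real=$(cd "$home" 2>/dev/null && pwd -P) || real=$home
    echo "# 1. Look for denials sshd hit while reading keys:"
    echo "ausearch -m avc -c sshd"
    echo "# 2. Restore default labels on the key directory (real path):"
    echo "restorecon -R -v '$real/.ssh'"
    case $real in
        /home/*) ;;
        *)
            parent=$(dirname "$real")
            echo "# 3. Home is outside /home ($parent): label it like /home"
            echo "semanage fcontext -a -e /home '$parent'"
            echo "restorecon -R -v '$parent'"
            ;;
    esac
}

# Report what is wrong with one user's home and what to do about it.
# Assumes a home directory path, e.g. diagnose /srv/homes/bob (constructed).
diagnose() {
    home=$1
    if path_has_symlink "$home/.ssh"; then
        echo "WARN: $home/.ssh is reached through a symlink; sshd needs the real path labeled ssh_home_t"
    fi
    # Only inspect labels on a host that actually has SELinux.
    if command -v getenforce >/dev/null 2>&1 && [ -d "$home/.ssh" ]; then
        ctx=$(ls -dZ "$home/.ssh" 2>/dev/null || true)
        if [ -n "$ctx" ] && ! has_ssh_home_type "$ctx"; then
            echo "WARN: unexpected SELinux context on $home/.ssh: $ctx"
        fi
    fi
    suggest_fix "$home"
}
```

Run `diagnose /srv/homes/bob` as root on the affected host and apply the printed commands; relabeling keeps the system enforcing, whereas the post's `echo 0 > /selinux/enforce` (or `setenforce 0` on newer systems) drops the whole machine into permissive mode. Item 2 of the post also fits this picture: an `sshd -d` started by hand from an administrator's shell typically inherits that shell's unconfined domain rather than running as `sshd_t`, so the rule that blocks the service-started daemon never applies to it.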


What is next ?

  • I need to study SELinux so I don't have to do dirty workarounds!