I have a bunch of systems that use SSH with GSSAPI authentication, and in some recent testing with SELinux on Ubuntu and RHEL, I ran into several hiccups that I thought I would document.
When using SELinux (targeted):
- On RHEL, sshd will be able to read .k5login files in /home/$USER/.k5login even if they are not correctly labeled krb5_home_t. It will not be able to read /root/.k5login until the file is labeled correctly; restorecon -vv /root/.k5login will set that straight on RHEL.
- On Debian Wheezy (and I think on Ubuntu 12.04 as well), there is no krb5_home_t type, so use something else for .k5login files (restorecon won't help without the correct type). The labels on both /root/.k5login and /home/$USER/.k5login will probably need to be changed. I used etc_t for the time being. If anyone knows of a better type, please comment.
- You should use semanage fcontext instead of chcon for changing file labels unless you really have reason to do otherwise. Making label changes persistent across relabeling the filesystem can save you a lot of pain.
- PAM modules that execute a command, like pam-afs-session, need the executable labeled so that it can be run from the context PAM is running in. In this case, I labeled /usr/bin/aklog as shell_exec_t so the PAM module could execute it and get an AFS token after the Kerberos ticket cache had been initialized.
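The following script is an added example, not code from the original post. It pulls the .k5login and aklog labeling steps above into persistent semanage fcontext rules plus restorecon, so the labels survive a full relabel (which a plain chcon would not). It assumes the RHEL-style tools semanage, restorecon and matchpathcon are installed, optionally seinfo from setools for detecting whether krb5_home_t exists in the loaded policy, and falls back to etc_t otherwise, as the post does on Debian/Ubuntu. The helper names (fcontext_pattern, k5login_type, persist_label, and so on) and the K5LOGIN_TYPE override are my own choices.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes RHEL-style SELinux
# tooling: semanage (policycoreutils), restorecon, matchpathcon, and
# optionally seinfo (setools) for checking whether a type exists.

# semanage fcontext takes a regular expression, not a literal path, so a "."
# in a path must be escaped or /root/.k5login would also match /root/xk5login.
# Only dots are escaped here; the [^/]+ in the home-dir pattern is meant as regex.
fcontext_pattern() {
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

# Choose the .k5login type: krb5_home_t where the loaded policy defines it
# (RHEL), otherwise fall back to etc_t as used above for Debian/Ubuntu.
# K5LOGIN_TYPE in the environment overrides the detection. The seinfo
# invocation (attached -t argument, one type name per output line) is an
# assumption about setools 3/4 output format.
k5login_type() {
    if [ -n "${K5LOGIN_TYPE:-}" ]; then
        echo "$K5LOGIN_TYPE"
    elif command -v seinfo >/dev/null 2>&1 &&
         seinfo -tkrb5_home_t 2>/dev/null | grep -q '^[[:space:]]*krb5_home_t$'; then
        echo krb5_home_t
    else
        echo etc_t
    fi
}

# Add a persistent rule (it survives a full relabel, unlike chcon); if the
# pattern is already registered, modify the existing rule instead of failing.
persist_label() {
    type=$1
    pattern=$(fcontext_pattern "$2")
    semanage fcontext -a -t "$type" "$pattern" 2>/dev/null ||
        semanage fcontext -m -t "$type" "$pattern"
}

# Register rules for root's and every user's .k5login, then apply them now.
# restorecon -i skips paths that do not exist yet.
label_k5login_files() {
    type=$(k5login_type)
    persist_label "$type" '/root/.k5login'
    persist_label "$type" '/home/[^/]+/.k5login'
    restorecon -vi /root/.k5login /home/*/.k5login
}

# The aklog workaround from the post: let the PAM module execute it.
label_aklog() {
    persist_label shell_exec_t /usr/bin/aklog
    restorecon -v /usr/bin/aklog
}

# Show what the policy now expects for a path versus what is on disk.
show_k5login_labels() {
    matchpathcon /root/.k5login
    ls -Z /root/.k5login /home/*/.k5login 2>/dev/null
}

case "${1:-}" in
    apply) label_k5login_files; label_aklog; show_k5login_labels ;;
esac
```

Run it as `sh k5login-labels.sh apply` as root on the target host; without the `apply` argument it only defines the functions, so it can be sourced and the pieces used individually. Setting `K5LOGIN_TYPE` forces a particular type if you find something better than etc_t on Debian.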