Using Duo SSH 2FA with SELinux Enabled

Feb 24, 2016 Security

Introduction

I’ve recently been upgrading my servers from Ubuntu 14.04 to CentOS 7. Aside from SystemD, it’s a welcomed change (I still prefer upstart since there is less magic in the configs). One of the things I love about CentOS is when you actually run SELinux in enforcing mode. Sometimes though, things break with little indication as to why.

There are a few things that are in my bootstrap scripts (Chef/Puppet, etc), that are always my must-haves, hardening SSH and enabling SELinux. With hardening SSH, I change the port, and honeypot port 22, disable root and password-based logins just to name a few.

When you enable SELinux though, there are a few extra steps you need to take to get it done.

Enable New SSH Port with SELinux

You have to permit the new port to be permitted through SELinux:

sudo semanage port -a -t ssh_port_t -p tcp 27922

Failure to do this will result in your SSH service failing like so:

$ sudo service sshd status
Redirecting to /bin/systemctl status  sshd.service
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Wed 2016-02-24 17:20:10 UTC; 9s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 31653 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=255)
 Main PID: 31653 (code=exited, status=255)

Feb 24 17:20:10 hostname systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
Feb 24 17:20:10 hostname systemd[1]: Unit sshd.service entered failed state.
Feb 24 17:20:10 hostname systemd[1]: sshd.service failed.

Next steps of course would be to enable the port through the firewall (firewalld example below):

firewall-cmd --permanent --zone=public --add-port=27922/tcp && \
  firewall-cmd --reload

Enable Duo with SELinux

The Duo PAM module makes outbound HTTP/S connections when it executes. This is forbidden by default in SELinux, and must be explicitly enabled.

After you run ./configure, execute:

sudo make -C pam_duo semodule semodule-enable

The output should look similar to this:

[youwish@hostname duo_unix-1.9.18]$ sudo make -C pam_duo semodule
make: Entering directory `/home/youwish/duo_unix-1.9.18/pam_duo'
checkmodule -M -m -o authlogin_duo.mod authlogin_duo.te
checkmodule:  loading policy configuration from authlogin_duo.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 17) to authlogin_duo.mod
semodule_package -o authlogin_duo.pp -m authlogin_duo.mod
make: Leaving directory `/home/youwish/duo_unix-1.9.18/pam_duo'

[youwish@hostname duo_unix-1.9.18]$ sudo make -C pam_duo semodule-enable
make: Entering directory `/home/youwish/duo_unix-1.9.18/pam_duo'
semodule -i authlogin_duo.pp

Conclusion

With those quick steps you don’t have to (and shouldn’t) change SELinux enforcement to secure your SSH configuration.


comments powered by Disqus