Starting with Fedora 17, SELinux prevents sshd to initiate connections to remote HTTP ports (80 and 443). In SELinux terms: sshd_t is not allowed to name_connect to http_port_t. This broke YubiKey authentication on a system with SELinux in enforcing mode, unless a custom SELinux policy was written and enabled.
Based on a bugreport in Red Hat Bugzilla, a boolean was added to the SELinux policy for Fedora 18 and up, that can be toggled to allow sshd (and some other SELinux types) to connect to remote HTTP ports.
To make a long story short, if you want to use a YubiKey on a system running Fedora 18 or higher (and probably RHEL7, eventually), you’ll need to toggle the authlogin_yubikey SELinux boolean, like so:
setsebool -P authlogin_yubikey 1
If you are using your own server via urllist
/url
in the pam conf file and using a non-standard http port, you will need to add that port to the http_port_t
port list. For example, port 12345
:
semanage port -a -t http_port_t -p tcp 12345
By default, SELinux prevents sshd from opening local files other than SSH configuration files. If you would like to debug this module using debug
and debug_file
parameters, you may need to temporarily relax your SELinux confinement:
setenforce permissive
Don’t forget to re-enable SELinux once you’re done:
setenforce enforcing