SSH public key connection issue


Post by cah

Since I requested a RHEL 9 server for a TANG server, I tried to start setting it up. However, when I tried to ssh to it, I found the public key didn't work. I checked all permissions and configurations and all looked fine. /var/log/secure didn't provide any help. I then looked into /var/log/messages on the RHEL 9.5 server and saw this:

```
Feb 20 04:21:45 msplin297 setroubleshoot[188613]: SELinux is preventing /usr/sbin/sshd from read access on the file /user/hsiaoc1/.ssh/authorized_keys. For complete SELinux messages run: sealert -l 8b4eeb43-a95f-4d5a-9d09-ddcbc81a5cba

Feb 20 04:21:45 msplin297 setroubleshoot[188613]: SELinux is preventing /usr/sbin/sshd from read access on the file /user/hsiaoc1/.ssh/authorized_keys.#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************#012#012If you want to allow use to nfs home dirs#012Then you must tell SELinux about this by enabling the 'use_nfs_home_dirs' boolean.#012#012Do#012setsebool -P use_nfs_home_dirs 1#012#012*****  Plugin catchall (11.6 confidence) suggests   **************************#012#012If you believe that sshd should be allowed read access on the authorized_keys file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sshd' --raw | audit2allow -M my-sshd#012# semodule -X 300 -i my-sshd.pp#012
```

I then expanded the message to a readable format:

```
Feb 20 04:21:45 msplin297 setroubleshoot[188613]: SELinux is preventing /usr/sbin/sshd from read access on the file /user/hsiaoc1/.ssh/authorized_keys.
#012
#012*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************
#012
#012If you want to allow use to nfs home dirs
#012Then you must tell SELinux about this by enabling the 'use_nfs_home_dirs' boolean.
#012
#012Do
#012setsebool -P use_nfs_home_dirs 1
#012
#012*****  Plugin catchall (11.6 confidence) suggests   **************************
#012
#012If you believe that sshd should be allowed read access on the authorized_keys file by default.
#012Then you should report this as a bug.
#012You can generate a local policy module to allow this access.
#012Do
#012allow this access for now by executing:
#012
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
#012
# semodule -X 300 -i my-sshd.pp
#012
```

I then ran the command:

```
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-sshd.pp

# semodule -i my-sshd.pp
libsemanage.semanage_direct_install_info: Overriding my-sshd module at lower priority 300 with module at priority 400.
```

After these 2 commands, I was then able to ssh into this RHEL 9.5 server with the public key.

The root cause is SELinux. We never had SELinux set up prior to RHEL 9, and this is a good lesson to learn.
CAH, The Great
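
Added example, not part of the original post: a small Python parser for the setroubleshoot line quoted above. It undoes rsyslog's `#012` newline escapes and ranks the plugin suggestions by confidence, so the targeted `use_nfs_home_dirs` boolean can be compared with the generated `my-sshd` module before either is applied. The function names are hypothetical and the sample input is the log line from the post.

```python
import re

# Sample input: the setroubleshoot line quoted in the post, embedded inline so
# the example runs offline. "#012" is rsyslog's escape for octal 012 (newline).
SAMPLE = (
    "Feb 20 04:21:45 msplin297 setroubleshoot[188613]: SELinux is preventing "
    "/usr/sbin/sshd from read access on the file /user/hsiaoc1/.ssh/authorized_keys."
    "#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************"
    "#012#012If you want to allow use to nfs home dirs"
    "#012Then you must tell SELinux about this by enabling the 'use_nfs_home_dirs' boolean."
    "#012#012Do#012setsebool -P use_nfs_home_dirs 1"
    "#012#012*****  Plugin catchall (11.6 confidence) suggests   **************************"
    "#012#012If you believe that sshd should be allowed read access on the authorized_keys file by default."
    "#012Then you should report this as a bug."
    "#012You can generate a local policy module to allow this access."
    "#012Do#012allow this access for now by executing:"
    "#012# ausearch -c 'sshd' --raw | audit2allow -M my-sshd"
    "#012# semodule -X 300 -i my-sshd.pp#012"
)

DENIAL = re.compile(r"SELinux is preventing (\S+) from (.+?) access on the (\w+) (\S+)\.")
PLUGIN = re.compile(r"\*+\s+Plugin (\w+) \(([\d.]+) confidence\) suggests\s+\*+")

def decode(line):
    """Turn rsyslog's #ooo escapes back into the control characters they stand for."""
    def unescape(m):
        code = int(m.group(1), 8)
        return chr(code) if code < 0x20 else m.group(0)  # leave non-control text alone
    return re.sub(r"#([0-7]{3})", unescape, line)

def commands(body):
    """Return the shell commands listed after a plugin's 'Do' line."""
    lines = [l.strip() for l in body.splitlines()]
    if "Do" not in lines:
        return []
    after = lines[lines.index("Do") + 1:]
    return [l.removeprefix("# ") for l in after if l and not l.endswith(":")]

def parse(line):
    """Return (denial, plugins) with plugins sorted by descending confidence."""
    parts = PLUGIN.split(decode(line))  # [head, name, conf, body, name, conf, body, ...]
    m = DENIAL.search(parts[0])
    denial = dict(zip(("source", "access", "tclass", "target"), m.groups())) if m else None
    plugins = [{"plugin": n, "confidence": float(c), "commands": commands(b)}
               for n, c, b in zip(parts[1::3], parts[2::3], parts[3::3])]
    return denial, sorted(plugins, key=lambda p: p["confidence"], reverse=True)

if __name__ == "__main__":
    denial, plugins = parse(SAMPLE)
    print(denial)
    for p in plugins:
        print(f'{p["confidence"]:5.1f}  {p["plugin"]}: {p["commands"]}')
```
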