I want to be able to use ssh-keys to login to several CentOS servers.
This always worked fine with CentOS 5.x, but it is causing me problems in CentOS 6.4.
If I disable SELinux it works fine.
Following the suggestion on another thread I ran
Code:
[root@stanley etc]# restorecon -r -v -F /root/.ssh
restorecon reset /root/.ssh context unconfined_u:object_r:ssh_home_t:s0->system_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:ssh_home_t:s0->system_u:object_r:ssh_home_t:s0
and
Code:
[fred@stanley ~]$ restorecon -r -v -F /home/fred/.ssh
restorecon reset /home/fred/.ssh context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /home/fred/.ssh/authorized_keys context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
and then reset SELinux to
in /etc/selinux/config
and rebooted.
Now, I can log in as root without entering a password, but
user fred is still prompted.
I notice that the flags being set by restorecon are different for root and for fred, so my guess is that this is the problem. I don't know what these flags mean, or how to change them, so would appreciate help in sorting this out.
BTW: in general I want to disable ssh for root.
Using root was just part of my troubleshooting.
Some additional info added after @JohnVV's comments:
After trying to log in again as fred, I see this in /var/log/secure:
Code:
Jul 14 13:30:03 stanley sshd[10183]: debug3: mm_answer_keyallowed entering
Jul 14 13:30:03 stanley sshd[10183]: debug3: mm_answer_keyallowed: key_from_blob: 0x7f29afe06d00
Jul 14 13:30:03 stanley sshd[10183]: debug1: temporarily_use_uid: 504/504 (e=0/0)
Jul 14 13:30:03 stanley sshd[10183]: debug1: trying public key file /home/fred/.ssh/authorized_keys
Jul 14 13:30:03 stanley sshd[10183]: debug1: fd 4 clearing O_NONBLOCK
Jul 14 13:30:03 stanley sshd[10183]: debug3: secure_filename: checking '/home/fred/.ssh'
Jul 14 13:30:03 stanley sshd[10183]: debug3: secure_filename: checking '/home/fred'
Jul 14 13:30:03 stanley sshd[10183]: debug3: secure_filename: terminating check at '/home/fred'
Jul 14 13:30:03 stanley sshd[10183]: debug2: key not found
Then, extracting the entries from the audit log for process 10183
Code:
cat /var/log/audit/audit.log | audit2allow -w > ~/denied
grep -A3 10183 ~/denied
I just get this:
Code:
type=AVC msg=audit(1373833803.504:926): avc: denied { search } for pid=10183 comm="sshd" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
--
type=AVC msg=audit(1373833803.505:927): avc: denied { getattr } for pid=10183 comm="sshd" path="/home" dev=dm-0 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
Not sure what to do with this information. Any help would be appreciated.
Thanks
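The two AVC records quoted in the post above are the part worth reading closely: the object sshd was denied on is "/" (and "/home") and its target type is file_t, which is the type SELinux gives to objects that carry no label at all. restorecon on one ~/.ssh directory cannot help when the filesystem root itself is unlabeled. The script below is an added example, not the poster's own commands: it parses AVC lines from the audit log, extracts the denied permission, source type, target type and object, and classifies each denial as "unlabeled, needs a full relabel", "wrong label on ~/.ssh, restorecon will fix it", or "check policy/booleans". The function names avc_summary and relabel_needed are this example's own; the three sample lines are constructed (the first two modelled on the post's records, the third a made-up denial on an authorized_keys file still labelled user_home_t).

```shell
#!/bin/sh
# Added example (not from the original post): triage SELinux AVC denials such as
# the two the poster pulled out of /var/log/audit/audit.log for sshd pid 10183.
# Function names avc_summary and relabel_needed are this example's own.

# Constructed sample input: the first two lines are modelled on the post's AVC
# records (sshd denied on "/" and "/home", whose target type is file_t); the third
# is a made-up denial on an authorized_keys file still labelled user_home_t.
AVC_SAMPLE='type=AVC msg=audit(1373833803.504:926): avc: denied { search } for pid=10183 comm="sshd" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1373833803.505:927): avc: denied { getattr } for pid=10183 comm="sshd" path="/home" dev=dm-0 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1373833900.000:930): avc: denied { read } for pid=10200 comm="sshd" name="authorized_keys" dev=dm-0 ino=4242 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_summary: read raw AVC lines on stdin and print, per denial,
#   <permission> <source type> <target type> <class> <object> <verdict>
# where the verdict says what kind of fix the target label calls for.
avc_summary() {
    awk '
    /avc: *denied/ {
        perm = ""; obj = "?"; st = ""; tt = ""; tc = ""
        # the denied permission sits between the braces: { search }
        if (match($0, /[{] *[a-z_]+ *[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/ /, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # contexts are user:role:TYPE:level; the type is what policy rules key on
            if (kv[1] == "scontext")      { split(kv[2], p, ":"); st = p[3] }
            else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tt = p[3] }
            else if (kv[1] == "tclass")   { tc = kv[2] }
            else if (kv[1] == "name" || kv[1] == "path") { obj = kv[2]; gsub(/"/, "", obj) }
        }
        # file_t / unlabeled_t mean the object carries no policy label at all:
        # restorecon on one directory cannot help when "/" itself is unlabeled.
        if (tt == "file_t" || tt == "unlabeled_t") {
            verdict = "UNLABELED:relabel-needed"
        }
        # a plain home-directory type on ~/.ssh objects is the case restorecon fixes
        else if (tt == "user_home_t" && obj ~ /(\.ssh|authorized_keys)/) {
            verdict = "WRONG-LABEL:restorecon"
        }
        else {
            verdict = "CHECK:policy-or-boolean"
        }
        print perm, st, tt, tc, obj, verdict
    }'
}

# relabel_needed: exit 0 if any denial on stdin targets an unlabeled object.
relabel_needed() {
    avc_summary | grep -q 'UNLABELED'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
if printf '%s\n' "$AVC_SAMPLE" | relabel_needed; then
    # On CentOS 6 a full relabel is: touch /.autorelabel && reboot
    # (or restorecon -Rv / on a running system). Do NOT feed these denials to
    # audit2allow -M: an allow rule letting sshd_t read file_t removes the
    # protection instead of restoring the labels.
    echo "unlabeled filesystem objects found: schedule a full relabel"
fi
```

Run it as `avc_summary < /var/log/audit/audit.log` on a real box, or `grep 'pid=10183' /var/log/audit/audit.log | avc_summary` to look at one sshd session. The point of the verdict column is to stop the reflex of pasting the denial into audit2allow: a denial whose target is file_t is a labelling problem, and the fix is to relabel the filesystem (touch /.autorelabel and reboot on CentOS 6), not to grant sshd_t access to unlabeled files.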