« Annexes:ConfSELinux » : différence entre les versions
Aller à la navigation
Aller à la recherche
| Ligne 17 : | Ligne 17 : | ||
===Solution avec SELinux=== | ===Solution avec SELinux=== | ||
Wrong Selinux context was used for new home directory. | Wrong Selinux context was used for new home directory. | ||
<pre> | |||
# ls -ldZ /home/user1/.ssh/ | # ls -ldZ /home/user1/.ssh/ | ||
drwx------. user1 user1 unconfined_u:object_r:default_t:s0 /home/user1/.ssh/ | drwx------. user1 user1 unconfined_u:object_r:default_t:s0 /home/user1/.ssh/ | ||
| Ligne 23 : | Ligne 23 : | ||
# ls -lZ /home/user1/.ssh/authorized_keys . | # ls -lZ /home/user1/.ssh/authorized_keys . | ||
-rw-------. user1 user1 unconfined_u:object_r:default_t:s0 /home/user1/.ssh/authorized_keys | -rw-------. user1 user1 unconfined_u:object_r:default_t:s0 /home/user1/.ssh/authorized_keys | ||
</pre> | |||
1. If we compare with a working user we will be able to see the correct context which is “ssh_home_t:” | 1. If we compare with a working user we will be able to see the correct context which is “ssh_home_t:” | ||
<pre> | |||
$ ls -lZd /home/opc/.ssh/ | $ ls -lZd /home/opc/.ssh/ | ||
drwx------. opc opc unconfined_u:object_r:ssh_home_t:s0 /home/opc/.ssh/ | drwx------. opc opc unconfined_u:object_r:ssh_home_t:s0 /home/opc/.ssh/ | ||
$ ls -lZd /home/opc/.ssh/authorized_keys | $ ls -lZd /home/opc/.ssh/authorized_keys | ||
-rw-------. opc opc unconfined_u:object_r:ssh_home_t:s0 /home/opc/.ssh/authorized_keys | -rw-------. opc opc unconfined_u:object_r:ssh_home_t:s0 /home/opc/.ssh/authorized_keys | ||
</pre> | |||
2. Apply the context “ssh_home_t:” to the new home location: | 2. Apply the context “ssh_home_t:” to the new home location: | ||
<pre> | |||
# chcon -R -t ssh_home_t /home/user1/.ssh/ | # chcon -R -t ssh_home_t /home/user1/.ssh/ | ||
</pre> | |||
3. Verify the permissions and SELinux context again: | 3. Verify the permissions and SELinux context again: | ||
<pre> | |||
# ls -lZd /home/user1/.ssh/authorized_keys | # ls -lZd /home/user1/.ssh/authorized_keys | ||
-rw-------. user1 user1 unconfined_u:object_r:ssh_home_t:s0 /home/user1/.ssh/authorized_keys | -rw-------. user1 user1 unconfined_u:object_r:ssh_home_t:s0 /home/user1/.ssh/authorized_keys | ||
</pre> | |||
4. Test SSH with user user1: | 4. Test SSH with user user1: | ||
<pre> | |||
$ ssh user1@<ip address=""> | $ ssh user1@<ip address=""> | ||
Last login: Wed Mar 27 19:52:13 2019 from [xx.xx.xx.xx] | Last login: Wed Mar 27 19:52:13 2019 from [xx.xx.xx.xx] | ||
-bash-4.2$</ip> | -bash-4.2$</ip> | ||
</pre> | |||
===Solution sans SELinux=== | ===Solution sans SELinux=== | ||
Note: If SELinux is not required another solution will be to change SELinux to permissive mode or disable it. | Note: If SELinux is not required another solution will be to change SELinux to permissive mode or disable it. | ||
Dernière version du 3 juin 2024 à 10:50
SELinux
Généralités
$ getenforce Enforcing
Problème rencontré
$ ssh user@[ip address] Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Solution avec SELinux
Wrong Selinux context was used for new home directory.
# ls -ldZ /home/user1/.ssh/ drwx------. user1 user1 unconfined_u:object_r:default_t:s0 /home/user1/.ssh/ # ls -lZ /home/user1/.ssh/authorized_keys . -rw-------. user1 user1 unconfined_u:object_r:default_t:s0 /home/user1/.ssh/authorized_keys
1. If we compare with a working user we will be able to see the correct context which is “ssh_home_t:”
$ ls -lZd /home/opc/.ssh/ drwx------. opc opc unconfined_u:object_r:ssh_home_t:s0 /home/opc/.ssh/ $ ls -lZd /home/opc/.ssh/authorized_keys -rw-------. opc opc unconfined_u:object_r:ssh_home_t:s0 /home/opc/.ssh/authorized_keys
2. Apply the context “ssh_home_t:” to the new home location:
# chcon -R -t ssh_home_t /home/user1/.ssh/
3. Verify the permissions and SELinux context again:
# ls -lZd /home/user1/.ssh/authorized_keys -rw-------. user1 user1 unconfined_u:object_r:ssh_home_t:s0 /home/user1/.ssh/authorized_keys
4. Test SSH with user user1:
$ ssh user1@<ip address=""> Last login: Wed Mar 27 19:52:13 2019 from [xx.xx.xx.xx] -bash-4.2$</ip>
Solution sans SELinux
Note: If SELinux is not required another solution will be to change SELinux to permissive mode or disable it.