Annexes:ConfSELinux

From WikiFr_dbSQWare
Revision as of 3 June 2024 at 11:49 by Ymauger (Solution)

SELinux

General

$ getenforce
Enforcing

Problem encountered

$ ssh user@[ip address]
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Solution with SELinux

The wrong SELinux context was applied to the new home directory.

# ls -ldZ /home/user1/.ssh/
drwx------. user1 user1 unconfined_u:object_r:default_t:s0 /home/user1/.ssh/

# ls -lZ /home/user1/.ssh/authorized_keys
-rw-------. user1 user1 unconfined_u:object_r:default_t:s0 /home/user1/.ssh/authorized_keys

1. Comparing with a working user shows the correct context, which is “ssh_home_t:”

$ ls -lZd /home/opc/.ssh/
drwx------. opc opc unconfined_u:object_r:ssh_home_t:s0 /home/opc/.ssh/
$ ls -lZd /home/opc/.ssh/authorized_keys
-rw-------. opc opc unconfined_u:object_r:ssh_home_t:s0 /home/opc/.ssh/authorized_keys

2. Apply the context “ssh_home_t:” to the new home location:

# chcon -R -t ssh_home_t /home/user1/.ssh/

3. Verify the permissions and SELinux context again:

# ls -lZd /home/user1/.ssh/authorized_keys
-rw-------. user1 user1 unconfined_u:object_r:ssh_home_t:s0 /home/user1/.ssh/authorized_keys

4. Test SSH with user user1:

$ ssh user1@<ip address>
Last login: Wed Mar 27 19:52:13 2019 from [xx.xx.xx.xx]
-bash-4.2$
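An added example, not part of the original wiki page: a shell function that reads `ls -Z` output and reports every entry whose SELinux type is not `ssh_home_t`, automating the comparison done by eye in the steps above. The function names and the `restorecon` alternative to `chcon` are assumptions of this example; the sample listing is constructed from the lines shown on this page, and the parser also accepts the newer `ls` layout with link count, size and date columns.

```shell
#!/bin/sh
# Added example (not from the wiki page). Function names are hypothetical.

# Reads `ls -dZ` / `ls -lZ` output on stdin and prints "<path> <type>" for each
# entry whose SELinux type differs from the expected one (default: ssh_home_t).
# Returns 1 if at least one entry is mislabelled, 0 otherwise.
# Limitation: paths containing whitespace are not handled.
check_ssh_labels() {
    awk -v want="${1:-ssh_home_t}" '
        {
            # The context is the field shaped user:role:type:level. Its column
            # differs between coreutils versions, so search for it.
            for (i = 1; i <= NF; i++) {
                if (split($i, c, ":") >= 4 && c[2] ~ /_r$/) {
                    if (c[3] != want) { printf "%s %s\n", $NF, c[3]; bad = 1 }
                    next
                }
            }
        }
        END { exit bad + 0 }'
}

# Constructed sample: listings copied from this page (broken and working user).
sample_listing() {
    cat <<'EOF'
drwx------. user1 user1 unconfined_u:object_r:default_t:s0 /home/user1/.ssh/
-rw-------. user1 user1 unconfined_u:object_r:default_t:s0 /home/user1/.ssh/authorized_keys
drwx------. opc opc unconfined_u:object_r:ssh_home_t:s0 /home/opc/.ssh/
EOF
}

# Assumption of this example: relabel from the loaded policy with restorecon
# instead of chcon. A label set with chcon is overwritten by a later relabel.
fix_ssh_labels() {   # usage (as root): fix_ssh_labels /home/user1/.ssh
    restorecon -Rv "$1"
}

# Live use: ls -ldZ /home/*/.ssh /home/*/.ssh/authorized_keys | check_ssh_labels
```

Running the check again after `fix_ssh_labels` shows whether the policy actually assigns `ssh_home_t` to that path.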

Solution without SELinux

Note: If SELinux is not required, another solution is to switch SELinux to permissive mode or disable it.