
Bug 428881

Summary: sshd refuses to accept public key login
Product: [Fedora] Fedora
Reporter: Michael de Mare <mikey>
Component: openssh
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 8
Hardware: ia64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-01-16 09:45:38 EST
Attachments (no flags set):
sshd_config file
ssh -vvv
sshd -ddd
extended sshd log

Description Michael de Mare 2008-01-15 15:58:50 EST
Description of problem:

sshd won't accept public key login although it is configured to

Version-Release number of selected component (if applicable):

OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006

How reproducible:

Very reproducible

Steps to Reproduce:

Will attach /etc/sshd_config

ssh host1
  
Actual results:

mikey@host1's password:


Expected results:

[mikey@host1 ~]$

Additional info:

/etc/sshd_config and ~mikey/.ssh/authorized_keys copied from Fedora 6 machine
where it works.
Comment 1 Michael de Mare 2008-01-15 15:59:51 EST
Created attachment 291750
sshd_config file
Comment 2 Tomas Mraz 2008-01-16 03:02:50 EST
Can you please attach logs from ssh -vvv (client) and /usr/sbin/sshd -ddd (server)?
Comment 3 Michael de Mare 2008-01-16 09:13:10 EST
Created attachment 291851
ssh -vvv
Comment 4 Michael de Mare 2008-01-16 09:13:46 EST
Created attachment 291852
sshd -ddd
Comment 5 Tomas Mraz 2008-01-16 09:18:55 EST
The sshd -ddd output is not complete - it doesn't contain the log from the whole
connection attempt.
Comment 6 Michael de Mare 2008-01-16 09:32:58 EST
Created attachment 291855
extended sshd log
Comment 7 Michael de Mare 2008-01-16 09:36:43 EST
After examining the sshd output I see that the problem is that the permissions
aren't set correctly for .ssh
Comment 8 Michael de Mare 2008-02-26 18:52:30 EST
Now I upgraded the Fedora 6 system to Fedora 8 and sshd doesn't work with the
public key in daemon mode but does in debug mode.  Same configuration file.
Comment 9 Tomas Mraz 2008-02-27 03:17:20 EST
Could it be caused by SELinux? Do you see any AVCs in ausearch -m AVC output?
Comment 10 Michael de Mare 2008-02-27 07:06:19 EST
Where do I find ausearch?  It doesn't seem to be installed on my system and I
can't seem to install it with yum.
Comment 11 Tomas Mraz 2008-02-27 08:15:32 EST
It is in the audit package. You don't have it installed? And is SELinux enabled and
enforcing or not?
Comment 12 Michael de Mare 2008-02-27 10:18:43 EST
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
Comment 13 Michael de Mare 2008-02-27 10:20:47 EST
[mikey@mikey-ws ~]$ sudo /sbin/ausearch -m AVC
<no matches>
[mikey@mikey-ws ~]$             
Comment 14 Tomas Mraz 2008-02-27 10:27:02 EST
restorecon -R -v <home>/.ssh
doesn't help/print anything either?
Comment 15 Michael de Mare 2008-02-28 13:16:51 EST
[mikey@mikey-ws ~]$ sudo /sbin/restorecon -R -v $HOME/.ssh
/sbin/restorecon reset /home/mikey/.ssh context
system_u:object_r:file_t:s0->unconfined_u:object_r:unconfined_home_t:s0
/sbin/restorecon reset /home/mikey/.ssh/id_rsa context
system_u:object_r:file_t:s0->unconfined_u:object_r:unconfined_home_t:s0
/sbin/restorecon reset /home/mikey/.ssh/id_rsa.pub context
system_u:object_r:file_t:s0->unconfined_u:object_r:unconfined_home_t:s0
/sbin/restorecon reset /home/mikey/.ssh/known_hosts context
system_u:object_r:file_t:s0->unconfined_u:object_r:unconfined_home_t:s0
/sbin/restorecon reset /home/mikey/.ssh/authorized_keys context
system_u:object_r:file_t:s0->unconfined_u:object_r:unconfined_home_t:s0
/sbin/restorecon reset /home/mikey/.ssh/greg-ws context
system_u:object_r:file_t:s0->unconfined_u:object_r:unconfined_home_t:s0
/sbin/restorecon reset /home/mikey/.ssh/id_dsa context
system_u:object_r:file_t:s0->unconfined_u:object_r:unconfined_home_t:s0
/sbin/restorecon reset /home/mikey/.ssh/id_dsa.pub context
system_u:object_r:file_t:s0->unconfined_u:object_r:unconfined_home_t:s0
/sbin/restorecon reset /home/mikey/.ssh/stevens context
system_u:object_r:file_t:s0->unconfined_u:object_r:unconfined_home_t:s0
/sbin/restorecon reset /home/mikey/.ssh/stevens.pub context
system_u:object_r:file_t:s0->unconfined_u:object_r:unconfined_home_t:s0
/sbin/restorecon reset /home/mikey/.ssh/server1.pub context
system_u:object_r:file_t:s0->unconfined_u:object_r:unconfined_home_t:s0
/sbin/restorecon reset /home/mikey/.ssh/palm context
system_u:object_r:file_t:s0->unconfined_u:object_r:unconfined_home_t:s0
/sbin/restorecon reset /home/mikey/.ssh/palm.pub context
system_u:object_r:file_t:s0->unconfined_u:object_r:unconfined_home_t:s0
/sbin/restorecon reset /home/mikey/.ssh/laptop2 context
system_u:object_r:file_t:s0->unconfined_u:object_r:unconfined_home_t:s0
/sbin/restorecon reset /home/mikey/.ssh/laptop2.pub context
system_u:object_r:file_t:s0->unconfined_u:object_r:unconfined_home_t:s0
Comment 16 Tomas Mraz 2008-02-28 14:40:10 EST
Nice, did it help?
Comment 17 Michael de Mare 2008-02-28 15:44:48 EST
No, I still get the same error.
Comment 18 Tomas Mraz 2008-02-28 16:38:51 EST
'setenforce 0' helps?
If yes, 'restorecon -R -v /home/mikey' might help.
Otherwise I am really out of ideas what could cause it especially when in debug
mode it works fine.
Comment 19 Michael de Mare 2008-02-28 17:02:43 EST
`setenforce 0` worked.  What should I do for a permanent fix?
Comment 20 Michael de Mare 2008-02-28 17:06:58 EST
I am thinking that the selinux problem must be because the /home filesystem was
created under FC2, which did not have selinux enabled by default.  I upgraded
that to FC3.  Then I installed FC6 over the system partition (leaving /home
intact) and then it broke when I upgraded it to F8.

I ran `restorecon -R -v /home/mikey` and then `setenforce 1` and it still works,
so I am assuming that this will continue to work after the next reboot.  If it
doesn't, I will let you know.

Thanks.
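
The two causes found in this thread (loose permissions on .ssh in comment 7, and file_t labels left on a /home created before SELinux in comments 15 to 20) can be checked together. This is an added example, not part of the bug report: the function names are hypothetical, the sample lines are constructed from the contexts quoted above, and treating unlabeled_t as stale is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# Permission check in the spirit of sshd's StrictModes: flag the home
# directory, ~/.ssh or authorized_keys when group or others can write to it.
check_modes() {
    local home="$1" p mode rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "MISSING $p"; rc=1; continue; fi
        mode=$(stat -c '%a' "$p")               # GNU stat, octal mode
        if [ $(( 0$mode & 022 )) -ne 0 ]; then  # group/other write bits
            echo "WRITABLE $mode $p"; rc=1
        fi
    done
    return $rc
}

# Label check: read "context path" lines and print every path whose SELinux
# type is file_t (the type shown in the restorecon output above) or
# unlabeled_t (assumed equivalent on other policies). Paths containing
# spaces are not handled.
stale_labels() {
    awk '{ split($1, c, ":")
           if (c[3] == "file_t" || c[3] == "unlabeled_t") print $2 }'
}

# Constructed sample in the "context path" layout of: stat -c '%C %n' FILE
sample_labels() {
    cat <<'EOF'
system_u:object_r:file_t:s0 /home/mikey/.ssh/authorized_keys
unconfined_u:object_r:unconfined_home_t:s0 /home/mikey/.ssh/known_hosts
EOF
}

# Demo on the constructed sample; prints the one path that still needs
# restorecon. On an SELinux host the real input would come from:
#   find "$HOME/.ssh" -exec stat -c '%C %n' {} + | stale_labels
sample_labels | stale_labels
```

Any path printed by `stale_labels` is a candidate for the `restorecon -R -v` run that resolved comment 20; any line from `check_modes` points at the permission problem from comment 7.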