Bug 473014 (SSHKeyLabel)
| Field | Value |
|---|---|
| Summary | User key authentication fails in ssh from F10 client to F10 server |
| Product | [Fedora] Fedora |
| Component | openssh |
| Status | CLOSED NOTABUG |
| Severity | high |
| Priority | medium |
| Version | 10 |
| Hardware | i686 |
| OS | Linux |
| Reporter | Nick Urbanik <nicku> |
| Assignee | Tomas Mraz <tmraz> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | daw-redhatbugzilla, dusha, dwalsh, joe, lists, mgrepl, mhfrey, nicku, tmraz |
| Doc Type | Bug Fix |
| Last Closed | 2008-11-28 10:09:40 UTC |

Description
Nick Urbanik
2008-11-26 02:59:13 UTC
Can you please attach debug logs from the client as well as server?

Run the server as
/usr/sbin/sshd -ddd
And the client as
ssh -vvv <user@server>

My install started cleanly from snapshot 3 and has simply been upgraded by yum. ssh + keys is working perfectly here.

Created attachment 324793
Running /usr/sbin/sshd -ddd on laptop

Created attachment 324794
Result of running ssh -vvv

Yes, I see that I can connect from the laptop to the desktop machine (the other way round). Need to investigate the pam setup, the /etc/ssh*_config files further.

I do not see pubkey authentication failure in the log but rather some problem with PAM open session. Do you see anything related in /var/log/secure on the ssh server?

Only the
sshd[...]: reverse mapping checking getaddrinfo for .... [...] failed - POSSIBLE BREAK-IN ATTEMPT!
These have occurred in the logs for some time before this authentication problem arose.

When I turn off selinux on the laptop, the problem disappears. I have yum upgraded these machines through each Fedora release over many years. I will try relabelling the filesystems on these machines, and indicate here whether this solves the problem.

Do you see any related AVCs in ausearch -m AVC output?

Okay, it is solved by doing
sudo restorecon -r ~/.ssh
Here is some of the output of ausearch -m AVC before I did this:

time->Fri Nov 28 20:10:40 2008
type=SYSCALL msg=audit(1227863440.638:683): arch=40000003 syscall=5 success=no exit=-13 a0=b8f08ef0 a1=8800 a2=0 a3=8800 items=0 ppid=1760 pid=12649 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1227863440.638:683): avc: denied { search } for pid=12649 comm="sshd" name=".ssh" dev=sda6 ino=130817 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir

I suppose this is now solved for me. I think that others may still be bitten by this. Even doing
sudo touch /.autorelabel
and having the filesystem relabelled at the reboot did not solve the problem for me. I needed to change to the home directory and there do
sudo restorecon -r .ssh
Only then did the .ssh/* files' label change to system_u:object_r:ssh_home_t

At least this bug gives people a solution to google for.

Ok I think I found the problem, that file should not become unlabeled_t on an upgrade, so in selinux-policy-3.5.13-31 I will get it labeled correctly.

Excellent work Daniel! Thank you.

*** Bug 476362 has been marked as a duplicate of this bug. ***
*** Bug 466199 has been marked as a duplicate of this bug. ***
*** Bug 481079 has been marked as a duplicate of this bug. ***
*** Bug 491032 has been marked as a duplicate of this bug. ***
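
One way to triage the denial discussed in this report, as an added example that is not part of the original bug thread: it parses `ausearch -m AVC` style records and reports sshd_t denials whose target carries the unlabeled_t type. The first sample record is the AVC line quoted in the report, the second is constructed for contrast, and the function names are hypothetical.

```python
import re

# First record: the AVC line quoted in the report. Second record: constructed
# for contrast (a denial that has nothing to do with an unlabeled ~/.ssh).
SAMPLE = '''\
type=AVC msg=audit(1227863440.638:683): avc: denied { search } for pid=12649 comm="sshd" name=".ssh" dev=sda6 ino=130817 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1227863500.100:700): avc: denied { read } for pid=12700 comm="httpd" name="index.html" dev=sda6 ino=555 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the level may itself contain ':',
    # so split at most three times and take the third field as the type.
    for key in ('scontext', 'tcontext'):
        parts = rec.get(key, '').split(':', 3)
        rec[key + '_type'] = parts[2] if len(parts) >= 3 else None
    return rec

def mislabeled_ssh_denials(text):
    """Collect denials where sshd (sshd_t) hit an object labeled unlabeled_t."""
    hits = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['scontext_type'] == 'sshd_t' and rec['tcontext_type'] == 'unlabeled_t':
            hits.append(rec)
    return hits

if __name__ == '__main__':
    for r in mislabeled_ssh_denials(SAMPLE):
        print(f"sshd denied {r['perms']} on {r['tclass']} {r['name']!r} "
              f"(inode {r['ino']}): target is unlabeled_t, relabel with restorecon")
```
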