Description of problem: Using safekeep, deploy keys with 'safekeep --keys --deploy' (and give root password). Subsequently 'safekeep --server' should ssh without requiring a password. What actually happens is the selinux denial below and sshd falls back to asking for a password. After "restorecon root/.ssh/authorized_keys", everything works perfectly. This happens even when deleting /root/.ssh/ and letting it be re-created during the key deployment. Version-Release number of selected component (if applicable): openssh-server-5.2p1-2.fc11.i586 selinux-policy-3.6.12-62.fc11.noarch safekeep-server-1.0.5-2.fc11.noarch Additional info: SELinux is preventing sshd (sshd_t) "read" to /root/.ssh/authorized_keys (admin_home_t). Detailed Description: SELinux denied access requested by sshd. /root/.ssh/authorized_keys may be a mislabeled. /root/.ssh/authorized_keys default SELinux type is home_ssh_t, but its current type is admin_home_t. Changing this file back to the default type, may fix your problem. File contexts can be assigned to a file in the following ways. * Files created in a directory receive the file context of the parent directory by default. * The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creates a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this. * Users can change the file context on a file using tools such as chcon, or restorecon. This file could have been mislabeled either by user error, or if an normally confined application was run under the wrong domain. However, this might also indicate a bug in SELinux because the file should not have been labeled with this type. If you believe this is a bug, please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Allowing Access: You can restore the default system context to this file by executing the restorecon command. restorecon '/root/.ssh/authorized_keys', if this file is a directory, you can recursively restore using restorecon -R '/root/.ssh/authorized_keys'. Fix Command: restorecon '/root/.ssh/authorized_keys' Additional Information: Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:admin_home_t:s0 Target Objects /root/.ssh/authorized_keys [ file ] Source sshd Source Path /usr/sbin/sshd Port <Unknown> Host mostin Source RPM Packages openssh-server-5.2p1-2.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.12-62.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name restorecon Host Name mostin Platform Linux mostin 2.6.29.5-191.fc11.i586 #1 SMP Tue Jun 16 23:11:39 EDT 2009 i686 athlon Alert Count 4 First Seen Mon 20 Jul 2009 20:44:22 BST Last Seen Mon 20 Jul 2009 21:10:03 BST Local ID 4bc43249-b983-471b-9410-6f2c4bd1051a Line Numbers Raw Audit Messages node=mostin type=AVC msg=audit(1248120603.552:225): avc: denied { read } for pid=10203 comm="sshd" name="authorized_keys" dev=dm-6 ino=125282 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file node=mostin type=SYSCALL msg=audit(1248120603.552:225): arch=40000003 syscall=5 success=no exit=-13 a0=1406598 a1=8800 a2=0 a3=13f8a18 items=0 ppid=9593 pid=10203 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
Did you read the description above? Did you run the restorecon command? After running the restorecon command, did it work? Run restorecon -R -v /root/.ssh Should fix the labeling so sshd can read the authorization_keys. The safekeep tool should be making sure the labeling is correct, just like it would make sure the file ownership and permissions were correct.
Something like cmd = '%s %s@%s "umask 077; test -d .ssh || mkdir .ssh; cat >> .ssh/authorized_keys; restorecon -R -v .ssh"' % (basessh, cfg['user'], cfg['host']) Would fix on SELinux platforms.
restorecon will exit with 0 status if selinux is disabled.
This message is a reminder that Fedora 11 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 11. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '11'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 11's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 11 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.