This is a similar problem to that reported in bug 575203. If sshd is started without using rc-scripts then it works, but if it is started with rc-scripts and enforcing is on, then you cannot login without a password, even if the public key is in authorized_keys. Setting enforcing off enables it to work.
Andrew, what AVC msgs are you getting in permissive mode?
restorecon -R -v .ssh
Can confirm that public key login works when restorecon -R -v .ssh is used.
Here are some additional tests I've performed. .ssh/authorized_keys has been created using ssh-copy-id from a remote host. In enforcing mode, login is not possible until restorecon -R -v .ssh is involved.

[root@CentOS ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted

[root@CentOS ~]# secon --file .ssh/authorized_keys
user: unconfined_u
role: object_r
type: admin_home_t
sensitivity: s0
clearance: s0
mls-range: s0

[root@CentOS ~]# restorecon -R -v .ssh
restorecon reset /root/.ssh context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:home_ssh_t:s0
restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:home_ssh_t:s0

[root@CentOS ~]# secon --file .ssh/authorized_keys
user: system_u
role: object_r
type: ssh_home_t
sensitivity: s0
clearance: s0
mls-range: s0

If I delete the .ssh directory and recreate it as mentioned above in permissive mode everything is working. The issue is related to the security context of the files created by sshd.

[root@CentOS ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted

[root@CentOS ~]# secon --file .ssh/authorized_keys
user: unconfined_u
role: object_r
type: admin_home_t
sensitivity: s0
clearance: s0
mls-range: s0
Yes, restorecon is needed.
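
An added example, not part of the original thread: a read-only audit that lists files whose SELinux type differs from the type policy expects, which is the admin_home_t versus ssh_home_t mismatch shown above. The function names and the sample lines are constructed for illustration; audit_dir assumes `stat -c %C` and `matchpathcon -n` are available on the host and that paths contain no whitespace.

```shell
#!/bin/sh
# Added example: report mislabeled files without relabeling anything.

# Extract the type field from a context of the form user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "path current_context expected_context" lines on stdin and print
# the paths whose current type differs from the expected type.
# Only the type is compared; the user and role fields are ignored.
mislabeled() {
    while read -r path cur exp; do
        [ -n "$path" ] || continue
        cur_t=$(ctx_type "$cur")
        exp_t=$(ctx_type "$exp")
        if [ "$cur_t" != "$exp_t" ]; then
            printf '%s %s -> %s\n' "$path" "$cur_t" "$exp_t"
        fi
    done
}

# On a live SELinux host: collect the current context (stat -c %C) and
# the policy default (matchpathcon -n) for every file under a directory.
audit_dir() {
    find "$1" | while IFS= read -r p; do
        printf '%s %s %s\n' "$p" "$(stat -c %C "$p")" "$(matchpathcon -n "$p")"
    done | mislabeled
}

# Constructed sample input using the contexts quoted in the thread;
# the known_hosts line is an invented, correctly labeled entry.
sample_lines() {
    cat <<'EOF'
/root/.ssh unconfined_u:object_r:admin_home_t:s0 system_u:object_r:ssh_home_t:s0
/root/.ssh/authorized_keys unconfined_u:object_r:admin_home_t:s0 system_u:object_r:ssh_home_t:s0
/root/.ssh/known_hosts system_u:object_r:ssh_home_t:s0 system_u:object_r:ssh_home_t:s0
EOF
}
```

Running `audit_dir /root/.ssh` before and after `restorecon -R -v .ssh` shows whether the relabel took effect; an empty result means every file already carries the expected type.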