So, following the orders of the Fedora project people I have decided to recreate my ssh keys. And this is what happens:

    mitmanek:~ $ cd
    mitmanek:~ $ ssh-keygen -b 4096
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/matej/.ssh/id_rsa): id_fedora_rsa
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    open id_fedora_rsa failed: Permission denied.
    Saving the key failed: id_fedora_rsa.
    mitmanek:~ $ restorecon -v -R .ssh
    mitmanek:~ $

Of course, it was my fault that I forgot that keys have to be generated in ~/.ssh and not anywhere else because of SELinux, but it would be helpful if, when given a relative path (like in this case), ssh-keygen defaulted to ~/.ssh rather than to the current working directory. Thank you
We could fix the SELinux but this could be a problem from a security point of view, since the ~/.ssh directory tends to be a protected directory. I think if the user specifies a file without a path it should default to ~/.ssh
I think SELinux should allow ssh-keygen to write anywhere. Basically ssh-keygen is a simple local tool invoked by an admin/user, not connecting anywhere, and it should be unconfined. As for it defaulting to the .ssh directory - this should be changed upstream first.
We might want to think about removing the transition to ssh-keygen at all, since we have file name transitions now, so the .ssh dir will be created with the correct label. Matej, the following should work:

    chcon -t bin_t `which ssh-keygen`
Yes, Miroslav, I agree.
Yes in Rawhide we want to remove transition from user roles.
Removed transition in selinux-policy-3.10.0-41.fc16
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
    $ id -Z
    staff_u:staff_r:staff_t:s0
    $ mkdir tmp
    $ cd tmp/
    $ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/staff/.ssh/id_rsa): id_fedora_rsa
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in id_fedora_rsa.
    Your public key has been saved in id_fedora_rsa.pub.
    The key fingerprint is:
    4e:ba:ef:fd:de:60:07:ad:b6:2b:6c:22:c3:d2:9f:df staff@f16-openssh
    The key's randomart image is:
    +--[ RSA 2048]----+
    |                 |
    |                 |
    |                 |
    | .               |
    | S . .           |
    | + o             |
    | o. .. = .       |
    | . =..o++ =      |
    | ..*=+o+E..      |
    +-----------------+
    $ ls -lZ
    -rw-------. staff staff staff_u:object_r:user_home_t:s0 id_fedora_rsa
    -rw-r--r--. staff staff staff_u:object_r:user_home_t:s0 id_fedora_rsa.pub
    $ ssh-copy-id -i id_fedora_rsa localhost
    staff@localhost's password:
    Now try logging into the machine, with "ssh 'localhost'", and check in:

      ~/.ssh/authorized_keys

    to make sure we haven't added extra keys that you weren't expecting.

    $ ssh -i id_fedora_rsa localhost
    staff@localhost's password:
    $ exit
    $ chcon -t ssh_home_t id_fedora_rsa
    $ ssh -i id_fedora_rsa localhost
    Last login: Mon Nov  5 14:02:13 2012 from localhost
    $ rpm -q openssh selinux-policy
    openssh-5.8p2-25.fc16.x86_64
    selinux-policy-3.10.0-91.fc16.noarch
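The session above shows the failure mode in practice: a key generated outside ~/.ssh carries the user_home_t label, the ssh client falls back to a password prompt, and only after `chcon -t ssh_home_t` does key authentication succeed. The following is an added example, not part of the bug thread or of the openssh/selinux-policy packages, that checks a set of key files for this mislabeling offline. It assumes the `ls -lZ` column layout shown in the thread (perms, owner, group, context, name); the sample listing is constructed from the labels printed above, and the fix commands are printed rather than executed.

```shell
# Added example: detect SSH key files whose SELinux type is not ssh_home_t.
# Sample `ls -lZ` lines, constructed from the labels shown in the bug thread
# plus one correctly labeled key for contrast.
SAMPLE_LS_LZ='-rw-------. staff staff staff_u:object_r:user_home_t:s0 id_fedora_rsa
-rw-r--r--. staff staff staff_u:object_r:user_home_t:s0 id_fedora_rsa.pub
-rw-------. staff staff staff_u:object_r:ssh_home_t:s0 id_rsa'

# Read `ls -lZ` lines on stdin and print "<file> <type>" for every entry
# whose SELinux type (third component of user:role:type:level) is not
# ssh_home_t. The context is located by pattern rather than by a fixed
# column, so extra columns (size, date) in other ls versions do not matter.
mislabeled_keys() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+_t(:.*)?$/) {
                split($i, ctx, ":")
                if (ctx[3] != "ssh_home_t") print $NF, ctx[3]
                break
            }
        }
    }'
}

# Print the relabel command used in the thread for each mislabeled file.
# restorecon would only help for files under ~/.ssh, where the policy's
# file contexts already say ssh_home_t; for a key kept elsewhere (as in
# the thread's ~/tmp case) an explicit chcon is what fixes it.
suggest_fix() {
    mislabeled_keys | awk '{ print "chcon -t ssh_home_t " $1 }'
}

# Number of mislabeled entries in the constructed sample (returns 2).
count_mislabeled() {
    printf '%s\n' "$SAMPLE_LS_LZ" | mislabeled_keys | wc -l | tr -d ' '
}

# Stand-alone run: report, then the suggested commands.
printf '%s\n' "$SAMPLE_LS_LZ" | mislabeled_keys
printf '%s\n' "$SAMPLE_LS_LZ" | suggest_fix
```

On a live Fedora system the same check is `ls -lZ ~/.ssh | mislabeled_keys` (or a `find ~/.ssh -context` query); a non-empty result is the label drift that makes ssh silently ignore the key and prompt for a password, exactly as in the transcript above.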