On Sun, 2011-01-02 at 00:14 -0800, Gordon Messmer wrote:
> On 01/01/2011 05:14 PM, Matthew Saltzman wrote:
> >
> > ssh with keys by a normal user works fine. No error messages to be
> > found in /var/log/secure on the client or with ssh -v on the server.
> Does the output from "ssh -v" indicate that the correct key file is
> being offered?
Yes. The relevant lines from ssh -v are
debug1: Next authentication method: publickey
debug1: Offering public key: /var/lib/amanda/.ssh/id_rsa
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /var/lib/amanda/.ssh/id_dsa
debug1: Next authentication method: password
amandabackup@client's password:
So the key is being offered, but there is no acknowledgment from the
client and no indication of any problem in the client's /var/log/secure.
Aha! In /var/log/messages, on the other hand, this happens:
Jan 2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from
search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert
-l d477003b-6568-4441-95d8-60bda5a6c0e5
Jan 2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from
search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert
-l d477003b-6568-4441-95d8-60bda5a6c0e5
The full SELinux message is
$ sudo sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
SELinux is preventing /usr/sbin/sshd from search access on the directory
/var/lib/amanda.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that sshd should be allowed search access on the amanda directory
by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep /usr/sbin/sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
So I will file the bug.
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
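The diagnosis above turns on one point: when SELinux denies sshd access to the user's home directory, the client sees nothing in /var/log/secure and simply falls through to password authentication, and the only evidence is the setroubleshoot line in /var/log/messages. The following is an added example, not code from this thread or from any of the projects mentioned; it parses setroubleshoot syslog lines into structured records, collapses repeated lines by their sealert id, and flags the denials that would produce exactly this silent publickey fallback. The sample log text is constructed from the lines quoted above plus one unrelated sshd line; the `sshd` source path and the access types it treats as key-blocking are assumptions about a typical setup.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass

# Constructed sample: the two setroubleshoot lines quoted in the message,
# re-joined onto single lines as syslog writes them, plus one unrelated
# sshd line to show that the parser ignores non-setroubleshoot records.
SAMPLE_MESSAGES = """\
Jan 2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
Jan 2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
Jan 2 09:41:02 yankee sshd[1234]: Accepted password for amandabackup from 192.0.2.10 port 51234 ssh2
"""

# Matches the "SELinux is preventing <source> from <access> access on the
# <class> <target>" wording that setroubleshoot writes to syslog.
SETROUBLESHOOT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+setroubleshoot:\s+"
    r"SELinux is preventing (?P<source>\S+) from (?P<access>\w+) access "
    r"on the (?P<tclass>\w+) (?P<target>\S+?)\.?\s+For complete SELinux messages\.\s+"
    r"run sealert -l (?P<alert_id>[0-9a-f-]{36})\s*$"
)

# Accesses sshd needs on the path to ~/.ssh/authorized_keys; a denial of any
# of these makes publickey auth fail without a client-side error (assumption
# about a typical policy; adjust for your distribution).
KEY_LOOKUP_ACCESSES = {"search", "read", "getattr", "open"}
SSHD_SOURCE = "/usr/sbin/sshd"  # assumed daemon path, as in the quoted log


@dataclass(frozen=True)
class Denial:
    timestamp: str
    host: str
    source: str     # process that was denied, e.g. /usr/sbin/sshd
    access: str     # requested access, e.g. search
    tclass: str     # object class, e.g. directory
    target: str     # object path, e.g. /var/lib/amanda
    alert_id: str   # id to pass to "sealert -l"


def parse_setroubleshoot(text: str) -> list[Denial]:
    """Extract one Denial per setroubleshoot line; other lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = SETROUBLESHOOT_RE.match(line)
        if m:
            denials.append(Denial(m["ts"], m["host"], m["source"], m["access"],
                                  m["tclass"], m["target"], m["alert_id"]))
    return denials


def summarize(denials: list[Denial]) -> "OrderedDict[str, dict]":
    """Collapse repeated lines by sealert id, keeping the first record and a count."""
    summary: "OrderedDict[str, dict]" = OrderedDict()
    for d in denials:
        entry = summary.setdefault(d.alert_id, {"denial": d, "count": 0})
        entry["count"] += 1
    return summary


def explains_silent_pubkey_fallback(d: Denial) -> bool:
    """True when this denial would make sshd silently skip authorized_keys."""
    return d.source == SSHD_SOURCE and d.access in KEY_LOOKUP_ACCESSES


if __name__ == "__main__":
    for alert_id, entry in summarize(parse_setroubleshoot(SAMPLE_MESSAGES)).items():
        d = entry["denial"]
        flag = "KEY-AUTH IMPACT" if explains_silent_pubkey_fallback(d) else ""
        print(f"{d.host}: {d.source} denied {d.access} on {d.tclass} {d.target} "
              f"x{entry['count']} (sealert -l {alert_id}) {flag}")
```

Run against a real /var/log/messages, the summary gives one line per distinct alert with a repeat count, which is usually quicker to read than the raw log, and the flag tells you which of them to check before looking anywhere else for a publickey failure that leaves /var/log/secure clean.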