Getting bitten by SELinux and sshd authorized_keys




TL;DR:  If you can't ssh using a public key, it could be a SELinux thing.


Logging in to a server with ssh using your public key is pretty handy. While setting up an OEL 6 VM, I ran into a strange error where sshd would not let me log in with a public key, even though my key was in ~oracle/.ssh/authorized_keys. Password logins worked just fine.

Somewhat puzzling: I could ssh into the root account using my public key and without a password.

Nine times out of ten, this is a permission problem. sshd is picky about the permissions on your home directory, ~/.ssh, and the authorized_keys file. I carefully checked this over, but in this instance permissions were not the problem.

The standard advice to debug SSH problems is to run sshd in the foreground with debugging turned on:

service sshd stop
/usr/sbin/sshd -dD

And of course my problem promptly disappeared. Hmmm, so it works in debug mode, but not when running as a daemon. It also works fine to ssh into the root account, but not ~oracle.

My initial google-fu skills were weak, but on a hunch I googled "sshd SELinux".

Bingo:

http://serverfault.com/questions/50573/selinux-preventing-passwordless-ssh-login


In my case disabling SELinux did the trick (not good for production, but acceptable for my purposes).
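As an added example that is not part of the original post, the following script does the SELinux side of this triage for one user: it reports the enforcing mode, checks that ~/.ssh and authorized_keys carry the ssh_home_t type the confined sshd domain expects, scans recent audit denials attributed to sshd, and prints the restorecon command that fixes the labels without turning SELinux off. It assumes getenforce, stat -c %C, ausearch and restorecon are present (standard on OEL/RHEL 6); the audit line embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Triages a public-key login failure
# for one user from the SELinux angle. Assumes getenforce, stat -c %C, ausearch
# and restorecon are available (standard on OEL/RHEL 6).

# Constructed sample of an SELinux denial as it would appear in /var/log/audit/audit.log.
SAMPLE_AVC='type=AVC msg=audit(1300000000.000:100): avc:  denied  { read } for  pid=2345 comm="sshd" name="authorized_keys" dev=dm-0 ino=12345 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# Returns 0 if the audit line is an AVC denial raised against sshd, 1 otherwise.
is_sshd_avc_denial() {
    case "$1" in
        *"type=AVC"*"denied"*'comm="sshd"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Type field of a context string: unconfined_u:object_r:admin_home_t:s0 -> admin_home_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Files under ~/.ssh must carry ssh_home_t for the confined sshd_t domain to read them.
ssh_context_ok() {
    [ "$(context_type "$1")" = "ssh_home_t" ]
}

# Print the SELinux mode, the labels on the user's key files and any recent
# denials attributed to sshd, then the command that relabels instead of disabling.
triage_user() {
    user="$1"
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] || { echo "no such user: $user" >&2; return 1; }
    echo "SELinux mode: $(getenforce 2>/dev/null || echo unavailable)"
    for f in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        ctx=$(stat -c %C "$f" 2>/dev/null) || { echo "$f: missing"; continue; }
        if ssh_context_ok "$ctx"; then
            echo "$f: $ctx (ok)"
        else
            echo "$f: $ctx (WRONG, expected ssh_home_t)"
        fi
    done
    # ausearch -c filters on the comm field; -ts recent covers the last 10 minutes.
    ausearch -m avc -c sshd -ts recent 2>/dev/null | while IFS= read -r line; do
        is_sshd_avc_denial "$line" && echo "denial: $line"
    done
    echo "Relabel with: restorecon -R -v $home/.ssh"
}

if [ $# -gt 0 ]; then triage_user "$1"; fi
```

Run it as root with the affected user name as the only argument; a mismatched type on either path, or a printed denial, points at labels rather than permissions.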


