On Sun, 2011-01-02 at 00:14 -0800, Gordon Messmer wrote: 
> On 01/01/2011 05:14 PM, Matthew Saltzman wrote:
> >
> > ssh with keys by a normal user works fine.  No error messages to be
> > found in /var/log/secure on the client or with ssh -v on the server.
> 
> Does the output from "ssh -v" indicate that the correct key file is 
> being offered?
> 

Yes.  The relevant lines from ssh -v are

        debug1: Next authentication method: publickey
        debug1: Offering public key: /var/lib/amanda/.ssh/id_rsa
        debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
        debug1: Trying private key: /var/lib/amanda/.ssh/id_dsa
        debug1: Next authentication method: password
        amandabac...@client's password: 

So the key is being offered, but there is no acknowledgment from the
client and no indication of any problem in the client's /var/log/secure.

Aha! In /var/log/messages, on the other hand, this happens:

        Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
        Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5

The full SELinux message is

        $ sudo sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
        SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda.
        
        *****  Plugin catchall (100. confidence) suggests  ***************************
        
        If you believe that sshd should be allowed search access on the amanda directory by default.
        Then you should report this as a bug.
        You can generate a local policy module to allow this access.
        Do allow this access for now by executing:
        # grep /usr/sbin/sshd /var/log/audit/audit.log | audit2allow -M mypol
        # semodule -i mypol.pp
        
So I will file the bug.
-- 
                Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
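
The silent publickey failure above only became visible in /var/log/messages, so the following is an added example (not part of the original message) that summarises setroubleshoot denials against sshd from such a log. The function names and the ntpd line in the sample are constructed for illustration; the two setroubleshoot lines are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: list SELinux denials that setroubleshoot logged for sshd.
# Handles the "<perm> access on the <class> <target>" message form shown in
# the thread. Output per unique denial: count, permission, target, sealert id.

sshd_selinux_denials() {
    # $1: syslog file (e.g. /var/log/messages); reads stdin when omitted.
    awk '
    /setroubleshoot: SELinux is preventing \/usr\/sbin\/sshd from .* access on the / {
        access = ""; target = ""; id = ""; in_access = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "from") { in_access = 1; continue }
            if ($i == "access") in_access = 0
            # Words between "from" and "access" are the denied permission(s).
            if (in_access) access = (access == "" ? $i : access " " $i)
            # The target path is the word just before "For complete ...".
            if ($i == "For" && target == "") {
                target = $(i - 1); sub(/\.$/, "", target)
            }
            # The id after "sealert -l" retrieves the full report.
            if ($i == "-l") id = $(i + 1)
        }
        seen[access "\t" target "\t" id]++
    }
    END { for (k in seen) printf "%d\t%s\n", seen[k], k }
    ' "${1:--}" | sort
}

# Constructed sample input: the ntpd line is invented, the setroubleshoot
# lines are copied from the message above.
sample_log() {
    cat <<'EOF'
Jan  2 09:39:58 yankee ntpd[1201]: synchronized to LOCAL(0), stratum 10
Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
EOF
}

sample_log | sshd_selinux_denials
```

On a real host, pass the log path instead of the sample, for example `sshd_selinux_denials /var/log/messages`, and feed the reported id to `sealert -l`.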