Re: sshd Authentication refused

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



"Rick Sewill wrote:"
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 07/13/2010 01:43 PM, Kevin Fenzi wrote:
> > On Tue, 13 Jul 2010 11:16:46 -0700 (PDT)
> > David Highley <[email protected]> wrote:
> > 
> >> New install of Fedora 13 we get the following /var/log/secure entry
> >> when we ssh from a Fedora 12 system to the Fedora 13 system:
> >> Authentication refused: bad ownership or modes for
> >> file /home/dhighley/.ssh/authorized_keys
> >>
> >> We have checked and tried different modes until we are blue in the
> >> face. Have read the upates notes for openssh and Fedora 13 release.
> >> Googled the net for know issues and bugzilla.redhat.com. We did check
> >> for selinux blocks and found none.
> >>
> >> User home directory is auto NFS mounted and we use NIS. This works
> >> Fedora 12 to Fedora 12.
> > 
> > You may want to use 'ssh-copy-id' to copy the key over to the f13
> > system. That will setup the right permissions and such automatically
> > for you. 

Where would I copy it if I'm using auto mounted home directories?

> > 
> > Also, you will want to see if there are any selinux alerts on the f13
> > machine. 'ausearch -m avc -ts today' can list the ones from today. 

See above, we did check for selinux denials. We also did a restorcon -v
-R .ssh just in case and nothing changed.

> > 
> > kevin
> > 
> 
> I cannot explain how f12 <--> f12 works, but f12 <--> f13 does not.
> I can only guess there is something different for the NFS mount -or-
> something different regarding NIS.
> 
> =====
> 
> One possibility, which I consider very, very remote is the following.
> 
> I may be wrong but I think the ownership and modes for all the parent
> directories from your /home/dhighley/.ssh directory also matter.

Directory .ssh has mode of 700.
File .ssh/authorized_keys has a mode of 600
Home directory dhighley has a mode of 750

All are owned by the user and the user's group.

> 
> I assume you made sure /home/dhighley/.ssh is mode 700.
> What is the mode of /home/dhlighley?  Is it 755 (I think that's okay).
> I think any write mode for group or other would be bad.
> I assume /home/dhlighley is owned by you, the user.
> 
> What about /home?  Who owns it?  What is it's mode?
> I think root must own it.
> I think only root should have write access to it.

Mode of /home is 755 and owned by root on the NFS server and the client
Fedora 13 system.

> 
> I actually assume the ownership and modes are all correct...the
> possibility of this being the problem seems exceedingly rare to me, but
> please check.
> 
> =====
> 
> Another possibility, which I also consider remote, but is worth asking.
> On the f13 machine, when you log in as dhlighley, is the user name only
> found in NIS?  On occasion, if one is testing something new, one might
> put in a local account in the /etc/passwd file, and forget it is there.
> Depending on your /etc/nsswitch.conf file, the local file is probably
> checked before NIS.

There are no local user file entries on the Fedora 13 system.

> 
> Sorry, can't think of anything else.  Others have already mentioned selinux.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAkw8ubMACgkQyc8Kn0p/AZSC9wCePd3r5B52EBYAQ7mQtRsPWeql
> 99AAn2UBA4uvL7lvX9zBF2mm82OYObu9
> =xTPl
> -----END PGP SIGNATURE-----
> -- 
> users mailing list
> [email protected]
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> 
-- 
users mailing list
[email protected]
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux