Re: ssh by user amandabackup [SOLVED]

On Sun, 2011-01-02 at 00:14 -0800, Gordon Messmer wrote: 
> On 01/01/2011 05:14 PM, Matthew Saltzman wrote:
> >
> > ssh with keys by a normal user works fine.  No error messages to be
> > found in /var/log/secure on the client or with ssh -v on the server.
> 
> Does the output from "ssh -v" indicate that the correct key file is 
> being offered?
> 

Yes.  The relevant lines from ssh -v are

        debug1: Next authentication method: publickey
        debug1: Offering public key: /var/lib/amanda/.ssh/id_rsa
        debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
        debug1: Trying private key: /var/lib/amanda/.ssh/id_dsa
        debug1: Next authentication method: password
        amandabackup@client's password: 

So the key is being offered, but there is no acknowledgment from the
client and no indication of any problem in the client's /var/log/secure.

Aha! In /var/log/messages, on the other hand, this happens:

        Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
        Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5

The full SELinux message is

        $ sudo sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
        SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda.
        
        *****  Plugin catchall (100. confidence) suggests  ***************************
        
        If you believe that sshd should be allowed search access on the amanda directory by default.
        Then you should report this as a bug.
        You can generate a local policy module to allow this access.
        Do allow this access for now by executing:
        # grep /usr/sbin/sshd /var/log/audit/audit.log | audit2allow -M mypol
        # semodule -i mypol.pp
        
So I will file the bug.
-- 
                Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
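
The check that located the cause in the message above (sshd denials that setroubleshoot writes to /var/log/messages while /var/log/secure stays silent), as an added example that is not part of the original post. The function names `sshd_selinux_denials` and `sample_log` are assumptions, and the httpd line in the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): list the SELinux denials that
# setroubleshoot logged against sshd, one unique line per denial:
#   <access> TAB <target path> TAB <sealert id>

# Hypothetical helper. Reads the named syslog files, or stdin when none given.
sshd_selinux_denials() {
    awk '
    /setroubleshoot: SELinux is preventing \/usr\/sbin\/sshd from / {
        access = ""; path = ""; id = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "from" && access == "") {
                # Words between "from" and "access" name the denied permission.
                for (j = i + 1; j <= NF && $j != "access"; j++)
                    access = (access == "" ? $j : access " " $j)
                # "access on the <class> <path>." puts the path 4 fields later.
                path = $(j + 4)
                sub(/\.$/, "", path)
            }
            if ($i == "-l") id = $(i + 1)
        }
        key = access "\t" path "\t" id
        # setroubleshoot often logs the same denial more than once.
        if (!(key in seen)) { seen[key] = 1; print key }
    }' "$@"
}

# Sample input: the first two lines are the ones quoted in the post; the
# httpd line is constructed to show that other processes are ignored.
sample_log() {
    cat <<'EOF'
Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
Jan  2 09:41:02 yankee setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file /srv/example/index.html. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000000
EOF
}

# Demo on the embedded sample; prints a single sshd denial.
sample_log | sshd_selinux_denials
```

On a live host, run `sshd_selinux_denials /var/log/messages` and pass each reported id to `sealert -l` for the full message.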

