Re: ssh by user amandabackup [SOLVED]

On Sun, 2011-01-02 at 09:45 -0500, Matthew Saltzman wrote: 
> On Sun, 2011-01-02 at 00:14 -0800, Gordon Messmer wrote: 
> > On 01/01/2011 05:14 PM, Matthew Saltzman wrote:
> > >
> > > ssh with keys by a normal user works fine.  No error messages to be
> > > found in /var/log/secure on the client or with ssh -v on the server.
> > 
> > Does the output from "ssh -v" indicate that the correct key file is 
> > being offered?
> > 
> 
> Yes.  The relevant lines from ssh -v are
> 
>         debug1: Next authentication method: publickey
>         debug1: Offering public key: /var/lib/amanda/.ssh/id_rsa
>         debug1: Authentications that can continue:
>         publickey,gssapi-keyex,gssapi-with-mic,password
>         debug1: Trying private key: /var/lib/amanda/.ssh/id_dsa
>         debug1: Next authentication method: password
>         amandabackup@client's password: 
> 
> So the key is being offered, but there is no acknowledgment from the
> client and no indication of any problem in the client's /var/log/secure.
> 
> Aha! In /var/log/messages, on the other hand, this happens:
> 
>         Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
>         Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
> 
> The full SELinux message is
> 
>         $ sudo sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
>         SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda.
>         
>         *****  Plugin catchall (100. confidence) suggests  ***************************
>         
>         If you believe that sshd should be allowed search access on the amanda directory by default.
>         Then you should report this as a bug.
>         You can generate a local policy module to allow this access.
>         Do allow this access for now by executing:
>         # grep /usr/sbin/sshd /var/log/audit/audit.log | audit2allow -M mypol
>         # semodule -i mypol.pp
>         
> So I will file the bug.

https://bugzilla.redhat.com/show_bug.cgi?id=666722

-- 
                Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
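
The check that resolved this thread, as an added example (not part of the original message): when key authentication falls back to a password prompt and /var/log/secure shows nothing, summarise the setroubleshoot lines in /var/log/messages. The function names and the sshd line in the sample are constructed; the two setroubleshoot lines are the ones quoted above.

```shell
#!/bin/sh
# Summarise setroubleshoot denials read from syslog-format input on stdin.
# Prints one line per unique denial: count|process|access|target|sealert-id
# On a live host: summarize_denials < /var/log/messages
summarize_denials() {
    awk '
    /setroubleshoot: SELinux is preventing / {
        # msg = "<proc> from <access> access on the <class> <path>. For complete ..."
        msg = $0
        sub(/^.*SELinux is preventing /, "", msg)

        proc = msg
        sub(/ from .*$/, "", proc)

        access = msg
        sub(/^.* from /, "", access)
        sub(/ access on .*$/, "", access)

        target = msg
        sub(/^.* access on the [a-z_]+ /, "", target)
        sub(/\. For complete.*$/, "", target)

        # The id after "sealert -l " (11 characters) is what sealert expects.
        id = ""
        if (match($0, /sealert -l [0-9a-f-]+/))
            id = substr($0, RSTART + 11, RLENGTH - 11)

        # Collapse repeats of the same denial, keeping first-seen order.
        key = proc "|" access "|" target "|" id
        if (!(key in count)) order[++n] = key
        count[key]++
    }
    END { for (i = 1; i <= n; i++) print count[order[i]] "|" order[i] }
    '
}

# Sample input: first line constructed, the other two taken from the message above.
sample_log() {
    cat <<'EOF'
Jan  2 09:40:35 yankee sshd[2211]: Connection from 192.0.2.10 port 51522
Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
EOF
}

sample_log | summarize_denials
```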