View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000297 | AlmaLinux-9 | General | public | 2022-08-31 11:52 | 2024-08-16 20:01 |
Reporter | spwz | Assigned To | elkhan | ||
Priority | high | Severity | major | Reproducibility | always |
Status | feedback | Resolution | open | ||
Platform | x86_64 on AWS | OS | almalinux | OS Version | 9.0 |
Summary | 0000297: AlmaLinux OS 9 (x86_64) on AWS doesn't support ssh access to user with customized home directory | ||||
Description:

Tested images in ap-southeast-2 (AMI ID: ami-093bbccf3fc2c0bd9) and eu-central-1 (AMI ID: ami-0826456de815d0e9e). AMI name: AlmaLinux OS 9.0.20220715 x86_64-3c74c2ba-21a2-4dc1-a65d-fd0ee7d79900.

AlmaLinux OS 9 (x86_64) on AWS doesn't support SSH access with keys to a user whose home directory is customized to something other than the default /home/<username>. The client side reports the error: "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)."

Steps To Reproduce:

Operations:
1. Logged in as ec2-user and "sudo su" as root.
2. Create a user with "useradd git1 -d /git1".
3. "su - git1".
4. Create the .ssh folder and an authorized_keys file copied from /home/ec2-user/.ssh/authorized_keys (the pub key here should be valid, as it's for ec2-user as well).
5. Unable to use the matching private key to ssh as user git1.
6. Switching off SELinux doesn't work either.

The authorized_keys file has access rights 600, the same as that for ec2-user.

Note:
1. This same operation is OK for an AlmaLinux 8.6 EC2 instance in AWS.
2. Using another user name has the same result.

Tags: No tags attached.
Hi spwz,

It's an upstream behavior, not AlmaLinux OS specific; it is present in RHEL 9.1 too. But I can propose some steps for you:

1. Get the SELinux audit log:

    ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent

As we can see from the output, the source (the sshd process) and the target (/git1/.ssh/authorized_keys) are not sharing the same SELinux labels:

    scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0

Since you created the git1 user's home outside of /home, unlike /home/ec2-user, they have different SELinux labels. Therefore we need to change the SELinux type of the /git1 directory from "system_u:object_r:default_t" to "unconfined_u:object_r:user_home_dir_t" recursively.

Firstly, we need to change it temporarily to find out whether it works or not. Use the ec2-user's home directory as a reference:

    chcon -R --reference=/home/ec2-user/ /git1/

Delete the .ssh directory, recreate it and put the key in .ssh/authorized_keys again. The new .ssh directory and authorized_keys will be labeled correctly this time.

Permanently: to make sure the new label will not be changed, neither by the package manager nor during relabeling of the file system, use the ec2-user's home directory as a reference again:

    semanage fcontext -a -e /home/ec2-user /git1
    restorecon -Rv /git1
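As an added example, not part of the issue or of elkhan's reply, here is a POSIX shell script that parses an AVC record like the one quoted in the reply, decides whether it is the sshd-versus-home-directory label mismatch described in this issue, and prints the relabel commands from the reply for a given home directory and reference home. The AVC record is constructed for this example (its scontext/tcontext fields are modelled on the reply); the set of types accepted by home_type as "home directory" types is an assumption about the default targeted policy.

```shell
#!/bin/sh
# Added example: classify an sshd AVC denial as a home-directory label mismatch
# and emit the relabel commands recommended in the reply. Not from the bug report.

# Constructed sample AVC record (scontext/tcontext modelled on the reply's output).
SAMPLE_AVC='type=AVC msg=audit(1661947200.123:456): avc:  denied  { read } for  pid=1234 comm="sshd" name="authorized_keys" dev="nvme0n1p2" ino=123456 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'

# avc_field RECORD NAME: print the value of the NAME=value field of an audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# selinux_type CONTEXT: print the type component of user:role:TYPE:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# home_type TYPE: succeed if TYPE is a home-directory type that sshd_t is
# expected to read. Assumption: this small family is sufficient for the check.
home_type() {
    case "$1" in
        user_home_dir_t|user_home_t|ssh_home_t) return 0 ;;
        *) return 1 ;;
    esac
}

# sshd_home_mismatch RECORD: succeed when RECORD is an sshd_t denial against a
# target that does not carry a home-directory type (the situation in this issue).
sshd_home_mismatch() {
    stype=$(selinux_type "$(avc_field "$1" scontext)")
    ttype=$(selinux_type "$(avc_field "$1" tcontext)")
    [ "$stype" = "sshd_t" ] || return 1
    home_type "$ttype" && return 1
    return 0
}

# fix_commands HOME REFHOME: print the reply's commands in order: the temporary
# chcon to test with, then the persistent fcontext equivalence plus restorecon.
fix_commands() {
    printf 'chcon -R --reference=%s %s\n' "$2" "$1"
    printf 'semanage fcontext -a -e %s %s\n' "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Stand-alone demo on the constructed record.
if sshd_home_mismatch "$SAMPLE_AVC"; then
    echo "sshd_t denied on type $(selinux_type "$(avc_field "$SAMPLE_AVC" tcontext)"); relabel with:"
    fix_commands /git1 /home/ec2-user
fi
```

On a real host, feed it the output of the ausearch command from the reply. After applying the printed commands, ls -dZ /git1 and ls -Z /git1/.ssh/authorized_keys should show the home-directory types, and semanage fcontext -l will list the /git1 = /home/ec2-user equivalence; the chcon step alone is undone by the next restorecon or file system relabel, which is why the semanage equivalence is the part that has to stay.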