View Issue Details

ID: 0000297
Project: AlmaLinux-9
Category: General
View Status: public
Last Update: 2022-12-09 23:19
Reporter: spwz
Assigned To: elkhan
Status: assigned
Resolution: open
Platform: x86_64 on AWS
OS: almalinux
OS Version: 9.0
Summary: 0000297: AlmaLinux OS 9 (x86_64) on AWS doesn't support ssh access to user with customized home directory
Description: Tested images in ap-southeast-2 (AMI ID: ami-093bbccf3fc2c0bd9) and eu-central-1 (AMI ID: ami-0826456de815d0e9e). AMI name: AlmaLinux OS 9.0.20220715 x86_64-3c74c2ba-21a2-4dc1-a65d-fd0ee7d79900

AlmaLinux OS 9 (x86_64) on AWS doesn't support ssh access with keys to a user with customized home directory other than default /home/<username>

Client side reports the error: "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)."
Steps To Reproduce:
Operations:
1. Logged in as ec2-user and "sudo su" as root
2. Create a user with "useradd git1 -d /git1"
3. "su - git1"
4. Create the .ssh folder and an authorized_keys file copied from /home/ec2-user/.ssh/authorized_keys (the pub key here should be valid as it's for ec2-user as well).
5. Unable to use the matching private key to ssh as user git1
6. Switching off SELinux doesn't work either. The authorized_keys file has access rights of 600, the same as for ec2-user

1. This same operation is OK for an AlmaLinux 8.6 EC2 instance in AWS
2. Using other user names has the same result.
Tags: No tags attached.



Note ~0000762 by elkhan (developer), 2022-12-09 23:19

Hi spwz,

It's an upstream behavior, not AlmaLinux OS specific, which is present in RHEL 9.1 too.

But I can propose some steps for you:

1. Get the SELinux audit log:

As we can see from the output, the source (the sshd process) and the target (/git1/.ssh/authorized_keys) are not sharing the same SELinux labels.


Since you created the git1 user's home outside /home (unlike /home/ec2-user), they have different SELinux labels.

Therefore we need to change the SELinux type of the /git1 directory from "system_u:object_r:default_t" to "unconfined_u:object_r:user_home_dir_t" recursively:

Firstly, we need to change it temporarily to find out whether it works or not:

Use the ec2-user's home directory as a reference:

chcon -R --reference=/home/ec2-user/ /git1/

Delete the .ssh directory, recreate it and put the key in the .ssh/authorized_keys file. The new .ssh directory and authorized_keys file will be labeled correctly this time.

To make sure the new label will be changed neither by the package manager nor during a relabeling of the file system:

Use the ec2-user's home directory as a reference again:

semanage fcontext -a -e /home/ec2-user /git1

restorecon -Rv /git1

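An added example, not from the ticket or from AlmaLinux: a small POSIX sh helper that parses an AVC denial line of the kind step 1 above collects, flags the "home directory outside /home carries default_t" case the note describes, and wraps the note's chcon/semanage/restorecon fix in a function. The two AVC lines are constructed samples; sshd_t as the sshd domain is an assumption, default_t on /git1 is what the ticket reports.

```shell
# Constructed AVC denial: sshd (sshd_t) denied read on an authorized_keys file
# labeled default_t, the label a home directory created outside /home gets.
SAMPLE_AVC='type=AVC msg=audit(1661945000.123:456): avc:  denied  { read } for  pid=2345 comm="sshd" name="authorized_keys" dev="nvme0n1p2" ino=1234 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0'

# Constructed denial whose target already carries a home-directory type; it
# needs a different explanation and must not be classified as the relabel case.
OTHER_AVC='type=AVC msg=audit(1661945100.456:789): avc:  denied  { read } for  pid=2346 comm="sshd" name="authorized_keys" dev="nvme0n1p2" ino=1235 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of "KEY=value" from an AVC line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: print the type field of a user:role:type[:level] context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE: "relabel_home" when sshd (assumed domain sshd_t) was
# denied a file labeled default_t, i.e. the mislabeled-home pattern from the
# ticket; "other" for any other denial.
classify_avc() {
    comm=$(avc_field "$1" comm | tr -d '"')
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ "$comm" = sshd ] && [ "$src" = sshd_t ] && [ "$tgt" = default_t ]; then
        echo relabel_home
    else
        echo other
    fi
}

# relabel_home HOME_DIR REFERENCE_DIR: apply the note's fix on a live SELinux
# host (run as root; semanage comes from policycoreutils-python-utils):
# temporary chcon first, then the persistent file-context equivalence.
relabel_home() {
    chcon -R --reference="$2" "$1" || return 1
    semanage fcontext -a -e "$2" "$1" || return 1
    restorecon -Rv "$1"
}

classify_avc "$SAMPLE_AVC"   # relabel_home
classify_avc "$OTHER_AVC"    # other
```

After relabel_home, re-create .ssh/authorized_keys as the note says, so the new files inherit the home-directory labels rather than default_t.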
Issue History

Date Modified Username Field Change
2022-08-31 11:52 spwz New Issue
2022-09-27 12:36 elkhan Assigned To => elkhan
2022-09-27 12:36 elkhan Status new => assigned
2022-12-09 23:19 elkhan Note Added: 0000762