View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000297 | AlmaLinux-9 | General | public | 2022-08-31 11:52 | 2022-12-09 23:19 |

| Platform | OS | OS Version |
|---|---|---|
| x86_64 on AWS | almalinux | 9.0 |
**Summary:** 0000297: AlmaLinux OS 9 (x86_64) on AWS doesn't support ssh access to user with customized home directory
**Description:** Tested images in ap-southeast-2 (AMI ID: ami-093bbccf3fc2c0bd9) and eu-central-1 (AMI ID: ami-0826456de815d0e9e). AMI name: AlmaLinux OS 9.0.20220715 x86_64-3c74c2ba-21a2-4dc1-a65d-fd0ee7d79900

AlmaLinux OS 9 (x86_64) on AWS doesn't support ssh access with keys to a user with a customized home directory other than the default /home/<username>.
The client side reports the error: "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)."
**Steps To Reproduce:** Operations:
1. Logged in as ec2-user and ran "sudo su" to become root.
2. Created the user with "useradd git1 -d /git1".
3. Ran "su - git1".
4. Created the .ssh folder and an authorized_keys file copied from /home/ec2-user/.ssh/authorized_keys (the public key here should be valid, as it is for ec2-user as well).
5. Unable to use the matching private key to ssh as user git1.
6. Switching off SELinux doesn't work either. The authorized_keys file has permissions 600, the same as for ec2-user.

1. This same operation is OK for an AlmaLinux 8.6 EC2 instance in AWS.
2. Using another user name has the same result.
**Tags:** No tags attached.
It's an upstream behavior, not AlmaLinux OS specific, which is present in RHEL 9.1 too.
But I can propose some steps for you:
1. Get the SELinux audit log:

```
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
```
As we can see from the output, the source (the sshd process) and the target (/git1/.ssh/authorized_keys) are not sharing the same SELinux labels.
Since you created the git1 user's home outside /home, unlike /home/ec2-user, they have different SELinux labels.
Therefore we need to change the SELinux type of the /git1 directory from "system_u:object_r:default_t" to "unconfined_u:object_r:user_home_dir_t" recursively:
Firstly, we need to change it temporarily to find out whether it works or not:
Use the ec2-user's home directory as a reference:

```
chcon -R --reference=/home/ec2-user/ /git1/
```
Delete the .ssh directory, recreate it, and put the key in the .ssh/authorized_keys file. The new .ssh directory and authorized_keys will be labeled correctly this time.
To make sure the new label will not be changed either by the package manager or during a relabeling of the file system, use the ec2-user's home directory as a reference again:

```
semanage fcontext -a -e /home/ec2-user /git1
restorecon -Rv /git1
```
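The diagnosis and fix in the comment above, as an added shell example that is not code from the AlmaLinux bug tracker or from the commenter: it pulls the source and target types out of an AVC denial line, checks whether a custom home directory and its .ssh contents carry the labels sshd expects, and prints the same persistent relabel commands the comment gives. The paths /git1 and /home/ec2-user come from the report; the expected types user_home_dir_t and ssh_home_t are the targeted-policy defaults and are an assumption of this script; the AVC line is constructed to resemble ausearch output for this bug. Nothing here modifies the system; it only reports and prints commands.

```shell
#!/bin/sh
# Added example, not code from the AlmaLinux bug tracker or the commenter.
# Assumptions: /git1 and /home/ec2-user come from the report; user_home_dir_t
# (home directory) and ssh_home_t (~/.ssh and authorized_keys) are assumed to
# be the expected targeted-policy types. SAMPLE_AVC is a constructed line.

HOME_DIR_TYPE="user_home_dir_t"
SSH_TYPE="ssh_home_t"

# Constructed sample of the denial ausearch would show for this report.
SAMPLE_AVC='type=AVC msg=audit(1661945123.456:789): avc:  denied  { read } for  pid=1234 comm="sshd" name="authorized_keys" dev="nvme0n1p2" ino=123456 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0'

# selinux_type CONTEXT -> the type field (third colon-separated field) of a
# context such as "system_u:object_r:default_t:s0"
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_source_type LINE / avc_target_type LINE -> the type of the process that
# was denied (scontext) and of the file it tried to read (tcontext)
avc_source_type() {
    selinux_type "$(printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')"
}
avc_target_type() {
    selinux_type "$(printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')"
}

# label_ok CONTEXT EXPECTED_TYPE -> success when the context carries that type
label_ok() {
    [ "$(selinux_type "$1")" = "$2" ]
}

# current_context PATH -> the file's context from stat, or empty when the path
# does not exist or the host has no SELinux labels (stat prints "?")
current_context() {
    ctx="$(stat -c '%C' "$1" 2>/dev/null || true)"
    if [ "$ctx" = "?" ]; then ctx=""; fi
    printf '%s\n' "$ctx"
}

# remediation REF_HOME TARGET_HOME -> the persistent fix from the comment:
# an fcontext equivalence to the reference home, then a relabel
remediation() {
    printf 'semanage fcontext -a -e %s %s\n' "$1" "$2"
    printf 'restorecon -Rv %s\n' "$2"
}

# check_home TARGET_HOME -> "ok", or "mislabelled:<path>:<type>" for the first
# path whose label would make sshd's authorized_keys lookup fail; read-only
check_home() {
    home="$1"
    for entry in "$home:$HOME_DIR_TYPE" "$home/.ssh:$SSH_TYPE" \
                 "$home/.ssh/authorized_keys:$SSH_TYPE"; do
        path="${entry%:*}"
        want="${entry##*:}"
        ctx="$(current_context "$path")"
        if [ -n "$ctx" ] && ! label_ok "$ctx" "$want"; then
            printf 'mislabelled:%s:%s\n' "$path" "$(selinux_type "$ctx")"
            return 1
        fi
    done
    echo ok
}

# Stand-alone use: `sh relabel-check.sh --run` on the affected instance shows
# the mismatched types from the sample denial, reports the first wrong label
# under /git1, and prints the commands to run as root.
if [ "${1:-}" = "--run" ]; then
    echo "AVC source type: $(avc_source_type "$SAMPLE_AVC"), target type: $(avc_target_type "$SAMPLE_AVC")"
    check_home /git1 || remediation /home/ec2-user /git1
fi
```

The check deliberately looks at the directory, .ssh and authorized_keys separately: chcon on the directory alone is not enough if .ssh was created before the relabel, which is why the comment tells you to recreate .ssh afterwards, and the semanage equivalence is what survives a package update or a full relabel.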