View Issue Details

ID: 0000297
Project: AlmaLinux-9
Category: General
View Status: public
Last Update: 2022-12-09 23:19
Reporter: spwz
Assigned To: elkhan
Priority: high
Severity: major
Reproducibility: always
Status: assigned
Resolution: open
Platform: x86_64 on AWS
OS: almalinux
OS Version: 9.0
Summary: 0000297: AlmaLinux OS 9 (x86_64) on AWS doesn't support ssh access to user with customized home directory

Description: Tested images in ap-southeast-2 (AMI ID: ami-093bbccf3fc2c0bd9) and eu-central-1 (AMI ID: ami-0826456de815d0e9e). AMI name: AlmaLinux OS 9.0.20220715 x86_64-3c74c2ba-21a2-4dc1-a65d-fd0ee7d79900

AlmaLinux OS 9 (x86_64) on AWS doesn't support ssh access with keys to a user with a customized home directory other than the default /home/<username>.

The client side reports the error: "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)."
Steps To Reproduce: Operations:
1. Logged in as ec2-user and "sudo su" to root.
2. Created a user with "useradd git1 -d /git1".
3. "su - git1".
4. Created the .ssh folder and an authorized_keys file copied from /home/ec2-user/.ssh/authorized_keys (the pub key here should be valid, as it is for ec2-user as well).
5. Unable to use the matching private key to ssh as user git1.
6. Switching off SELinux doesn't work either. The authorized_keys file has access rights 600, the same as for ec2-user.

Note:
1. The same operation is OK on an AlmaLinux 8.6 EC2 instance in AWS.
2. Using another user name has the same result.
Tags: No tags attached.

Activities

elkhan

2022-12-09 23:19

developer   ~0000762

Hi spwz,

It's an upstream behavior, not AlmaLinux OS specific, which is present in RHEL 9.1 too.

But I can propose some steps for you:

1. Get the SELinux audit log:
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent

As we can see from the output, the source (the sshd process) and the target (/git1/.ssh/authorized_keys) do not share the same SELinux labels:

scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:default_t:s0

Since you created the git1 user's home outside /home, unlike /home/ec2-user, they have different SELinux labels.


Therefore we need to change the SELinux type of the /git1 directory from "system_u:object_r:default_t" to "unconfined_u:object_r:user_home_dir_t" recursively:

First, we need to change it temporarily to find out whether it works:

Use the ec2-user's home directory as a reference:

chcon -R --reference=/home/ec2-user/ /git1/

Delete the .ssh directory, recreate it, and put the key in .ssh/authorized_keys; the new .ssh directory and authorized_keys will be labeled correctly this time.

Permanently:
To make sure the new label will be changed neither by the package manager nor during a relabeling of the file system.

Use the ec2-user's home directory as a reference again:

semanage fcontext -a -e /home/ec2-user /git1

restorecon -Rv /git1

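The procedure in the note above (diagnose the AVC from ausearch, confirm the label mismatch, then make /git1 equivalent to /home/ec2-user with semanage and restorecon) as one added shell script. This is an example written for this page, not code from the reporter, from elkhan or from AlmaLinux. It assumes the paths /git1 and /home/ec2-user from the report; the AVC record it parses is constructed to match the scontext/tcontext quoted in the note, and the function names (ctx_type, avc_is_mislabeled_home, labels_match, check_live, apply_fix) are my own. The live and apply paths need root and the SELinux tools; the parsing and comparison run anywhere.

```shell
#!/bin/sh
# Added example (not part of the bug report or of AlmaLinux): detect the
# "sshd_t denied on default_t" symptom from an AVC record, compare the
# SELinux type of a custom home against a reference home, and apply the
# permanent fix from the note above (semanage equivalence + restorecon).
# Paths below are assumptions taken from the report; override via env.

REFERENCE_HOME=${REFERENCE_HOME:-/home/ec2-user}
CUSTOM_HOME=${CUSTOM_HOME:-/git1}

# The third colon-separated field of an SELinux context is the type
# (user:role:type:level), e.g. "default_t" or "user_home_dir_t".
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Pull scontext/tcontext out of one AVC record (the shape
# `ausearch -m AVC -ts recent` prints) and return 0 only when it is
# sshd being denied on a default_t object, i.e. the symptom in this report.
avc_is_mislabeled_home() {
    s=$(printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    t=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    [ "$(ctx_type "$s")" = "sshd_t" ] && [ "$(ctx_type "$t")" = "default_t" ]
}

# Compare the types of two contexts (as printed by `ls -Zd` or `stat -c %C`).
# Returns 0 when they match, 1 when a relabel is needed.
labels_match() {
    [ "$(ctx_type "$1")" = "$(ctx_type "$2")" ]
}

# Live check on a real system: does CUSTOM_HOME carry the reference's type?
check_live() {
    ref=$(stat -c %C "$REFERENCE_HOME") || return 2
    cur=$(stat -c %C "$CUSTOM_HOME") || return 2
    labels_match "$ref" "$cur"
}

# Temporary fix from the note: copy the reference labels onto the tree.
# Survives neither a full relabel nor restorecon; use apply_fix for that.
chcon_temp() {
    chcon -R --reference="$REFERENCE_HOME" "$CUSTOM_HOME"
}

# Permanent fix: record CUSTOM_HOME as path-equivalent to REFERENCE_HOME in
# the local fcontext database, then relabel from policy. Requires root and
# semanage (policycoreutils-python-utils on EL9).
apply_fix() {
    if [ "$(id -u)" -ne 0 ] || ! command -v semanage >/dev/null 2>&1; then
        echo "apply_fix: needs root and semanage (policycoreutils-python-utils)" >&2
        return 2
    fi
    semanage fcontext -a -e "$REFERENCE_HOME" "$CUSTOM_HOME" \
        && restorecon -Rv "$CUSTOM_HOME"
}

# Constructed sample AVC line matching the contexts quoted in the note above.
SAMPLE_AVC='type=AVC msg=audit(1670000000.000:100): avc:  denied  { read } for  pid=1000 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'

case "${1:-}" in
    --check) check_live && echo "labels match" || echo "relabel needed" ;;
    --temp)  chcon_temp ;;
    --apply) apply_fix ;;
    *)
        if avc_is_mislabeled_home "$SAMPLE_AVC"; then
            echo "sample AVC: sshd denied on default_t; relabel $CUSTOM_HOME like $REFERENCE_HOME"
        fi
        ;;
esac
```

After `--apply`, confirm with `ls -Zd /git1 /git1/.ssh /git1/.ssh/authorized_keys`: the directory should show user_home_dir_t and the key file ssh_home_t, and `ausearch -m AVC -ts recent` should stop producing sshd_t/default_t denials on the next login attempt. The `--temp` path (chcon) is only for proving the diagnosis, as the note says; without the semanage equivalence a later `restorecon` or relabel puts default_t back.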
Issue History

Date Modified Username Field Change
2022-08-31 11:52 spwz New Issue
2022-09-27 12:36 elkhan Assigned To => elkhan
2022-09-27 12:36 elkhan Status new => assigned
2022-12-09 23:19 elkhan Note Added: 0000762