Re: ssh by user amandabackup [SOLVED]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, 2011-01-02 at 09:45 -0500, Matthew Saltzman wrote: 
> On Sun, 2011-01-02 at 00:14 -0800, Gordon Messmer wrote: 
> > On 01/01/2011 05:14 PM, Matthew Saltzman wrote:
> > >
> > > ssh with keys by a normal user works fine.  No error messages to be
> > > found in /var/log/secure on the client or with ssh -v on the server.
> > 
> > Does the output from "ssh -v" indicate that the correct key file is 
> > being offered?
> > 
> 
> Yes.  The relevant lines from ssh -v are
> 
>         debug1: Next authentication method: publickey
>         debug1: Offering public key: /var/lib/amanda/.ssh/id_rsa
>         debug1: Authentications that can continue:
>         publickey,gssapi-keyex,gssapi-with-mic,password
>         debug1: Trying private key: /var/lib/amanda/.ssh/id_dsa
>         debug1: Next authentication method: password
>         amandabackup@client's password: 
> 
> So the key is being offered, but there is no acknowledgment from the
> client and no indication of any problem in the client's /var/log/secure.
> 
> Aha! In /var/log/messages, on the other hand, this happens:
> 
>         Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
>         Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
> 
> The full SELinux message is
> 
>         $ sudo sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
>         SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda.
>         
>         *****  Plugin catchall (100. confidence) suggests  ***************************
>         
>         If you believe that sshd should be allowed search access on the amanda directory by default.
>         Then you should report this as a bug.
>         You can generate a local policy module to allow this access.
>         Do allow this access for now by executing:
>         # grep /usr/sbin/sshd /var/log/audit/audit.log | audit2allow -M mypol
>         # semodule -i mypol.pp
>         
> So I will file the bug.

https://bugzilla.redhat.com/show_bug.cgi?id=666722

-- 
                Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux