Re: Q: respecting .ssh/id_rsa

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



chmod 0700 .ssh
chmod 0600 .ssh/* 

Keys can fail if you don't have that setup correctly. 
Also do:
grep sshd /var/log/audit/audit.log| audit2allow -m sshd
# Will let you see what modules it will create.
grep sshd /var/log/audit/audit.log| audit2allow -M sshd
# Creates the modules

semodule -I sshd.pp

grep ssh /var/log/audit/audit.log| audit2allow -m ssh
# Will let you see what modules it will create.
grep ssh /var/log/audit/audit.log| audit2allow -M ssh
# Creates the modules

semodule -I ssh.pp

sshd is the server; ssh is the client. 


Regards

Matthew M. Conley
Linux Administrator / IA
AECOM
Linux+, Security+, Network+, LPIC1, EMT, FF1



-----Original Message-----
From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Kirk Bocek
Sent: Friday, May 08, 2015 11:28 AM
To: CentOS mailing list
Subject: Re:  Q: respecting .ssh/id_rsa



On 5/8/2015 7:22 AM, Valeri Galtsev wrote:
> On Fri, May 8, 2015 8:58 am, James B. Byrne wrote:
>> While attempting to debug something else I ran across this:
>>
>> ssh -vvv somehost
>> . . .
>> debug1: Connection established.
>> debug1: permanently_set_uid: 0/0
>> debug1: identity file /root/.ssh/identity type -1
>> debug1: identity file /root/.ssh/identity-cert type -1
>> debug3: Not a RSA1 key file /root/.ssh/id_rsa.
>> debug2: key_type_from_name: unknown key type '-----BEGIN'
>> debug3: key_read: missing keytype
>> debug3: key_read: missing whitespace
>> . . .
>>
>> However if I verify the key I see this:
>>
>> ssh-keygen -l -f ~/.ssh/id_rsa.pub
>> 4096 08:70:3b:92:4c:96:1c:6a:03:a4:ae:66:8d:9e:6c:93
>> /root/.ssh/id_rsa.pub (RSA)
>>
>> Which seems ok to me. The permissions also seem ok:
>>
>> .ssh]# ll
>> total 40
>> -rw-------. 1 root root  3863 Oct 11  2012 authorized_keys 
>> -rw-------. 1 root root  3243 Aug  9  2012 id_rsa
>> -rw-r--r--. 1 root root   757 Aug  9  2012 id_rsa.pub
>> -rw-r--r--. 1 root root 11071 May  8 09:42 known_hosts
> When checking permissions don't forget to check permissions on parent 
> directories (all levels up to the /). E.g., if your home directory is 
> world writable, ssh will ignore authorized_keys as well, as the above 
> permissions _can_ be changed by everybody. The same is true if / is 
> ridiculously world writable (I've never seen that myself, but I do mean:
> check all levels of what the path ~/.ssh is).
>
> It's not clear from your description, but I'm sure you have the 
> following
> right: id_rsa and id_rsa.pub is a pair you have on local machine (the 
> one you ssh from). autorized_keys is on the remote machine (the one 
> you connect to), and it contains the contents of id_rsa.pub that you 
> have on local machine (i.e. you copied id_rsa.pub from local machine 
> to remote and dumped it into ~/.ssh/autorized_keys on it).
>
> I would also check that in sshd config file (usually:
> /etc/ssh/sshd_config) on remote machine you do have line
>
> PubkeyAuthentication yes
>
> Good luck!
>
> Valeri
>
>> The password-less connections complete in any case but I am perplexed 
>> as to what is the problem with the root identity key that ssh is 
>> reporting.
>>
>> Can anyone explain to me what this means?
>>
>>

Also check that the selinux context on all files and directories are set to "ssh_home_t".

 From the home dir:

#chcon -R -t ssh_home_t .ssh

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux