Re: Q: respecting .ssh/id_rsa




True true. I was just trying to keep it simple. Most people I deal with, I don't have time to explain rules to.


-----Original Message-----
From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of James Hogarth
Sent: Saturday, May 09, 2015 1:47 AM
To: CentOS mailing list
Subject: Re:  Q: respecting .ssh/id_rsa

On 8 May 2015 20:41, "Conley, Matthew M CTR GXM" <matthew.m.conley1.ctr@xxxxxxxx> wrote:
>
> chmod 0700 .ssh
> chmod 0600 .ssh/*
>
> Keys can fail if you don't have that setup correctly.
> Also do:
> grep sshd /var/log/audit/audit.log | audit2allow -m sshd # Will let you see what modules it will create.
> grep sshd /var/log/audit/audit.log | audit2allow -M sshd # Creates the modules
>
> semodule -i sshd.pp
>
> grep ssh /var/log/audit/audit.log | audit2allow -m ssh # Will let you see what modules it will create.
> grep ssh /var/log/audit/audit.log | audit2allow -M ssh # Creates the modules
>
> semodule -i ssh.pp
>
> sshd is the server; ssh is the client.
>
>

<cleveland>No no no no nooooo </Cleveland>

Blindly running audit2allow and creating modules weakens your security rather than enhancing it.

If you have not messed up your labeling then SSH will have no problem reading keys - SSH keys are fully supported under the policy shipped with CentOS.

If you are mounting your home elsewhere do:

semanage fcontext -a -e /home /mynewspecialhome

restorecon -Rv /mynewspecialhome

That will fix any selinux labelling issues of your home directories properly.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
