[CentOS] SELinux context for ssh host keys?

James B. Byrne

byrnejb at harte-lyne.ca
Mon Feb 9 17:14:45 UTC 2015


I generated a new host key for one of our systems using:


ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key_4096

I then ran 'ls -Z' on the keys:


ll -Z *key*
-rw-------. root root system_u:object_r:sshd_key_t:s0  ssh_host_dsa_key
-rw-r--r--. root root system_u:object_r:sshd_key_t:s0  ssh_host_dsa_key.pub
-rw-------. root root system_u:object_r:sshd_key_t:s0  ssh_host_key
-rw-r--r--. root root system_u:object_r:sshd_key_t:s0  ssh_host_key.pub
-rw-------. root root system_u:object_r:sshd_key_t:s0  ssh_host_rsa_key
-rw-------. root root unconfined_u:object_r:sshd_key_t:s0 ssh_host_rsa_key_4096
-rw-r--r--. root root unconfined_u:object_r:sshd_key_t:s0 ssh_host_rsa_key_4096.pub
-rw-r--r--. root root system_u:object_r:sshd_key_t:s0  ssh_host_rsa_key.pub

It seems odd, to me, that all the other files had a system_u user
while the new ones had unconfined_u.  So, I decided to run restorecon -v
to presumably set the SELinux user correctly for the new keys.  But that
is not what happened:

restorecon -v *

restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
restorecon reset /etc/ssh/ssh_host_rsa_key_4096.pub context unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0

As you can see, not only did the user not get set to system_u but the
type was changed to etc_t.

Why were the new key files changed from sshd_key_t types to the
generic etc_t types?  Why was the user not changed in either case from
unconfined_u to system_u or vice versa?

There is no REQUIREMENT that a host key have a particular file name is
there?  The sshd_config provides for setting one explicitly and doing
so seems to cause no problems with ssh connections that I have yet
encountered.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
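Added example, not part of James's post or of any CentOS/SELinux tool: a small Python model of how restorecon chooses a label from file_contexts(5) entries and what it does to the SELinux user field. The file_contexts fragment is constructed; the two ssh_host patterns follow the shape of the reference policy's ssh module, and the authoritative rules on a CentOS host live in /etc/selinux/targeted/contexts/files/file_contexts. Precedence between several matching entries is simplified here to "longest literal prefix wins"; libselinux's real ordering is more involved, but for the paths in the post both give the same answer. The point that matters for a host key: sshd_key_t is a dedicated type that only a few domains (sshd, ssh-keygen) may read, whereas etc_t is readable by nearly every confined domain, so a private key that falls through to the generic /etc/.* rule keeps only its DAC mode bits for protection.

```python
import re

# Constructed file_contexts(5) fragment (not copied from any real policy).
# Fields: regex, optional file-type flag ("--" = regular file), context.
# Regexes are implicitly anchored at both ends, as libselinux does.
FILE_CONTEXTS = r"""
/etc/.*                           system_u:object_r:etc_t:s0
/etc/ssh/ssh_host.*_key       --  system_u:object_r:sshd_key_t:s0
/etc/ssh/ssh_host.*_key\.pub  --  system_u:object_r:sshd_key_t:s0
"""

_META = re.compile(r"[.^$?*+|\[\](){}\\]")


def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, ftype, context, stem_len)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, ftype, context = fields
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None  # applies to any file type
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        # "stem": the literal prefix before the first regex metacharacter.
        # Used as a simplified specificity measure (assumption, see lead-in).
        stem = _META.split(pattern, maxsplit=1)[0]
        specs.append((re.compile("^" + pattern + "$"), ftype, context, len(stem)))
    return specs


def default_context(path, specs):
    """Return the policy's default context for `path`, or None if no rule matches.

    Among matching entries the longest stem wins; ties go to the later entry.
    The file-type flag is ignored here (all sample paths are regular files).
    """
    best = None
    for regex, _ftype, context, stem_len in specs:
        if regex.match(path) and (best is None or stem_len >= best[1]):
            best = (context, stem_len)
    return best[0] if best else None


def restorecon(current, path, specs, force=False):
    """Emulate restorecon on one file.

    Without -F only the type field is reset; with -F (force) the whole
    user:role:type:range is replaced, per restorecon(8).
    """
    target = default_context(path, specs)
    if target is None:
        return current
    if force:
        return target
    cur = current.split(":")
    cur[2] = target.split(":")[2]  # replace the type, keep user/role/range
    return ":".join(cur)


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    # The files and starting contexts from the post's ls -Z output.
    for name, cur in [
        ("ssh_host_rsa_key", "system_u:object_r:sshd_key_t:s0"),
        ("ssh_host_rsa_key.pub", "system_u:object_r:sshd_key_t:s0"),
        ("ssh_host_rsa_key_4096", "unconfined_u:object_r:sshd_key_t:s0"),
        ("ssh_host_rsa_key_4096.pub", "unconfined_u:object_r:sshd_key_t:s0"),
    ]:
        path = "/etc/ssh/" + name
        print(f"{path}: {cur} -> {restorecon(cur, path, specs)}")
        print(f"{path}: with -F -> {restorecon(cur, path, specs, force=True)}")
```

Running it reproduces the two `restorecon -v` lines in the post: `ssh_host_rsa_key_4096` ends in `_4096`, so it matches neither `ssh_host.*_key` pattern and falls through to `/etc/.*` (etc_t), while `ssh_host_rsa_key` still matches the sshd_key_t rule. The user stays `unconfined_u` because restorecon only touches the type unless `-F` is given. On a real host, `matchpathcon /etc/ssh/ssh_host_rsa_key_4096` shows the same decision, and the supported way to keep a non-standard key name labelled sshd_key_t is a local rule, e.g. `semanage fcontext -a -t sshd_key_t '/etc/ssh/ssh_host_rsa_key_4096(\.pub)?'` followed by `restorecon -v /etc/ssh/ssh_host_rsa_key_4096*`.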
