[CentOS] Q: respecting .ssh/id_rsa

Mon May 11 13:22:20 UTC 2015
Conley, Matthew M CTR GXM <matthew.m.conley1.ctr at navy.mil>

True true. I was just trying to keep it simple. Most people I deal with, I don't have time to explain rules. 

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of James Hogarth
Sent: Saturday, May 09, 2015 1:47 AM
To: CentOS mailing list
Subject: Re: [CentOS] Q: respecting .ssh/id_rsa

On 8 May 2015 20:41, "Conley, Matthew M CTR GXM" < matthew.m.conley1.ctr at navy.mil> wrote:
> chmod 0700 .ssh
> chmod 0600 .ssh/*
> Keys can fail if you don't have that setup correctly.
> Also do:
> grep sshd /var/log/audit/audit.log | audit2allow -m sshd  # Will let you see what modules it will create.
> grep sshd /var/log/audit/audit.log | audit2allow -M sshd  # Creates the modules
> semodule -i sshd.pp
> grep ssh /var/log/audit/audit.log | audit2allow -m ssh  # Will let you see what modules it will create.
> grep ssh /var/log/audit/audit.log | audit2allow -M ssh  # Creates the modules
> semodule -i ssh.pp
> sshd is the server; ssh is the client.

<cleveland>No no no no nooooo </Cleveland>

Blindly running audit2allow and creating modules weakens your security, not enhances it.

If you have not messed up your labeling then SSH will have no problem reading keys - SSH keys are fully supported under the policy shipped with CentOS.

If you are mounting your home elsewhere do:

semanage fcontext -a -e /home /mynewspecialhome

restorecon -Rv /mynewspecialhome

That will fix any SELinux labelling issues of your home directories properly.
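
The labelling point above can be checked from the audit log before anyone runs audit2allow: a denial whose target file carries a catch-all type points to a missing or wrong file context, not to missing policy. The script below is an added example, not part of the original thread; the function names, the list of catch-all types and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage sshd AVC denials before reaching for audit2allow.
# Assumption: a target type listed in MISLABEL_TYPES means the file never got
# a proper label (no matching fcontext rule), so the fix is relabelling.
MISLABEL_TYPES="default_t unlabeled_t file_t"

# Reads audit.log lines on stdin; prints "<verdict> <name> <target_type>"
# for every denial whose source domain is sshd_t.
triage_sshd_avc() {
    awk -v bad="$MISLABEL_TYPES" '
    BEGIN { n = split(bad, t, " "); for (i = 1; i <= n; i++) mis[t[i]] = 1 }
    /type=AVC/ && /denied/ && /scontext=[^ ]*:sshd_t:/ {
        name = "?"; ttype = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/) { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
            # tcontext is user:role:type:level, so the type is the third field
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        }
        verdict = (ttype in mis) ? "RELABEL" : "REVIEW"
        print verdict, name, ttype
    }'
}

# Constructed sample lines (not taken from a real system).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1431350000.101:201): avc:  denied  { read } for  pid=2101 comm="sshd" name="authorized_keys" dev="dm-2" ino=131 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1431350000.202:202): avc:  denied  { name_bind } for  pid=2102 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1431350000.303:203): avc:  denied  { getattr } for  pid=2103 comm="httpd" name="index.html" dev="dm-2" ino=140 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
EOF
}

sample_log | triage_sshd_avc
```

On a real host, pipe `grep sshd /var/log/audit/audit.log` into `triage_sshd_avc`. RELABEL lines call for the `semanage fcontext` and `restorecon` fix; REVIEW lines need to be read and understood before any module is built.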