ssh publickey passwordless doesn't work with Fedora 7, 8

qianglu · #1 13th November 2007, 11:40 PM

Sorry for using a big title. I can set up the passwordless publickey
ssh on Fedora 4. But cannot on Fedora 7 and 8.

The routine method describe as follows:

local:
ssh-keygen -t dsa
and enter no password to generate id_dsa and id_dsa.pub
cat the id_dsa.pub to the server's authorized_keys
chmod 400 id_dsa id_dsa.pub locally
chmod 600 authorized_keys on the server
The .ssh directory has mode 700

The sshd_config is the same as the one on Fedora 4 server which can access the
passwordless publickey login. Also tried many different options in sshd_config.

did /etc/init.d/sshd restart

The ssh -vvv server gives

debug1: Next authentication method: publickey
debug1: Trying private key: /Users/qianglu/.ssh/identity
debug3: no such identity: /Users/qianglu/.ssh/identity
debug1: Trying private key: /Users/qianglu/.ssh/id_rsa
debug3: no such identity: /Users/qianglu/.ssh/id_rsa
debug1: Offering public key: /Users/qianglu/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password

No response in /var/log/messages

Just wonder does it have anything to do with the LDAP authentication.

Any help would be appreciated.

cicatrix1 · #2 14th November 2007, 01:23 AM

I had it working fine in FC7. I recently upgraded it to 8 and haven't put my backups back in place, however. I'll let you know how it looks in 8. I remember just following standard guides to get it to work in 7. The only thing I see as different is that my authorized_keys file is under my users ~/.ssh directory.

zilch321 · #3 14th November 2007, 03:09 AM

name the file .ssh/authorized_keys2. See if that fixes it.

zilch321 · #4 14th November 2007, 03:15 AM

Also, look in /var/log/security. You'll have better luck with auth issues searching that log.

icydog · #5 14th November 2007, 04:16 AM

It seems like your client is working properly, but the server isn't accepting the key for some reason. Can you post sshd_config?

qianglu · #6 14th November 2007, 04:30 AM

Thank you so much for so many quick replies.

The uncommented sshd_config options are as follows:

SyslogFacility AUTHPRIV
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
########################################

Tried .ssh/authorized_keys2, didn't work.
The authorized_keys was in ~/.ssh

The server doesn't have /var/log/security but it has /var/log/secure
which has no change just after ssh from client before typing password.

icydog · #7 14th November 2007, 07:20 AM

That's weird... I have the same options set on F8 and it works fine. Does /var/log/messages have anything about SELinux?

qianglu · #8 14th November 2007, 05:23 PM

Thanks for icydog, I found the reason. Once I switch SELinux to permissive,
I can ssh without password. But got the following SELinux message.
After I switch SELinux back to enforced, I cannot ssh without password.

So the problem become how to label the file system.

Summary
SELinux is preventing access to files with the label, file_t.

Detailed Description
SELinux permission checks on files labeled file_t are being denied. file_t
is the context the SELinux kernel gives to files that do not have a label.
This indicates a serious labeling problem. No files on an SELinux box should
ever be labeled file_t. If you have just added a new disk drive to the
system you can relabel it using the restorecon command. Otherwise you
should relabel the entire files system.

Allowing Access
You can execute the following command as root to relabel your computer
system: "touch /.autorelabel; reboot"

Additional Information

Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context system_u:object_r:file_t:s0
Target Objects None [ dir ]
Affected RPM Packages openssh-server-4.7p1-2.fc8 [application]
Policy RPM selinux-policy-3.0.8-47.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.file
Host Name dh051-116.chem.sunysb.edu
Platform Linux dh051-116.chem.sunysb.edu 2.6.23.1-49.fc8 #1
SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count 11
First Seen Tue 13 Nov 2007 10:24:28 AM EST
Last Seen Wed 14 Nov 2007 11:57:42 AM EST
Local ID 07d92b16-7ef5-4544-b32f-4edbfaf02ff4
Line Numbers

Raw Audit Messages

avc: denied { search } for comm=sshd dev=dm-0 egid=500 euid=500
exe=/usr/sbin/sshd exit=-2 fsgid=500 fsuid=500 gid=0 items=0 name=.ssh pid=2910
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:file_t:s0 tty=(none) uid=0

icydog · #9 15th November 2007, 04:45 PM

I think doing "touch /.autorelabel; reboot" will fix the problem. It seems like maybe the root is labeled incorrectly or something?

qianglu · #10 15th November 2007, 04:50 PM

After relabel the file system, the problem was gone. Now the ssh login normally.
Thanks for the help.