If you have ever added your SSH key to an authorized_keys file on a server running SELinux, but for some reason you still can't connect with your key, it may be because the SELinux contexts have not been set correctly on the .ssh folder and the authorized_keys file. This normally causes the following error on your SSH client:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
And you may see a denial like this in the audit log (/var/log/audit/audit.log) on the server:
type=AVC msg=audit(1358012203.073:43414): avc: denied { read } for pid=5945 comm="sshd" name="authorized_keys" dev=dm-1 ino=25583 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
The way to fix this is to run…
restorecon -R -v /root/.ssh
… substituting /root/ if necessary for the relevant home dir.
How to set up SSH public key authentication with SELinux enabled
The full steps to set up an authorized_keys file from scratch would therefore be:
1) Create the .ssh folder
mkdir -p /root/.ssh
chmod 755 /root/.ssh/
2) Set up the authorized_keys file (remember to paste in the relevant key in vim)
vim /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
3) Fix the SELinux file contexts
restorecon -R -v /root/.ssh
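As an added example (not part of the original post), the helpers below wrap the three steps above and also read an AVC denial to confirm that a mislabelled ~/.ssh is what is blocking sshd. The audit line is constructed, modelled on the one shown earlier; ssh_home_t is the label the targeted policy expects under ~/.ssh, which is what restorecon puts back.

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers:
#  1. decide from an AVC denial whether sshd hit a mislabelled ~/.ssh
#  2. create ~/.ssh/authorized_keys as in the steps above, then relabel it
# Constructed sample line, modelled on the denial in the post.
SAMPLE_AVC='type=AVC msg=audit(1358012203.073:43414): avc: denied { read } for pid=5945 comm="sshd" name="authorized_keys" dev=dm-1 ino=25583 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=value in the line, quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"*\([^\" ]*\)\"*.*/\1/p"
}

# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# ssh_key_mislabelled LINE -> 0 (and prints the fix) when sshd was denied a
# file that does not carry ssh_home_t, the label expected under ~/.ssh; else 1
ssh_key_mislabelled() {
    [ "$(ctx_type "$(avc_field "$1" scontext)")" = sshd_t ] || return 1
    t=$(ctx_type "$(avc_field "$1" tcontext)")
    [ "$t" != ssh_home_t ] || return 1
    echo "$(avc_field "$1" name) is $t, expected ssh_home_t: run restorecon -R -v <home>/.ssh"
}

# setup_authorized_keys HOME_DIR PUBKEY -> steps 1-3 of the post in one go.
# Uses 700 on .ssh (the post uses 755; sshd's StrictModes accepts either and
# only rejects group/world-writable paths). restorecon is skipped when it is
# not installed, e.g. on a machine without SELinux.
setup_authorized_keys() {
    hdir=$1; key=$2
    mkdir -p "$hdir/.ssh" && chmod 700 "$hdir/.ssh" || return 1
    printf '%s\n' "$key" >> "$hdir/.ssh/authorized_keys" || return 1
    chmod 600 "$hdir/.ssh/authorized_keys" || return 1
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R -v "$hdir/.ssh"
    fi
}

# mode_is PATH OCTAL -> 0 when PATH has exactly that mode (POSIX find only)
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2")" ]
}
```

On an SELinux host, `ls -Z ~/.ssh` after running setup_authorized_keys should show ssh_home_t on the folder and the key file.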
Great article Paul. Just one thing I would say is that when you say
“… substituting root if necessary for the relevant username.”
I think you mean 'relevant home dir' as most non-root users will have a home dir like /home/ben and not /ben. 🙂
Thanks Ben – I’ve updated the post to fix this 🙂
Thank you for posting this.
You’re welcome 🙂
Thanks for the how-to.