
Comments (4)

jbernard commented on July 19, 2024

I am not sure this is accurate: the configuration you describe as not being supported doesn't make sense theoretically, and works without problem here. If you can provide additional information from your failed ssh session with -v, perhaps we can sort out what's going wrong.

from dotfiles.

superjamie commented on July 19, 2024

The client just gets a pubkey denial.

The failure is because the sshd gets an SELinux denial when reading the symlink:

kernel: [348559.065610] audit: type=1400 audit(1414066264.747:21819): avc:  denied  { read } for  pid=12588 comm="sshd" name=".ssh" dev="dm-1" ino=16777244 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=lnk_file permissive=0
kernel: audit: type=1400 audit(1414066264.747:21819): avc:  denied  { read } for  pid=12588 comm="sshd" name=".ssh" dev="dm-1" ino=16777244 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=lnk_file permissive=0

The sshd's debug logs confirm this:

sshd[18683]: debug1: trying public key file /home/superjamie/.ssh/authorized_keys
sshd[18683]: debug1: Could not open authorized keys '/home/superjamie/.ssh/authorized_keys': Permission denied

After symlinking, the files end up with a user_home_t security context:

$ ls -alZ .ssh
lrwxrwxrwx. superjamie superjamie unconfined_u:object_r:ssh_home_t:s0 .ssh -> /home/superjamie/Dropbox/dotfiles/ssh

$ ls -alZ .ssh/
drwx------. superjamie superjamie unconfined_u:object_r:user_home_t:s0 .
drwx------. superjamie superjamie unconfined_u:object_r:file_t:s0  ..
-rw-------. superjamie superjamie unconfined_u:object_r:user_home_t:s0 authorized_keys
-rw-------. superjamie superjamie unconfined_u:object_r:user_home_t:s0 config
-rw-------. superjamie superjamie unconfined_u:object_r:user_home_t:s0 id_rsa
-rw-------. superjamie superjamie unconfined_u:object_r:user_home_t:s0 id_rsa.pub
-rw-------. superjamie superjamie unconfined_u:object_r:user_home_t:s0 known_hosts

$ ssh localhost "echo hello"
Permission denied (publickey).

However, changing them to ssh_home_t does not fix it:

$ chcon -Rv -t ssh_home_t .ssh/
changing security context of ‘.ssh/config’
changing security context of ‘.ssh/known_hosts’
changing security context of ‘.ssh/authorized_keys’
changing security context of ‘.ssh/id_rsa.pub’
changing security context of ‘.ssh/id_rsa’
changing security context of ‘.ssh/’

$ ls -alZ .ssh/
drwx------. superjamie superjamie unconfined_u:object_r:ssh_home_t:s0 .
drwx------. superjamie superjamie unconfined_u:object_r:file_t:s0  ..
-rw-------. superjamie superjamie unconfined_u:object_r:ssh_home_t:s0 authorized_keys
-rw-------. superjamie superjamie unconfined_u:object_r:ssh_home_t:s0 config
-rw-------. superjamie superjamie unconfined_u:object_r:ssh_home_t:s0 id_rsa
-rw-------. superjamie superjamie unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub
-rw-------. superjamie superjamie unconfined_u:object_r:ssh_home_t:s0 known_hosts

$ ssh localhost "echo hello"
Permission denied (publickey).

If I remove the absolute symlink created by dotfiles, and change this to a relative symlink, it works:

$ rm .ssh

$ ln -s Dropbox/dotfiles-home/ssh .ssh

$ ls -alZ .ssh
lrwxrwxrwx. superjamie superjamie unconfined_u:object_r:file_t:s0  .ssh -> Dropbox/dotfiles-home/ssh

$ restorecon -Rv .ssh
restorecon reset /home/superjamie/.ssh context unconfined_u:object_r:file_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /home/superjamie/Dropbox/dotfiles/ssh context unconfined_u:object_r:ssh_home_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/superjamie/Dropbox/dotfiles/ssh/config context unconfined_u:object_r:ssh_home_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/superjamie/Dropbox/dotfiles/ssh/known_hosts context unconfined_u:object_r:ssh_home_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/superjamie/Dropbox/dotfiles/ssh/authorized_keys context unconfined_u:object_r:ssh_home_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/superjamie/Dropbox/dotfiles/ssh/id_rsa.pub context unconfined_u:object_r:ssh_home_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/superjamie/Dropbox/dotfiles/ssh/id_rsa context unconfined_u:object_r:ssh_home_t:s0->unconfined_u:object_r:user_home_t:s0

$ ssh localhost "echo hello"
hello

I guess this is because sshd gets a denied read to /home (which is file_t) when it tries to resolve the absolute symlink? I'm not really sure though, and I've just observed that a relative symlink can fix it.

Edit: Actually leave this with me, I'll ask around at work and see if I can resolve it with SELinux instead.


jbernard commented on July 19, 2024

Very interesting. I should have learned by now, when something makes no sense at all, to consider SELinux; this happens surprisingly often. Thanks for the analysis, and let me know if you discover a solution. Relative symlinks shouldn't be particularly difficult to support - if I can find a reasonable amount of time to hack on it. Another benefit is that it allows $HOME to be mounted in an unexpected location without breaking all of the symlinks.


superjamie commented on July 19, 2024

I figured this out, it was my fault.

/home had file_t and not home_root_t.

An absolute symlink works fine now, this Issue can be ignored.

Thanks for your quick response all the same, and many thanks for dotfiles!

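As an added example (not code from the dotfiles project or from either poster), a small POSIX sh script that parses kernel AVC denial lines like the one quoted above and flags the pattern behind this issue: sshd_t denied on an object of type file_t, which means the path carries no policy-assigned label (here /home was file_t instead of home_root_t). The log text is constructed from the thread's own denial; the second line is invented to show the permissive branch.

```shell
# Added example, not code from the dotfiles project or the posters above.
# Parses AVC denial lines and flags sshd_t denied on a file_t object: a path
# whose label was never set per policy. In this thread the cause was /home being
# file_t rather than home_root_t; the fix observed was restorecon / correct labels.
# Sample text is constructed from the thread's denial; line 2 (permissive=1) is invented.
AVC_SAMPLE='kernel: audit: type=1400 audit(1414066264.747:21819): avc:  denied  { read } for  pid=12588 comm="sshd" name=".ssh" dev="dm-1" ino=16777244 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=lnk_file permissive=0
kernel: audit: type=1400 audit(1414066300.000:21820): avc:  denied  { read } for  pid=12588 comm="sshd" name=".ssh" dev="dm-1" ino=16777244 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=lnk_file permissive=1'

# avc_field LINE KEY: print the value of KEY=... with surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT: the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE: "permissive" (logged, not enforced), "mislabeled"
# (sshd_t denied on a file_t object: run restorecon on the path and check
# that /home is home_root_t), or "other" for any unrelated denial
classify_avc() {
    if [ "$(avc_field "$1" permissive)" = 1 ]; then
        echo permissive
        return
    fi
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ "$stype" = sshd_t ] && [ "$ttype" = file_t ]; then
        echo mislabeled
    else
        echo other
    fi
}

# count_mislabeled TEXT: number of enforced mislabel denials in a log excerpt
count_mislabeled() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify_avc "$line")" = mislabeled ]; then
            n=$((n + 1))
        fi
    done <<EOF
$1
EOF
    echo "$n"
}
```

Feed it `journalctl -k` or `dmesg` output and a non-zero count points at a labelling problem rather than an sshd configuration one.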
