Monday, June 25, 2012
Getting bitten by SELinux and sshd authorized_keys
TL;DR: If you can't ssh using a public key, it could be an SELinux thing.
Logging in to a server with ssh using your public key is pretty handy. While setting up an OEL 6 VM I ran into a strange error where sshd would not let me log in with a public key, even though my key was in ~oracle/.ssh/authorized_keys. Password logins worked just fine.
Somewhat puzzling: I could ssh into the root account using my public key and without a password.
Nine times out of ten, this is a permission problem. Sshd is picky about the permissions on your home directory, ~/.ssh, and the authorized_keys file. I carefully checked this over - but in this instance permissions were not the problem.
The standard advice to debug SSH problems is to run sshd in the foreground with debugging turned on:
service sshd stop
And of course my problem promptly disappeared. Hmmm, so it works in debug mode, but not when running as a daemon. It also works fine to ssh into the root account, but not ~oracle.
My initial google-fu skills were weak, but on a hunch I googled "sshd SELinux".
In my case disabling SELinux did the trick (not good for production, but acceptable for my purposes).
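Before turning SELinux off, it is worth seeing what it actually denied. The script below is an added example, not part of the original post: it pulls sshd denials out of audit records and flags files whose label is not ssh_home_t. Assumptions: the targeted policy, where the contents of ~/.ssh are expected to carry ssh_home_t; the function names and the sample audit records are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from the post's VM).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1340640000.123:456): avc:  denied  { read } for  pid=2345 comm="sshd" name="authorized_keys" dev=dm-0 ino=131234 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1340640001.001:457): avc:  denied  { write } for  pid=2400 comm="httpd" name="upload" dev=dm-0 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=USER_AUTH msg=audit(1340640002.000:458): user pid=2345 uid=0 auid=4294967295 msg='op=pubkey acct="oracle" exe="/usr/sbin/sshd" res=failed'
EOF
}

# Read audit records on stdin and print "<permission> <file name> <target type>"
# for every AVC denial charged to sshd (first permission in the braces only).
sshd_avc_denials() {
  awk '
    $1 == "type=AVC" && /denied/ && /comm="sshd"/ {
      perm = name = ttype = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") perm = $(i + 1)
        if ($i ~ /^name=/) { name = $i; gsub(/^name=|"/, "", name) }
        # tcontext is user:role:type:level, so the type is the third part
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
      }
      print perm, name, ttype
    }'
}

# Flag denied files that are not labelled ssh_home_t
# (assumption: targeted policy, which expects that type under ~/.ssh).
mislabelled_key_files() {
  sshd_avc_denials |
    awk '$3 != "ssh_home_t" { print $2 " is " $3 ", expected ssh_home_t" }'
}

# On the affected host, as root: show the mode, the labels and recent
# denials, then reset ~oracle/.ssh to the labels the policy defines.
live_check() {
  getenforce
  ls -dZ ~oracle ~oracle/.ssh ~oracle/.ssh/authorized_keys
  ausearch -m avc -ts recent | mislabelled_key_files
  restorecon -R -v ~oracle/.ssh
}

# Offline demonstration on the constructed records.
sample_audit_log | mislabelled_key_files
```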