Displaying 4 results from an estimated 4 matches for "ssh_host_rsa_key_4096".
2015 Feb 09
2
SELinux context for ssh host keys?
I generated a new host key for one of our systems using:
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key_4096
I then ran 'ls -Z' on the keys
ll -Z *key*
-rw-------. root root system_u:object_r:sshd_key_t:s0 ssh_host_dsa_key
-rw-r--r--. root root system_u:object_r:sshd_key_t:s0 ssh_host_dsa_key.pub
-rw-------. root root system_u:object_r:sshd_key_t:s0 ssh_host_key
-rw-r--r--. root root system_...
2015 Feb 09
0
SELinux context for ssh host keys?
On 02/09/2015 11:14 AM, James B. Byrne wrote:
> So, I decided to run restorecon -v to
> presumably set the SELinux user correctly for the new keys: But that
> is not what happened:
>
> restorecon -v *
>
> restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context
> unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
>
> restorecon reset /etc/ssh/ssh_host_rsa_key_4096.pub context
> unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
>
> As you can see, not only did the user not get set to system...
2015 Feb 10
1
SELinux context for ssh host keys?
> On Feb 9, 2015, at 12:27 PM, Robert Nichols <rnicholsNOSPAM at comcast.net> wrote:
>
> On 02/09/2015 11:14 AM, James B. Byrne wrote:
>> So, I decided to run restorecon -v to
>>
...
>> restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context
>> unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
>>
...
>> There is no REQUIREMENT that a host key have a particular file name is
>> there? The sshd_config provides for setting one explicitly and doing
>> so seems to cause no problems...
2015 Feb 10
2
SELinux context for ssh host keys?
...15, at 12:27 PM, Robert Nichols
>> <rnicholsNOSPAM at comcast.net>
>> wrote:
>> >
>> > On 02/09/2015 11:14 AM, James B. Byrne wrote:
>> >> So, I decided to run restorecon -v to
>> >>
>> ...
>> >> restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context
>> >> unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
>>
>
> Why are you putting your SSH key in /etc/ ?
>
> With SELinux it's normally better to go with the flow. Find out which
> directories have the desired label and keep your object...