I have an issue that drives me crazy... I have been trying to fix it for at least 2 hours now, and I have not been very successful.

Issue itself: I installed CentOS 7 (I don't know if it's a CentOS 7 specific behaviour) on a VM that is supposed to host our git and gitolite environment. I installed the required services and users. Everything is running fine and I'm able to connect via SSH with password and key-based authentication. All users have their home directory in /home/. Now, I would like to add a new user (git) with /srv/data/home/git (/srv is on a separate partition) as home directory and enable key-based authentication. Both partitions are ext4 formatted.

grep git /etc/passwd
git:x:1000:1000::/srv/data/home/git:/bin/bash

I installed gitolite and created the user according to the official documentation:

su - git 
mkdir -p ~/.ssh
chmod 700 ~/.ssh
mkdir gitclone-dir 
cd gitclone-dir
git clone git://github.com/sitaramc/gitolite
gitolite/install -ln ~/bin
gitolite setup -pk /srv/data/home/git/.ssh/git_admin.pub

Output of the gitolite setup command was:

Initialized empty Git repository in /srv/data/home/git/repositories/gitolite-admin.git/
Initialized empty Git repository in /srv/data/home/git/repositories/testing.git/
WARNING: /srv/data/home/git/.ssh/authorized_keys missing; creating a new one (this is normal on a brand new install)

The next step is a clone of the gitolite-admin repository, which fails every time:

marcel@mw-ws:~/Sources/juwimm_git/ayeq-benu$ git ls-remote git@192.168.10.35:gitolite-admin.git
git@192.168.10.35's password: 
X11 forwarding request failed on channel 0
fatal: 'gitolite-admin.git' does not appear to be a git repository
fatal: The remote end hung up unexpectedly

Please follow this link to see the whole debug3 log: http://pastebin.com/eiZSTu55

Most important lines:

Jul 18 17:45:40 bh-infra-s010 sshd[2739]: debug1: temporarily_use_uid: 1000/1000 (e=0/0)
Jul 18 17:45:40 bh-infra-s010 sshd[2739]: debug1: trying public key file /srv/data/home/git/.ssh/authorized_keys
Jul 18 17:45:40 bh-infra-s010 sshd[2739]: debug1: Could not open authorized keys '/srv/data/home/git/.ssh/authorized_keys': Permission denied

Now, I made some checks:

su - root 
cat /srv/data/home/git/.ssh/authorized_keys 
# the statement above works fine and I see the files content on the command line 
su - git
cat /srv/data/home/git/.ssh/authorized_keys 
# with the same result. It's working fine

I made some more tests. Find a summary of my test cases below:

- created a user with /home/testuser as home directory, repeated the steps for the .ssh directory and moved my pub key to it. Result: Working fine!
- created a user with /srv/testuser2 as home directory and did exactly the same as above. Result: Permission denied on the authorized_keys file
- created a new user with /home/testuserls as home dir and repeated the steps for the .ssh directory. Then I created a symlink from /home/testuser3 to /home/testuserls and modified /etc/passwd to set /home/testuser3 as home dir for this user. Result: works fine!
- created a new user with /srv/testuser4 as home dir, put in the .ssh folder and created a symlink from /home/testuser4 to /srv/testuser4 and modified /etc/passwd once again to map his home directory to /home/testuser4. Result: Permission denied

ls -l /srv/data/home/git/.ssh/

This gives me:

total 16
-rw-------. 1 git git 1108 Jul 18 16:28 authorized_keys
-rw-------. 1 git git 1679 Jul 18 13:31 id_rsa
-rw-------. 1 git git  399 Jul 18 13:31 id_rsa.pub

I don't have any idea why this happens or how to fix it. Is it CentOS 7 related? Am I blind or even stupid? Is this a new restriction in the ssh daemon in version openssh-server-6.4p1-8.el7.x86_64? I did not find any similar issue on Google or on this site and was not able to find any solution... Any help would be really appreciated!

UPDATE I: All partitions (except for swap, of course) are formatted as ext4. The respective lines from /etc/mtab are:

/dev/vda1 /boot ext4 rw,seclabel,relatime,data=ordered 0 0 
/dev/vda2 / ext4 rw,seclabel,relatime,data=ordered 0 0 
/dev/vdb1 /srv ext4 rw,seclabel,relatime,data=ordered 0 0 

I don't use any ACLs. Otherwise, they should be listed in the mount options in the lines above, right? UID 1000 is the UID of user git.

grep git /etc/passwd
git:x:1000:1000::/srv/data/home/git:/bin/bash

Let's check the permissions, beginning at /:

/srv: drwxr-xr-x. 10 root root 4096 Jul 18 16:48 srv 
/srv/data: drwxr-xr-x. 3 root root 4096 Jul 18 12:25 data 
/srv/data/home: drwxr-xr-x. 4 root root 4096 Jul 18 16:45 home 
/srv/data/home/git: drwx------. 7 git git 4096 Jul 18 15:30 git 
/srv/data/home/git/.ssh: drwxr-----. 2 git git 4096 Jul 18 16:40 .ssh 

UPDATE II - FIXED

It turned out that SELinux was enabled. The issue was fixed by running the following command on the .ssh folder:

chcon -R --type=ssh_home_t .ssh 
winem
  • What kind of file system is /srv on? Does it support ACL? Who is uid 1000? What are the permissions of all directories from root all the way down to the home directory? – alvits Jul 18 '14 at 19:22
  • @alvits Please take a look at the original post. I made an update to answer your questions. – winem Jul 18 '14 at 20:51
  • `selinux` seems to be enabled. Can you run `ls -Z /srv/data/home`? You should see `user_home_dir_t` in the context. If it isn't there, you have to set it. The parent directory should have `home_root_t`. – alvits Jul 18 '14 at 21:05
  • ls -Z says unconfined_u:object_r:var_t:s0 for /srv/data/home/git. So it looks like you're on the right track. Thank you so much for the tip with selinux. I never used this before. Unfortunately, hardened Linux kernels were not a topic at this company until now. It's one of the things I'd like to change. I will continue with the research on documentation about selinux. Can you tell me how to set the required user_home_dir_t? – winem Jul 18 '14 at 21:14
  • You can use `chcon` to set the context of a path (directories and files). You can also use `restorecon` to restore the context. The utility is used in the same manner you would use the `chmod`/`chown` utilities. – alvits Jul 18 '14 at 21:51
  • I would suggest you get the contexts from the working home directories and create a similar context in the new home directories `/srv/.../...`. This will ensure that you have the proper context. I should also point out that the .ssh directory and its files have the `ssh_home_t` context. – alvits Jul 18 '14 at 22:08
  • @alvits Thank you so much! It was fixed by `chcon -R --type=ssh_home_t .ssh` (.ssh in /srv/data/home/git). I'm so happy to know that this is fixed now. – winem Jul 18 '14 at 22:34
  • I'm just happy to have helped. :) – alvits Jul 18 '14 at 22:57
  • It works on CentOS 6.5 too. Thanks! – Ben Nov 11 '14 at 05:16
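The check and the persistent form of the fix that the comments above converge on, written out as an added example (not code from the post or from gitolite): a small sh script that compares the type in an `ls -Z` line against the types alvits names (home_root_t, user_home_dir_t, ssh_home_t) and prints the `semanage fcontext` / `restorecon` commands that survive a relabel, which a bare `chcon` does not. The sample context line is constructed to mirror what the asker reported for /srv/data/home/git.

```shell
#!/bin/sh
# Added example (not code from the original post): audit the SELinux type
# that `ls -Z` reports for a home directory tree and print the persistent
# fix. Roles and expected types follow the comments above: the directory
# holding homes should be home_root_t, the user's home user_home_dir_t,
# and .ssh plus its contents ssh_home_t.

# Expected SELinux type for a path, given its role in the home tree.
expected_type() {
  case "$1" in
    root) echo home_root_t ;;      # e.g. /home or /srv/data/home
    home) echo user_home_dir_t ;;  # e.g. /srv/data/home/git
    ssh)  echo ssh_home_t ;;       # .ssh and every file inside it
    *)    return 1 ;;
  esac
}

# Check one `ls -Zd`-style line ("user:role:type:level path"). Prints
# "path observed expected" when the type is wrong, nothing when it is right.
check_label() {
  role=$1; line=$2
  ctx=${line%% *}                  # SELinux context is the first field
  path=${line#* }                  # the path is the rest of the line
  observed=$(printf '%s' "$ctx" | cut -d: -f3)
  want=$(expected_type "$role") || return 1
  if [ "$observed" != "$want" ]; then
    printf '%s %s %s\n' "$path" "$observed" "$want"
  fi
}

# Print the persistent fix. chcon (the fix in UPDATE II) only changes the
# label on disk, so a later relabel (restorecon -R, touch /.autorelabel)
# would revert it. Recording the rule with semanage keeps it. A relocated
# home root is best declared equivalent to /home so the whole tree inherits
# the standard user_home_dir_t / user_home_t / ssh_home_t labels.
fix_commands() {
  if [ "$2" = home_root_t ]; then
    printf 'semanage fcontext -a -e /home "%s"\n' "$1"
  else
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
  fi
  printf 'restorecon -Rv "%s"\n' "$1"
}

# Constructed sample matching what the asker saw for /srv/data/home/git.
sample='unconfined_u:object_r:var_t:s0 /srv/data/home/git'
check_label home "$sample" | while read -r p observed want; do
  echo "# $p is labelled $observed, expected $want"
  fix_commands "$p" "$want"
done
```

Run it as root on the affected host after replacing the constructed sample with real `ls -Zd` output; the printed commands need the policycoreutils-python package for `semanage`.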