O mais provável é que o contexto do arquivo .ssh
e .ssh/authorized_keys
esteja errado. Faça um sudo restorecon -R -v /home/zenoss/.ssh
e tente novamente.
Eu escrevi este script que agora funciona perfeitamente em sistemas sem o SElinux instalado.
echo Enter server IP:
read server
scp /home/Zenoss/.ssh/authorized_keys random@$server:/home/random
sshpass -p randompassword ssh -t random@$server sudo -i 'useradd zenoss; sudo mkdir /home/zenoss/.ssh; sudo mv /home/random/authorized_keys /home/zenoss/.ssh/;
sudo chmod 700 /home/zenoss/.ssh;
sudo chmod 600 /home/zenoss/.ssh/authorized_keys;
sudo chown -R zenoss /home/zenoss/.ssh;
sudo chgrp -R zenoss /home/zenoss/.ssh;
exit'
Portanto, nos servidores sem o SElinux, o script funciona e, em seguida, o Zenoss pode efetuar login no servidor remoto via SSH e iniciar o monitoramento. No entanto, em sistemas com o SELinux ativado, o script funciona, mas o Zenoss não pode conectar o SSH ao servidor remoto, a informação de depuração mostra que ele não está vendo o arquivo authorized_keys que foi configurado com sucesso.
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to ***** port 22.
debug1: Connection established.
debug1: identity file /home/zenoss/.ssh/id_rsa type 1
debug1: identity file /home/zenoss/.ssh/id_rsa-cert type -1
debug1: identity file /home/zenoss/.ssh/id_dsa type 2
debug1: identity file /home/zenoss/.ssh/id_dsa-cert type -1
debug1: identity file /home/zenoss/.ssh/id_ecdsa type -1
debug1: identity file /home/zenoss/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/zenoss/.ssh/id_ed25519 type -1
debug1: identity file /home/zenoss/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: kex: [email protected] need=16 dh_need=16
debug1: kex: [email protected] need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA ***************
The authenticity of host '******' can't be established.
ECDSA key fingerprint is **************************
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '*******' (ECDSA) to the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/zenoss/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering DSA public key: /home/zenoss/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/zenoss/.ssh/id_ecdsa
debug1: Trying private key: /home/zenoss/.ssh/id_ed25519
debug1: Next authentication method: password
zenoss@****s password:
Alguém sabe o que causa isso e como posso contorná-lo, desabilitando o SELinux não é uma opção.
KR