2017-03-14, 1 view

SSH public key authentication does not work for one particular user only

I can't get public key authentication working for an SSH server on CentOS 6.8. What's strange is that when I log in as the postgres user it works fine, but when I log in as the 'barman' user, which is created automatically when installing barman, it always asks for a password.

The home directory of the 'postgres' user and the home directory of the Barman user are in the same folder. I think the problem has nothing to do with the sshd config; I tried setting the permissions of barman's home directory, the .ssh path and authorized_keys exactly like postgres. But it still doesn't work. This is what I get after running ssh localhost -vvv:

    OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013 
    debug1: Reading configuration data /etc/ssh/ssh_config 
    debug1: Applying options for * 
    debug2: ssh_connect: needpriv 0 
    debug1: Connecting to localhost [::1] port 22. 
    debug1: Connection established. 
    debug3: Not a RSA1 key file /var/lib/barman/.ssh/id_rsa. 
    debug2: key_type_from_name: unknown key type '-----BEGIN' 
    debug3: key_read: missing keytype 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug3: key_read: missing whitespace 
    debug2: key_type_from_name: unknown key type '-----END' 
    debug3: key_read: missing keytype 
    debug1: identity file /var/lib/barman/.ssh/id_rsa type 1 
    debug1: identity file /var/lib/barman/.ssh/id_rsa-cert type -1 
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3 
    debug1: match: OpenSSH_5.3 pat OpenSSH* 
    debug1: Enabling compatibility mode for protocol 2.0 
    debug1: Local version string SSH-2.0-OpenSSH_5.3 
    debug2: fd 3 setting O_NONBLOCK 
    debug1: SSH2_MSG_KEXINIT sent 
    debug3: Wrote 960 bytes for a total of 981 
    debug1: SSH2_MSG_KEXINIT received 
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 
    debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss 
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se 
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se 
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib 
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib 
    debug2: kex_parse_kexinit: 
    debug2: kex_parse_kexinit: 
    debug2: kex_parse_kexinit: first_kex_follows 0 
    debug2: kex_parse_kexinit: reserved 0 
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss 
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se 
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se 
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 
    debug2: kex_parse_kexinit: none,zlib@openssh.com 
    debug2: kex_parse_kexinit: none,zlib@openssh.com 
    debug2: kex_parse_kexinit: 
    debug2: kex_parse_kexinit: 
    debug2: kex_parse_kexinit: first_kex_follows 0 
    debug2: kex_parse_kexinit: reserved 0 
    debug2: mac_setup: found hmac-md5 
    debug1: kex: server->client aes128-ctr hmac-md5 none 
    debug2: mac_setup: found hmac-md5 
    debug1: kex: client->server aes128-ctr hmac-md5 none 
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent 
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP 
    debug3: Wrote 24 bytes for a total of 1005 
    debug2: dh_gen_key: priv key bits set: 139/256 
    debug2: bits set: 514/1024 
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent 
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY 
    debug3: Wrote 144 bytes for a total of 1149 
    debug3: check_host_in_hostfile: host localhost filename /var/lib/barman/.ssh/known_hosts 
    debug3: check_host_in_hostfile: host localhost filename /var/lib/barman/.ssh/known_hosts 
    debug3: check_host_in_hostfile: match line 1 
    debug1: Host 'localhost' is known and matches the RSA host key. 
    debug1: Found key in /var/lib/barman/.ssh/known_hosts:1 
    debug2: bits set: 523/1024 
    debug1: ssh_rsa_verify: signature correct 
    debug2: kex_derive_keys 
    debug2: set_newkeys: mode 1 
    debug1: SSH2_MSG_NEWKEYS sent 
    debug1: expecting SSH2_MSG_NEWKEYS 
    debug3: Wrote 16 bytes for a total of 1165 
    debug2: set_newkeys: mode 0 
    debug1: SSH2_MSG_NEWKEYS received 
    debug1: SSH2_MSG_SERVICE_REQUEST sent 
    debug3: Wrote 48 bytes for a total of 1213 
    debug2: service_accept: ssh-userauth 
    debug1: SSH2_MSG_SERVICE_ACCEPT received 
    debug2: key: /var/lib/barman/.ssh/id_rsa (0x7f6ef1fcc740) 
    debug3: Wrote 64 bytes for a total of 1277 
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password 
    debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password 
    debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password 
    debug3: authmethod_lookup gssapi-keyex 
    debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password 
    debug3: authmethod_is_enabled gssapi-keyex 
    debug1: Next authentication method: gssapi-keyex 
    debug1: No valid Key exchange context 
    debug2: we did not send a packet, disable method 
    debug3: authmethod_lookup gssapi-with-mic 
    debug3: remaining preferred: publickey,keyboard-interactive,password 
    debug3: authmethod_is_enabled gssapi-with-mic 
    debug1: Next authentication method: gssapi-with-mic 
    debug3: Trying to reverse map address ::1. 
    debug1: Unspecified GSS failure. Minor code may provide more information 
    Credentials cache file '/tmp/krb5cc_498' not found 

    debug1: Unspecified GSS failure. Minor code may provide more information 
    Credentials cache file '/tmp/krb5cc_498' not found 

    debug1: Unspecified GSS failure. Minor code may provide more information 


    debug1: Unspecified GSS failure. Minor code may provide more information 
    Credentials cache file '/tmp/krb5cc_498' not found 

    debug2: we did not send a packet, disable method 
    debug3: authmethod_lookup publickey 
    debug3: remaining preferred: keyboard-interactive,password 
    debug3: authmethod_is_enabled publickey 
    debug1: Next authentication method: publickey 
    debug1: Offering public key: /var/lib/barman/.ssh/id_rsa 
    debug3: send_pubkey_test 
    debug2: we sent a publickey packet, wait for reply 
    debug3: Wrote 368 bytes for a total of 1645 
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password 
    debug2: we did not send a packet, disable method 
    debug3: authmethod_lookup password 
    debug3: remaining preferred: ,password 
    debug3: authmethod_is_enabled password 
    debug1: Next authentication method: password 
    barman@localhost's password: 

Probably has something to do with strict mode. If the directories above 'barman' are group/world accessible, sshd might not like it. – Wukerplank


Barman and postgres are located in the same folder, but postgres doesn't have this problem. – Veetase

Answer (2 votes)

The authorized_keys file in the user's home directory has the wrong context. In this example the file's context is "unconfined_u:object_r:httpd_sys_content_t:s0". The context sshd runs in has no access to that context, so SELinux denies access to the file. Without access to the file, key authentication fails. Run the following command to reset it:

    chcon -R unconfined_u:object_r:user_home_t:s0 /path/to/users/homedirectory/.ssh/
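An added example, not part of the question or the answer: a POSIX sh audit of a home directory for the two server-side causes raised on this page, the sshd StrictModes permission rule from the comment and the SELinux file context from the answer. It assumes GNU stat(1), whose %C prints "?" when SELinux is not in use; the path /var/lib/barman is taken from the debug output above.

```shell
#!/bin/sh
# Added example: audit a home directory for the causes of publickey failure
# discussed on this page. Assumes GNU coreutils stat(1).

# 0 if the path is not writable by group or others, 1 otherwise.
# sshd's StrictModes refuses ~/.ssh/authorized_keys when the home,
# .ssh or the file itself is group/world writable.
not_gw_writable() {
    perms=$(stat -c '%a' "$1") || return 1
    # 022 = group-write | other-write; the leading 0 makes the literal octal
    [ $(( 0$perms & 022 )) -eq 0 ]
}

# 0 if the SELinux type is ssh_home_t (what restorecon assigns to ~/.ssh
# under the default targeted policy) or SELinux is not in use; 1 otherwise.
selinux_type_ok() {
    ctx=$(stat -c '%C' "$1") || return 1
    [ "$ctx" = "?" ] && return 0
    setype=$(printf '%s' "$ctx" | cut -d: -f3)
    [ "$setype" = "ssh_home_t" ]
}

# Audit the home directory given as $1: prints one line per finding
# and returns the number of findings (0 means nothing suspicious).
check_ssh_home() {
    home=$1; findings=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; findings=$((findings + 1)); continue
        fi
        if ! not_gw_writable "$p"; then
            echo "PERMS    $p is group/world writable (mode $(stat -c '%a' "$p")); StrictModes rejects it"
            findings=$((findings + 1))
        fi
    done
    ak="$home/.ssh/authorized_keys"
    if [ -e "$ak" ] && ! selinux_type_ok "$ak"; then
        echo "SELINUX  $ak has context $(stat -c '%C' "$ak"); try: restorecon -Rv $home/.ssh"
        findings=$((findings + 1))
    fi
    return $findings
}

# Usage on the host from the question (run as root or as the barman user):
#   check_ssh_home /var/lib/barman
```

If the audit is clean and the key is still refused, the server-side reason is in /var/log/secure (sshd) and /var/log/audit/audit.log (SELinux AVC denials), which the client-side -vvv output above cannot show.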