Dustin C. Hatch
301589af22
For some reason, when OverlayFS is mounted at `/etc/ssh`, SELinux prevents access both `sshd` and `ssh-keygen` access to the files there. The AVC denials indicate that (some part of) the process is running in the `mount_t` domain, which is not allowed to read or write `sshd_key_t` files. To work around this issue, without granting `mount_t` overly-permissive access, we now configure the SSH daemon to read host keys from the persistent data volume directly, instead of "tricking" it with OverlayFS. The `ssh-keygen` tool does not read the `HostKey` options from `sshd_config`, though, so it has to be explicitly instructed to create keys in this alternate location. By using a systemd template unit with `ConditionPathExists`, we avoid regnerating the keys on every boot, since the `ssh-keygen` command is only run if the file does not already exist.
8 lines
138 B
SYSTEMD
8 lines
138 B
SYSTEMD
[Unit]
|
|
Wants=ssh-keygen@rsa.service
|
|
Wants=ssh-keygen@ecdsa.service
|
|
Wants=ssh-keygen@ed25519.service
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|