Dustin
301589af22
For some reason, when OverlayFS is mounted at `/etc/ssh`, SELinux prevents access both `sshd` and `ssh-keygen` access to the files there. The AVC denials indicate that (some part of) the process is running in the `mount_t` domain, which is not allowed to read or write `sshd_key_t` files. To work around this issue, without granting `mount_t` overly-permissive access, we now configure the SSH daemon to read host keys from the persistent data volume directly, instead of "tricking" it with OverlayFS. The `ssh-keygen` tool does not read the `HostKey` options from `sshd_config`, though, so it has to be explicitly instructed to create keys in this alternate location. By using a systemd template unit with `ConditionPathExists`, we avoid regnerating the keys on every boot, since the `ssh-keygen` command is only run if the file does not already exist. |
||
|---|---|---|
| .. | ||
| bin | ||
| lib | ||
| libexec | ||