Super quick answer: sudo yum remove selinux*

Running Red Hat Enterprise Linux Server release 6.x? Cannot generate SSH public/private keys with ssh-keygen? Me too!

user@server:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Could not create directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
open /home/user/.ssh/id_rsa failed: Permission denied.
Saving the key failed: /home/user/.ssh/id_rsa.

I searched the intertubes, and all thread responses say to check the file permissions or my $HOME environment variable. They were fine. The only odd result in the list was: http://rhn.redhat.com/errata/RHBA-2010-0013.html which includes a paragraph:

  • SELinux denials caused by the ssh-keygen’s “system_u:object_r:initrc_exec_t” context caused ssh-keygen to fail to generate public/private RSA key pairs. These updated SELinux policy rules allow ssh-keygen to successfully generate public/private RSA key pairs as expected. (BZ#538453)

The problem should have been repaired in the previous version of Red Hat according to the advisory. There was no reason SELinux should be installed on the system, but considering all the other extraneous software I’d already removed, I figured it was.

user@server:~$ sudo yum remove selinux*
Loaded plugins: product-id, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Setting up Remove Process
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:3.7.19-126.el6_2.4 will be erased
---> Package selinux-policy-targeted.noarch 0:3.7.19-126.el6_2.4 will be erased
--> Finished Dependency Resolution

Yes, it was. Once I removed SELinux, ssh-keygen ran successfully. So frustrating…

user@server:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.

Note: This was causing a fprint failed error in gitolite’s gl-setup also.
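The denial can also be diagnosed while leaving the policy installed. The script below is an added example, not part of the original post: it pulls the ssh-keygen AVC denials out of audit records and checks whether a context carries the ssh_home_t type that the targeted policy uses for ~/.ssh. The sample record and the helper names (avc_field, context_type, keygen_denials, needs_relabel) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find what SELinux denied ssh-keygen, instead of removing the policy.
# SAMPLE_AVC is constructed for illustration; real records are in /var/log/audit/audit.log.
SAMPLE_AVC='type=AVC msg=audit(1335363960.123:456): avc:  denied  { create } for  pid=2211 comm="ssh-keygen" name=".ssh" scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1335363961.001:457): avc:  denied  { read } for  pid=2300 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=value in one audit record (quotes stripped)
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# context_type USER:ROLE:TYPE:LEVEL -> TYPE
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# keygen_denials < log -> "permission name class target_type" per ssh-keygen denial
keygen_denials() {
    grep 'avc: *denied' | grep 'comm="ssh-keygen"' | while IFS= read -r line; do
        perm=$(printf '%s\n' "$line" | sed -n 's/.*{ \(.*\) }.*/\1/p')
        ttype=$(context_type "$(avc_field "$line" tcontext)")
        printf '%s %s %s %s\n' "$perm" "$(avc_field "$line" name)" \
            "$(avc_field "$line" tclass)" "$ttype"
    done
}

# needs_relabel CONTEXT -> succeeds when the type is anything other than ssh_home_t
needs_relabel() {
    [ "$(context_type "$1")" != "ssh_home_t" ]
}

# Summarise the constructed sample; only the ssh-keygen record is reported.
printf '%s\n' "$SAMPLE_AVC" | keygen_denials

# On a host with the SELinux tools, check the live label of ~/.ssh (GNU stat %C prints it).
if command -v getenforce >/dev/null 2>&1; then
    ctx=$(stat -c %C "$HOME/.ssh" 2>/dev/null || true)
    if [ -n "$ctx" ] && needs_relabel "$ctx"; then
        echo "$HOME/.ssh is labelled $ctx; relabel with: restorecon -Rv $HOME/.ssh"
    fi
fi
```

To run it against real data, feed the audit log on standard input, for example `sudo cat /var/log/audit/audit.log | keygen_denials`.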

Comments

(Statically copied from previous site)

Anonymous replied on April 25, 2012 - 10:26am

To fix this without disabling selinux: chcon -t ssh_home_t .ssh

Daniel Laxar replied on May 1, 2012 - 8:29am

Thanks man! U saved me hours of searching. Googling ‘gl-setup fprint failed’ brought me here. Thanks!

Anonymous replied on November 17, 2014 - 1:11pm

Removing selinux doesn't help!!

brad replied on November 19, 2014 - 1:08pm

Sorry to hear that. I don’t have a RHEL6 server available right now to see if anything has been changed.

Sunil Kumar Sharma replied on September 12, 2017 - 12:21am

I have got the same problem of permission denied. I just gave the write permission to the .ssh directory and it works.