I am trying to run an SSH command in a systemd service. Although the user I set to run the command, fedora,
has permission to everything the command requires (verified both by running the command manually in a logged-in shell without failure and by permission checks on the files), it still gives the error "permission denied".
[Unit]
Description=AutoSSH tunnel
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/ssh -f -TN -L 3333:localhost:3333 -o "ExitOnForwardFailure yes" -o "ServerAliveInterval 60" -i /home/fedora/.ssh/id_rsa ubuntu@server
ExecStop=/usr/bin/pkill -f 3333:localhost:3333
Restart=always
RestartSec=10
User=fedora
Group=fedora
[Install]
WantedBy=multi-user.target
Error message:
Oct 16 11:10:47 Lenovoserver systemd[2318595]: autossh-tunnel.service: Failed to execute command: Permission denied
Oct 16 11:10:47 Lenovoserver systemd[2318595]: autossh-tunnel.service: Failed at step EXEC spawning /usr/bin/ssh: Permission denied
Permission checks:
-rwxr-xr-x. 1 root root 808832 Oct 9 2019 /usr/bin/ssh
The fedora user has permission to execute /usr/bin/ssh.
-rw-------. 1 fedora fedora 2610 Jan 3 2020 /home/fedora/.ssh/id_rsa
The fedora user has read access to its private key.
Did I do anything wrong or is this a systemd bug?
It could be SELinux: the new SSH port has to be registered in SELinux.
First check whether the service works by disabling SELinux temporarily; if it works, add the SSH port to SELinux as follows.
# Check selinux status
sestatus
# Disable selinux temporarily
setenforce 0
# Check selinux ssh port
semanage port -l | grep ssh
ssh_port_t tcp 22
# Add selinux ssh port
sudo semanage port -a -t ssh_port_t -p tcp 3333
# Check selinux ssh port
semanage port -l | grep ssh
ssh_port_t tcp 22, 3333
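As an added check for the last two steps of the answer above (this is not part of the original answer): a POSIX shell function that parses `semanage port -l` style output and reports whether a port is already covered by a given SELinux type, handling both comma lists like `22, 3333` and ranges like `5900-5999`. The `SAMPLE_PORTS` text is constructed, and `suggest_fix` is a hypothetical helper that only prints the `semanage port -a` command it would take to label the port, without running it.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (not a real capture).
SAMPLE_PORTS='ssh_port_t                     tcp      22
vnc_port_t                     tcp      5900-5999
http_port_t                    tcp      80, 81, 443, 8008, 8443'

# port_labeled TYPE PROTO PORT: reads semanage-style lines from stdin and
# returns 0 if PORT is covered by TYPE on PROTO, 1 otherwise.
# Ports appear either as comma-separated values ("80, 81, 443")
# or as inclusive ranges ("5900-5999"); both forms are handled.
port_labeled() {
    type_="$1"; proto="$2"; port="$3"
    awk -v t="$type_" -v p="$proto" -v port="$port" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)          # strip trailing comma
                if (v ~ /-/) {                    # range form: low-high
                    split(v, r, "-")
                    if (port+0 >= r[1]+0 && port+0 <= r[2]+0) found = 1
                } else if (v+0 == port+0) {       # single port
                    found = 1
                }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# suggest_fix TYPE PROTO PORT: hypothetical helper that prints either a
# confirmation or the exact semanage command needed to add the label.
# It reads the constructed sample; on a real host replace it with
# `semanage port -l | suggest_fix ...` style input.
suggest_fix() {
    if printf '%s\n' "$SAMPLE_PORTS" | port_labeled "$1" "$2" "$3"; then
        echo "port $3/$2 is already labeled $1"
    else
        echo "semanage port -a -t $1 -p $2 $3"
    fi
}

# Usage: check the port from the question against the sample labels.
suggest_fix ssh_port_t tcp 3333
```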