From 4274f89f0029246a980ae70cd89dd1cc75f5aac3 Mon Sep 17 00:00:00 2001 From: w4tsn Date: Feb 17 2023 19:14:38 +0000 Subject: pages/yubikey: remove note on setting secontext The access to the ~/.yubico directory is done using the PAM module, not sshd directly. PAM sets the context of that directory to auth_home_t which PAM is allowed to access. No need to set the context to ssh_home_t. Apart from that using chcon is a volatile operation and not intended for persistent changes which was the intent of the note though. The label would be reset in a system recovery scenario. --- diff --git a/modules/ROOT/pages/using-yubikeys.adoc b/modules/ROOT/pages/using-yubikeys.adoc index 28794e4..4c7c36e 100644 --- a/modules/ROOT/pages/using-yubikeys.adoc +++ b/modules/ROOT/pages/using-yubikeys.adoc @@ -82,11 +82,6 @@ If you have SELinux on the enforcing mode (the default mode), you should flip on [source, bash] […]$ sudo setsebool -P allow_ypbind=1 - -Also, in order to allow sshd to access /root/.yubico/authorized_yubikeys, you should change its context: - -[source, bash] -[…]$ chcon -R system_u:object_r:ssh_home_t:s0 /root/.yubico ==== For challenge-response use the following:
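Review bot: At the removed chcon lines, the instruction is deleted without any replacement text, so readers who already followed the old page are left with ssh_home_t on /root/.yubico and no hint that it should be undone. Consider adding one sentence in that spot stating that no manual labeling is needed because the directory gets auth_home_t (as the commit message explains), and that anyone who ran the earlier command can return to the policy default with `restorecon -R -v /root/.yubico`. The rationale currently lives only in the commit message; putting a short version of it in the page would keep the chcon advice from being reintroduced later.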