[Bug 965663] Re: ssh-copy-id doesn't call restorecon on SELinux enabled destination hosts
Colin Watson
cjwatson at canonical.com
Tue May 7 10:25:34 UTC 2013
Thanks for your report. I fixed this a little while ago in Debian.

openssh (1:6.0p1-3) unstable; urgency=low

  * debconf template translations:
    - Add Indonesian (thanks, Andika Triwidada; closes: #681670).
  * Call restorecon on copied ~/.ssh/authorized_keys if possible, since some
    SELinux policies require this (closes: #658675).
  * Add ncurses-term to openssh-server's Recommends, since it's often needed
    to support unusual terminal emulators on clients (closes: #675362).

 -- Colin Watson <cjwatson at debian.org>  Fri, 24 Aug 2012 06:55:36 +0100

** Bug watch added: Debian Bug tracker #658675
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658675
** Also affects: openssh (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658675
Importance: Unknown
Status: Unknown
** Changed in: openssh (Ubuntu)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/965663
Title:
ssh-copy-id doesn't call restorecon on SELinux enabled destination
hosts
Status in “openssh” package in Ubuntu:
Fix Released
Status in “openssh” package in Debian:
Unknown
Bug description:
When using ssh-copy-id to copy a public key to a SELinux enabled
destination host (like a CentOS 6 default install) the resulting
~/.ssh/authorized_keys file on the SELinux box does not have the right
labelling :
# ll -Z .ssh/authorized_keys
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .ssh/authorized_keys
While it should be :
# ll -Z .ssh/authorized_keys
-rw-------. root root unconfined_u:object_r:ssh_home_t:s0 .ssh/authorized_keys
Comparing the CentOS version of ssh-copy-id with the one from Ubuntu shows that the CentOS version appends the new key(s) and calls restorecon if the binary is present (test -x /sbin/restorecon && /sbin/restorecon .ssh .ssh/authorized_keys).
Ubuntu (where ssh-copy-id was called) information :
$ lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10
$ apt-cache policy openssh-client
openssh-client:
Installed: 1:5.8p1-7ubuntu1
Candidate: 1:5.8p1-7ubuntu1
Version table:
*** 1:5.8p1-7ubuntu1 0
500 http://archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
100 /var/lib/dpkg/status
CentOS (destination server) information :
# cat /etc/issue
CentOS release 6.2 (Final)
Kernel \r on an \m
# rpm -qf /usr/bin/ssh-copy-id
openssh-clients-5.3p1-70.el6_2.2.x86_64
# rpm -qi openssh-clients
Name : openssh-clients Relocations: (not relocatable)
Version : 5.3p1 Vendor: CentOS
Release : 70.el6_2.2 Build Date: Wed 25 Jan 2012 10:56:24 AM EST
Install Date: Mon 26 Mar 2012 03:04:35 PM EDT Build Host: c6b18n1.dev.centos.org
Group : Applications/Internet Source RPM: openssh-5.3p1-70.el6_2.2.src.rpm
Size : 1070245 License: BSD
Signature : RSA/SHA1, Mon 30 Jan 2012 02:11:24 PM EST, Key ID 0946fca2c105b9de
Packager : CentOS BuildSystem <http://bugs.centos.org>
URL : http://www.openssh.com/portable.html
Summary : An open source SSH client applications
Description :
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package includes
the clients necessary to make encrypted connections to SSH servers.
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: openssh-client 1:5.8p1-7ubuntu1
ProcVersionSignature: Ubuntu 3.0.0-17.30-generic 3.0.22
Uname: Linux 3.0.0-17-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Mon Mar 26 16:01:43 2012
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111011)
RelatedPackageVersions:
ssh-askpass N/A
libpam-ssh N/A
keychain N/A
ssh-askpass-gnome 1:5.8p1-7ubuntu1
SSHClientVersion: OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/965663/+subscriptions
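
The remote-side behaviour discussed in this report, as an added example that is not part of the original message and is not the ssh-copy-id code from either distribution. It appends a key, relabels with the same "test -x restorecon" guard the report quotes, and checks an "ls -Z" line for the ssh_home_t type. The function names and the RESTORECON override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. RESTORECON is an overridable path (assumption) so the
# relabel step can be exercised on a host without SELinux tools.
RESTORECON="${RESTORECON:-/sbin/restorecon}"

# install_key HOME_DIR "PUBKEY LINE"
# Append the key if it is not already present, tighten permissions, then
# relabel .ssh and authorized_keys when restorecon is executable.
install_key() {
    home_dir=$1
    pubkey=$2
    (
        umask 077
        cd "$home_dir" || exit 1
        mkdir -p .ssh || exit 1
        touch .ssh/authorized_keys || exit 1
        # -x whole-line, -F fixed-string match: do not add duplicates
        grep -qxF -- "$pubkey" .ssh/authorized_keys ||
            printf '%s\n' "$pubkey" >> .ssh/authorized_keys || exit 1
        chmod 700 .ssh && chmod 600 .ssh/authorized_keys || exit 1
        # Same guard as the CentOS script quoted in the bug description
        if test -x "$RESTORECON"; then
            "$RESTORECON" .ssh .ssh/authorized_keys
        fi
    )
}

# selinux_type "LS -Z LINE"
# Print the type field of the user:role:type:level context in the line.
selinux_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 4 && c[2] ~ /_r$/) { print c[3]; exit }
    }'
}

# label_ok "LS -Z LINE"
# Succeed only when the file carries the type the report says sshd expects.
label_ok() {
    [ "$(selinux_type "$1")" = "ssh_home_t" ]
}
```

On the destination host, `label_ok "$(ls -Z ~/.ssh/authorized_keys)"` gives a quick pass/fail after a key has been copied.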