[Bug 965663] [NEW] ssh-copy-id doesn't call restorecon on SELinux enabled destination hosts

Simon Déziel 965663 at bugs.launchpad.net
Mon Mar 26 20:18:52 UTC 2012


Public bug reported:

When using ssh-copy-id to copy a public key to a SELinux enabled
destination host (like a CentOS 6 default install) the resulting
~/.ssh/authorized_keys file on the SELinux box does not have the right
labelling:

# ll -Z .ssh/authorized_keys 
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .ssh/authorized_keys

While it should be:

# ll -Z .ssh/authorized_keys 
-rw-------. root root unconfined_u:object_r:ssh_home_t:s0 .ssh/authorized_keys

Comparing the CentOS version of ssh-copy-id with the one from Ubuntu shows that the CentOS version appends the new key(s) and calls restorecon if the binary is present (test -x /sbin/restorecon && /sbin/restorecon .ssh .ssh/authorized_keys).
 


Ubuntu (where ssh-copy-id was called) information:

$ lsb_release -rd
Description:	Ubuntu 11.10
Release:	11.10

$ apt-cache policy openssh-client
openssh-client:
  Installed: 1:5.8p1-7ubuntu1
  Candidate: 1:5.8p1-7ubuntu1
  Version table:
 *** 1:5.8p1-7ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status


CentOS (destination server) information:

# cat /etc/issue
CentOS release 6.2 (Final)
Kernel \r on an \m

# rpm -qf /usr/bin/ssh-copy-id
openssh-clients-5.3p1-70.el6_2.2.x86_64

# rpm -qi openssh-clients
Name        : openssh-clients              Relocations: (not relocatable)
Version     : 5.3p1                             Vendor: CentOS
Release     : 70.el6_2.2                    Build Date: Wed 25 Jan 2012 10:56:24 AM EST
Install Date: Mon 26 Mar 2012 03:04:35 PM EDT      Build Host: c6b18n1.dev.centos.org
Group       : Applications/Internet         Source RPM: openssh-5.3p1-70.el6_2.2.src.rpm
Size        : 1070245                          License: BSD
Signature   : RSA/SHA1, Mon 30 Jan 2012 02:11:24 PM EST, Key ID 0946fca2c105b9de
Packager    : CentOS BuildSystem <http://bugs.centos.org>
URL         : http://www.openssh.com/portable.html
Summary     : An open source SSH client applications
Description :
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package includes
the clients necessary to make encrypted connections to SSH servers.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: openssh-client 1:5.8p1-7ubuntu1
ProcVersionSignature: Ubuntu 3.0.0-17.30-generic 3.0.22
Uname: Linux 3.0.0-17-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Mon Mar 26 16:01:43 2012
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111011)
RelatedPackageVersions:
 ssh-askpass       N/A
 libpam-ssh        N/A
 keychain          N/A
 ssh-askpass-gnome 1:5.8p1-7ubuntu1
SSHClientVersion: OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug oneiric running-unity

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/965663

Title:
  ssh-copy-id doesn't call restorecon on SELinux enabled destination
  hosts

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/965663/+subscriptions
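
As an added example (not part of the original report and not code from ssh-copy-id), the label check and the conditional restorecon call described in the report can be scripted as below. The function names are hypothetical, and the sample input is the two `ll -Z` lines quoted in the report.

```shell
#!/bin/sh
# Added example: audit the SELinux type of authorized_keys from `ls -Z` output.
EXPECTED_TYPE="ssh_home_t"   # type the report says the file should carry

# Print the SELinux type (third part of user:role:type:level) found in one
# line of `ls -Z` output; print nothing when the line carries no context.
# Assumption: the role part ends in "_r", as is conventional.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 4 && c[2] ~ /_r$/) { print c[3]; exit }
    }'
}

# 0 = labelled as expected, 1 = mislabelled, 2 = no SELinux context on the line.
check_label() {
    t=$(selinux_type_of "$1")
    [ -n "$t" ] || return 2
    [ "$t" = "$EXPECTED_TYPE" ]
}

# Read `ls -Z` lines on stdin, report mislabelled files, return 1 if any.
# Assumes paths without spaces (the path is taken as the last field).
audit() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        rc=0; check_label "$line" || rc=$?
        case $rc in
            1) echo "MISLABELLED ($(selinux_type_of "$line")): ${line##* }"; bad=1 ;;
            2) echo "NO CONTEXT: ${line##* }" ;;
        esac
    done
    return "$bad"
}

# Remote-side fix mirroring the CentOS behaviour quoted in the report:
# call restorecon only when the binary is present.
fix_labels() {
    dir=${1:-$HOME/.ssh}
    if [ -x /sbin/restorecon ]; then
        /sbin/restorecon "$dir" "$dir/authorized_keys"
    fi
}

# Sample input: the two `ll -Z` lines quoted in the report.
SAMPLE='-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .ssh/authorized_keys
-rw-------. root root unconfined_u:object_r:ssh_home_t:s0 .ssh/authorized_keys'

printf '%s\n' "$SAMPLE" | audit || echo "relabel needed on the destination host"
```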


