ssh-copy-id doesn't call restorecon on SELinux enabled destination hosts
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| openssh (Debian) |
Fix Released
|
Unknown
|
|||
| openssh (Ubuntu) |
Fix Released
|
Low
|
Unassigned | ||
Bug Description
When using ssh-copy-id to copy a public key to a SELinux enabled destination host (like a CentOS 6 default install) the resulting ~/.ssh/
# ll -Z .ssh/authorized
-rw-------. root root unconfined_
While it should be :
# ll -Z .ssh/authorized
-rw-------. root root unconfined_
Comparing the CentOS version of ssh-copy-id with the one from Ubuntu shows that the CentOS version appends the new key(s) and calls restorecon if the binary is present (test -x /sbin/restorecon && /sbin/restorecon .ssh .ssh/authorized
Ubuntu (where ssh-copy-id was called) information :
$ lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10
$ apt-cache policy openssh-client
openssh-client:
Installed: 1:5.8p1-7ubuntu1
Candidate: 1:5.8p1-7ubuntu1
Version table:
*** 1:5.8p1-7ubuntu1 0
500 http://
100 /var/lib/
CentOS (destination server) information :
# cat /etc/issue
CentOS release 6.2 (Final)
Kernel \r on an \m
# rpm -qf /usr/bin/
openssh-
# rpm -qi openssh-clients
Name : openssh-clients Relocations: (not relocatable)
Version : 5.3p1 Vendor: CentOS
Release : 70.el6_2.2 Build Date: Wed 25 Jan 2012 10:56:24 AM EST
Install Date: Mon 26 Mar 2012 03:04:35 PM EDT Build Host: c6b18n1.
Group : Applications/
Size : 1070245 License: BSD
Signature : RSA/SHA1, Mon 30 Jan 2012 02:11:24 PM EST, Key ID 0946fca2c105b9de
Packager : CentOS BuildSystem <http://
URL : http://
Summary : An open source SSH client applications
Description :
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package includes
the clients necessary to make encrypted connections to SSH servers.
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: openssh-client 1:5.8p1-7ubuntu1
ProcVersionSign
Uname: Linux 3.0.0-17-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Mon Mar 26 16:01:43 2012
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111011)
RelatedPackageV
ssh-askpass N/A
libpam-ssh N/A
keychain N/A
ssh-askpass-gnome 1:5.8p1-7ubuntu1
SSHClientVersion: OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)
| Simon Déziel (sdeziel) wrote | #1 |
| Changed in openssh (Ubuntu): | |
| importance: | Undecided → Low |
| Colin Watson (cjwatson) wrote | #2 |
| Changed in openssh (Ubuntu): | |
| status: | New → Fix Released |
| Changed in openssh (Debian): | |
| status: | Unknown → Fix Released |
Thanks for your report. I fixed this a little while ago in Debian.
openssh (1:6.0p1-3) unstable; urgency=low
* debconf template translations:
- Add Indonesian (thanks, Andika Triwidada; closes: #681670).
* Call restorecon on copied ~/.ssh/
SELinux policies require this (closes: #658675).
* Add ncurses-term to openssh-server's Recommends, since it's often needed
to support unusual terminal emulators on clients (closes: #675362).
-- Colin Watson <email address hidden> Fri, 24 Aug 2012 06:55:36 +0100