ssh-copy-id doesn't call restorecon on SELinux enabled destination hosts

Bug #965663 reported by Simon Déziel
This bug affects 2 people
Affects Status Importance Assigned to Milestone
openssh (Debian)
Fix Released
openssh (Ubuntu)
Fix Released

Bug Description

When using ssh-copy-id to copy a public key to a SELinux enabled destination host (like a CentOS 6 default install) the resulting ~/.ssh/authorized_keys file on the SELinux box does not have the right labelling :

# ll -Z .ssh/authorized_keys
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .ssh/authorized_keys

While it should be :

# ll -Z .ssh/authorized_keys
-rw-------. root root unconfined_u:object_r:ssh_home_t:s0 .ssh/authorized_keys

Comparing the CentOS version of ssh-copy-id with the one from Ubuntu shows that the CentOS version appends the new key(s) and calls restorecon if the binary is present (test -x /sbin/restorecon && /sbin/restorecon .ssh .ssh/authorized_keys).

Ubuntu (where ssh-copy-id was called) information :

$ lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10

$ apt-cache policy openssh-client
  Installed: 1:5.8p1-7ubuntu1
  Candidate: 1:5.8p1-7ubuntu1
  Version table:
 *** 1:5.8p1-7ubuntu1 0
        500 oneiric/main amd64 Packages
        100 /var/lib/dpkg/status

CentOS (destination server) information :

# cat /etc/issue
CentOS release 6.2 (Final)
Kernel \r on an \m

# rpm -qf /usr/bin/ssh-copy-id

# rpm -qi openssh-clients
Name : openssh-clients Relocations: (not relocatable)
Version : 5.3p1 Vendor: CentOS
Release : 70.el6_2.2 Build Date: Wed 25 Jan 2012 10:56:24 AM EST
Install Date: Mon 26 Mar 2012 03:04:35 PM EDT Build Host:
Group : Applications/Internet Source RPM: openssh-5.3p1-70.el6_2.2.src.rpm
Size : 1070245 License: BSD
Signature : RSA/SHA1, Mon 30 Jan 2012 02:11:24 PM EST, Key ID 0946fca2c105b9de
Packager : CentOS BuildSystem <>
Summary : An open source SSH client applications
Description :
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package includes
the clients necessary to make encrypted connections to SSH servers.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: openssh-client 1:5.8p1-7ubuntu1
ProcVersionSignature: Ubuntu 3.0.0-17.30-generic 3.0.22
Uname: Linux 3.0.0-17-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Mon Mar 26 16:01:43 2012
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111011)
 ssh-askpass N/A
 libpam-ssh N/A
 keychain N/A
 ssh-askpass-gnome 1:5.8p1-7ubuntu1
SSHClientVersion: OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Simon Déziel (sdeziel) wrote :
James Page (james-page)
Changed in openssh (Ubuntu):
importance: Undecided → Low
Revision history for this message
Colin Watson (cjwatson) wrote :

Thanks for your report. I fixed this a little while ago in Debian.

openssh (1:6.0p1-3) unstable; urgency=low

  * debconf template translations:
    - Add Indonesian (thanks, Andika Triwidada; closes: #681670).
  * Call restorecon on copied ~/.ssh/authorized_keys if possible, since some
    SELinux policies require this (closes: #658675).
  * Add ncurses-term to openssh-server's Recommends, since it's often needed
    to support unusual terminal emulators on clients (closes: #675362).

 -- Colin Watson <email address hidden> Fri, 24 Aug 2012 06:55:36 +0100

Changed in openssh (Ubuntu):
status: New → Fix Released
Changed in openssh (Debian):
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.