Public bug reported:

When using ssh-copy-id to copy a public key to a SELinux enabled destination host (like a CentOS 6 default install) the resulting ~/.ssh/authorized_keys file on the SELinux box does not have the right labelling:

    # ll -Z .ssh/authorized_keys
    -rw-------. root root unconfined_u:object_r:admin_home_t:s0 .ssh/authorized_keys

While it should be:

    # ll -Z .ssh/authorized_keys
    -rw-------. root root unconfined_u:object_r:ssh_home_t:s0 .ssh/authorized_keys

Comparing the CentOS version of ssh-copy-id with the one from Ubuntu shows that the CentOS version appends the new key(s) and calls restorecon if the binary is present (test -x /sbin/restorecon && /sbin/restorecon .ssh .ssh/authorized_keys).

Ubuntu (where ssh-copy-id was called) information:

    $ lsb_release -rd
    Description:    Ubuntu 11.10
    Release:        11.10

    $ apt-cache policy openssh-client
    openssh-client:
      Installed: 1:5.8p1-7ubuntu1
      Candidate: 1:5.8p1-7ubuntu1
      Version table:
     *** 1:5.8p1-7ubuntu1 0
            500 http://archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
            100 /var/lib/dpkg/status

CentOS (destination server) information:

    # cat /etc/issue
    CentOS release 6.2 (Final)
    Kernel \r on an \m

    # rpm -qf /usr/bin/ssh-copy-id
    openssh-clients-5.3p1-70.el6_2.2.x86_64

    # rpm -qi openssh-clients
    Name        : openssh-clients          Relocations: (not relocatable)
    Version     : 5.3p1                    Vendor: CentOS
    Release     : 70.el6_2.2               Build Date: Wed 25 Jan 2012 10:56:24 AM EST
    Install Date: Mon 26 Mar 2012 03:04:35 PM EDT   Build Host: c6b18n1.dev.centos.org
    Group       : Applications/Internet    Source RPM: openssh-5.3p1-70.el6_2.2.src.rpm
    Size        : 1070245                  License: BSD
    Signature   : RSA/SHA1, Mon 30 Jan 2012 02:11:24 PM EST, Key ID 0946fca2c105b9de
    Packager    : CentOS BuildSystem <http://bugs.centos.org>
    URL         : http://www.openssh.com/portable.html
    Summary     : An open source SSH client applications
    Description :
    OpenSSH is a free version of SSH (Secure SHell), a program for logging
    into and executing commands on a remote machine. This package includes
    the clients necessary to make encrypted connections to SSH servers.
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: openssh-client 1:5.8p1-7ubuntu1
ProcVersionSignature: Ubuntu 3.0.0-17.30-generic 3.0.22
Uname: Linux 3.0.0-17-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Mon Mar 26 16:01:43 2012
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111011)
RelatedPackageVersions:
 ssh-askpass       N/A
 libpam-ssh        N/A
 keychain          N/A
 ssh-askpass-gnome 1:5.8p1-7ubuntu1
SSHClientVersion: OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug oneiric running-unity

https://bugs.launchpad.net/bugs/965663

Title:
  ssh-copy-id doesn't call restorecon on SELinux enabled destination hosts
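
The append-then-relabel step the report attributes to the CentOS ssh-copy-id, written out as an added example; it is not part of the original report and is not either distribution's script. The function name install_key and the RESTORECON override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: append a public key, then relabel .ssh and authorized_keys
# when restorecon is available, as the report describes for CentOS.
# install_key and RESTORECON are names chosen for this example.

RESTORECON="${RESTORECON:-/sbin/restorecon}"

# install_key HOME_DIR "PUBLIC KEY LINE"
install_key() {
    home_dir=$1
    key=$2
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"

    [ -n "$key" ] || { echo "install_key: empty key" >&2; return 2; }

    (
        umask 077                      # new dir 0700, new file 0600
        mkdir -p "$ssh_dir" || exit 1
        # Skip the append if this exact line is already present.
        if [ -f "$auth" ] && grep -qxF -- "$key" "$auth"; then
            exit 0
        fi
        # Make sure an existing file ends with a newline before appending,
        # so the new key does not get glued onto the previous entry.
        if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
            echo >> "$auth" || exit 1
        fi
        printf '%s\n' "$key" >> "$auth"
    ) || return 1

    # Newly created files normally take the parent directory's SELinux type
    # (admin_home_t in the report). restorecon resets the label to the policy
    # default (ssh_home_t in the report). Hosts without the binary skip this.
    if [ -x "$RESTORECON" ]; then
        "$RESTORECON" "$ssh_dir" "$auth"
    fi
}
```

On the destination host, `ls -Z .ssh/authorized_keys` before and after the call shows whether the label changed.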