debcrafters-packages team mailing list archive
Message #03801
[Bug 2116288] Re: apparmor ssh-keygen profile causes regressions in openssh testsuite
Instead of finding one denial after the other, I'd recommend switching
the profile to complain mode:

    aa-complain /etc/apparmor.d/ssh-keygen

This will allow everything, and log what would be denied. Please attach
the full audit.log so that ideally everything can be fixed at once.

Note to whoever wrote the ssh-keygen profile: the apparmor.d project
also has a profile for ssh-keygen. Please try to get your profile in
sync and submit it to upstream AppArmor.
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2116288
Title:
apparmor ssh-keygen profile causes regressions in openssh testsuite
Status in apparmor package in Ubuntu:
Confirmed
Status in openssh package in Ubuntu:
In Progress
Bug description:
The openssh autopkgtests started failing recently for the current
version of openssh. See the history[1], which indicates the last
passing test was 2025-07-04, and all tests since 2025-07-08 are
failing.
The failure[2] is:
109s autopkgtest [23:52:17]: test regress: [-----------------------
110s I: annotate-output 2.25.15
110s I: prefix='%H:%M:%S.%N '
110s 23:52:17.339507092 I: Started /usr/lib/openssh/regress/run-tests /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user
110s 23:52:17.367398624 O: make: Entering directory '/tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress'
110s 23:52:17.368474509 O: test "x" = "x" || mkdir -p /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/valgrind-out
110s 23:52:17.369514811 E: + /usr/bin/ssh -Q key
110s 23:52:17.370553020 E: + grep -q ^ssh-rsa
110s 23:52:17.369683454 O: set -xe ; if /usr/bin/ssh -Q key | grep -q "^ssh-rsa" ; then \
110s 23:52:17.373395617 O: ssh-keygen -if /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv | diff - /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_openssh.prv ; \
110s 23:52:17.374426134 O: tr '\n' '\r' </tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv > /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2_cr.prv ; \
110s 23:52:17.375462820 O: ssh-keygen -if /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2_cr.prv | diff - /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_openssh.prv ; \
110s 23:52:17.376450183 O: awk '{print $0 "\r"}' /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv > /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2_crnl.prv ; \
110s 23:52:17.377436163 O: ssh-keygen -if /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2_crnl.prv | diff - /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_openssh.prv ; \
110s 23:52:17.378310906 O: fi
110s 23:52:17.380987745 E: + ssh-keygen -if /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv
110s 23:52:17.382943130 E: + diff - /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_openssh.prv
110s 23:52:17.383460517 O: 0a1,15
110s 23:52:17.384437353 O: > -----BEGIN RSA PRIVATE KEY-----
110s 23:52:17.384791545 E: ssh-keygen: /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv: Permission denied
110s 23:52:17.385666749 O: > MIICWgIBAAKBgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazGu0OhBU3Uko
110s 23:52:17.385822343 E: make: *** [Makefile:161: t1] Error 1
110s 23:52:17.386874993 O: > +dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX87xKR0YzlXTLX+SLtF/ySebS3
110s 23:52:17.388006231 O: > xWPrlfRUDhh03hR5V+8xxvvy9widPYKw/oItwGSueOsEq1LTczCDv2dAjQIDAQAB
110s 23:52:17.389133634 O: > An8nH5VzvHkMbSqJ6eOYDsVwomRvYbH5IEaYl1x6VATITNvAu9kUdQ4NsSpuMc+7
110s 23:52:17.390169559 O: > Jj9gKZvmO1y2YCKc0P/iO+i/eV0L+yQh1Rw18jQZll+12T+LZrKRav03YNvMx0gN
110s 23:52:17.391270201 O: > wqWY48Kt6hv2/N/ebQzKRe79+D0t2cTh92hT7xENFLIBAkEBGnoGKFjAUkJCwO1V
110s 23:52:17.392330273 O: > mzpUqMHpRZVOrqP9hUmPjzNJ5oBPFGe4+h1hoSRFOAzaNuZt8ssbqaLCkzB8bfzj
110s 23:52:17.393367700 O: > qhZqAQJBANZekuUpp8iBLeLSagw5FkcPwPzq6zfExbhvsZXb8Bo/4SflNs4JHXwI
110s 23:52:17.394332829 O: > 7SD9Z8aJLvM4uQ/5M70lblDMQ40i3o0CQQDIJvBYBFL5tlOgakq/O7yi+wt0L5BZ
110s 23:52:17.395304658 O: > 9H79w5rCSAA0IHRoK/qI1urHiHC3f3vbbLk5UStfrqEaND/mm0shyNIBAkBLsYdC
110s 23:52:17.396262556 O: > /ctt5Bc0wUGK4Vl5bBmj9LtrrMJ4FpBpLwj/69BwCuKoK9XKZ0h73p6XHveCEGRg
110s 23:52:17.397222327 O: > PIlFX4MtaoLrwgU9AkBV2k4dgIws+X8YX65EsyyFjnlDqX4x0nSOjQB1msIKfHBr
110s 23:52:17.398164111 O: > dh5XLDBTTCxnKhMJ0Yx/opgOvf09XHBFwaQntR5i
110s 23:52:17.399194548 O: > -----END RSA PRIVATE KEY-----
110s 23:52:17.400163843 O: make: Leaving directory '/tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress'
110s 23:52:17.401643124 I: Finished with exitcode 2
110s Removed '/etc/systemd/system/sysinit.target.wants/haveged.service'.
110s autopkgtest [23:52:18]: test regress: -----------------------]
111s autopkgtest [23:52:19]: test regress: - - - - - - - - - - results - - - - - - - - - -
---
Within that output, the suspicious line is:
110s 23:52:17.384791545 E: ssh-keygen: /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv: Permission denied
When I inspect manually, I see apparmor denials like:
[76837.528975] audit: type=1400 audit(1752008293.137:4008): apparmor="DENIED" operation="open" class="file" namespace="root//lxd-autopkgtest-lxd-fmqpgo_<var-snap-lxd-common-lxd>" profile="ssh-keygen" name="/tmp/autopkgtest.KgCYRO/autopkgtest_tmp/regress/rsa_ssh2.prv" pid=560774 comm="ssh-keygen" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1001000
The recent apparmor upload (4.1.1-0ubuntu3) in questing introduced
apparmor.d/ssh-keygen via
debian/patches/ubuntu/ssh_keygen_mr_1519.patch.
[1] https://autopkgtest.ubuntu.com/packages/openssh/questing/amd64
[2] https://autopkgtest.ubuntu.com/results/autopkgtest-questing/questing/amd64/o/openssh/20250708_000329_951ff@/log.gz
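
A triage helper for the "collect everything at once" step suggested in the comment, added here as an example; it is not part of the original message or of AppArmor's own tooling. It groups AppArmor audit records by profile and path so a full log gathered in complain mode can be read in one pass. The first sample record is the denial quoted in the bug description, the other two are constructed, and the names `summarize` and `report` are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: record 1 is the denial quoted in the bug description;
# records 2 and 3 are constructed for this example.
SAMPLE_LOG = '''\
[76837.528975] audit: type=1400 audit(1752008293.137:4008): apparmor="DENIED" operation="open" class="file" namespace="root//lxd-autopkgtest-lxd-fmqpgo_<var-snap-lxd-common-lxd>" profile="ssh-keygen" name="/tmp/autopkgtest.KgCYRO/autopkgtest_tmp/regress/rsa_ssh2.prv" pid=560774 comm="ssh-keygen" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1001000
[76837.600000] audit: type=1400 audit(1752008293.200:4009): apparmor="ALLOWED" operation="open" class="file" profile="ssh-keygen" name="/tmp/autopkgtest.KgCYRO/autopkgtest_tmp/regress/rsa_ssh2_cr.prv" pid=560780 comm="ssh-keygen" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
[76837.700000] audit: type=1400 audit(1752008293.300:4010): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="ssh-keygen" pid=1 comm="apparmor_parser"
'''

# key="quoted value" or key=bare_value, as used in AppArmor audit records.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def summarize(log_text):
    """Group DENIED/ALLOWED records by (profile, path)."""
    summary = defaultdict(
        lambda: {"mask": set(), "modes": set(), "owner_match": True})
    for line in log_text.splitlines():
        f = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        # Enforce mode logs apparmor="DENIED"; complain mode logs the same
        # event as apparmor="ALLOWED". Other records (STATUS, ...) are skipped.
        if f.get("apparmor") not in ("DENIED", "ALLOWED") or "name" not in f:
            continue
        entry = summary[(f.get("profile", "?"), f["name"])]
        entry["mask"].update(f.get("denied_mask", ""))
        entry["modes"].add(f["apparmor"])
        # Rules with the "owner" qualifier only match when the process
        # fsuid equals the file's owner uid, so record any mismatch.
        if f.get("fsuid") != f.get("ouid"):
            entry["owner_match"] = False
    return dict(summary)


def report(log_text):
    """Return sorted rows: (profile, path, mask, modes, owner_match)."""
    return [(profile, path, "".join(sorted(e["mask"])),
             sorted(e["modes"]), e["owner_match"])
            for (profile, path), e in sorted(summarize(log_text).items())]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(*row, sep="\t")
```
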