debcrafters-packages team mailing list archive
-
debcrafters-packages team
-
Mailing list archive
-
Message #03989
[Bug 2116288] Re: apparmor ssh-keygen profile causes regressions in openssh testsuite
This bug was fixed in the package apparmor - 4.1.1-0ubuntu4
---------------
apparmor (4.1.1-0ubuntu4) questing; urgency=medium
* d/p/ubuntu/ssh_keygen_mr_1519.patch: revert ssh-keygen profile
This is breaking basic ssh-keygen functionality, and started quietly
breaking various autopkgtests that rely on ssh-keygen (LP: #2116288)
* d/control: Build-Depends: net-tools, for test_unconfined
-- Nick Rosbrook <enr0n@xxxxxxxxxx> Thu, 10 Jul 2025 17:17:44 -0400
** Changed in: apparmor (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2116288
Title:
apparmor ssh-keygen profile causes regressions in openssh testsuite
Status in apparmor package in Ubuntu:
Fix Released
Status in openssh package in Ubuntu:
Triaged
Bug description:
The openssh autopkgtests started failing recently for the current
version of openssh. See the history[1], which indicates the last
passing test was 2025-07-04, and all tests since 2025-07-08 are
failing.
The failure[2] is:
109s autopkgtest [23:52:17]: test regress: [-----------------------
110s I: annotate-output 2.25.15
110s I: prefix='%H:%M:%S.%N '
110s 23:52:17.339507092 I: Started /usr/lib/openssh/regress/run-tests /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user
110s 23:52:17.367398624 O: make: Entering directory '/tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress'
110s 23:52:17.368474509 O: test "x" = "x" || mkdir -p /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/valgrind-out
110s 23:52:17.369514811 E: + /usr/bin/ssh -Q key
110s 23:52:17.370553020 E: + grep -q ^ssh-rsa
110s 23:52:17.369683454 O: set -xe ; if /usr/bin/ssh -Q key | grep -q "^ssh-rsa" ; then \
110s 23:52:17.373395617 O: ssh-keygen -if /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv | diff - /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_openssh.prv ; \
110s 23:52:17.374426134 O: tr '\n' '\r' </tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv > /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2_cr.prv ; \
110s 23:52:17.375462820 O: ssh-keygen -if /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2_cr.prv | diff - /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_openssh.prv ; \
110s 23:52:17.376450183 O: awk '{print $0 "\r"}' /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv > /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2_crnl.prv ; \
110s 23:52:17.377436163 O: ssh-keygen -if /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2_crnl.prv | diff - /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_openssh.prv ; \
110s 23:52:17.378310906 O: fi
110s 23:52:17.380987745 E: + ssh-keygen -if /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv
110s 23:52:17.382943130 E: + diff - /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_openssh.prv
110s 23:52:17.383460517 O: 0a1,15
110s 23:52:17.384437353 O: > -----BEGIN RSA PRIVATE KEY-----
110s 23:52:17.384791545 E: ssh-keygen: /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv: Permission denied
110s 23:52:17.385666749 O: > MIICWgIBAAKBgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazGu0OhBU3Uko
110s 23:52:17.385822343 E: make: *** [Makefile:161: t1] Error 1
110s 23:52:17.386874993 O: > +dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX87xKR0YzlXTLX+SLtF/ySebS3
110s 23:52:17.388006231 O: > xWPrlfRUDhh03hR5V+8xxvvy9widPYKw/oItwGSueOsEq1LTczCDv2dAjQIDAQAB
110s 23:52:17.389133634 O: > An8nH5VzvHkMbSqJ6eOYDsVwomRvYbH5IEaYl1x6VATITNvAu9kUdQ4NsSpuMc+7
110s 23:52:17.390169559 O: > Jj9gKZvmO1y2YCKc0P/iO+i/eV0L+yQh1Rw18jQZll+12T+LZrKRav03YNvMx0gN
110s 23:52:17.391270201 O: > wqWY48Kt6hv2/N/ebQzKRe79+D0t2cTh92hT7xENFLIBAkEBGnoGKFjAUkJCwO1V
110s 23:52:17.392330273 O: > mzpUqMHpRZVOrqP9hUmPjzNJ5oBPFGe4+h1hoSRFOAzaNuZt8ssbqaLCkzB8bfzj
110s 23:52:17.393367700 O: > qhZqAQJBANZekuUpp8iBLeLSagw5FkcPwPzq6zfExbhvsZXb8Bo/4SflNs4JHXwI
110s 23:52:17.394332829 O: > 7SD9Z8aJLvM4uQ/5M70lblDMQ40i3o0CQQDIJvBYBFL5tlOgakq/O7yi+wt0L5BZ
110s 23:52:17.395304658 O: > 9H79w5rCSAA0IHRoK/qI1urHiHC3f3vbbLk5UStfrqEaND/mm0shyNIBAkBLsYdC
110s 23:52:17.396262556 O: > /ctt5Bc0wUGK4Vl5bBmj9LtrrMJ4FpBpLwj/69BwCuKoK9XKZ0h73p6XHveCEGRg
110s 23:52:17.397222327 O: > PIlFX4MtaoLrwgU9AkBV2k4dgIws+X8YX65EsyyFjnlDqX4x0nSOjQB1msIKfHBr
110s 23:52:17.398164111 O: > dh5XLDBTTCxnKhMJ0Yx/opgOvf09XHBFwaQntR5i
110s 23:52:17.399194548 O: > -----END RSA PRIVATE KEY-----
110s 23:52:17.400163843 O: make: Leaving directory '/tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress'
110s 23:52:17.401643124 I: Finished with exitcode 2
110s Removed '/etc/systemd/system/sysinit.target.wants/haveged.service'.
110s autopkgtest [23:52:18]: test regress: -----------------------]
111s autopkgtest [23:52:19]: test regress: - - - - - - - - - - results - - - - - - - - - -
---
Within that output, the suspicious line is:
110s 23:52:17.384791545 E: ssh-keygen:
/tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv:
Permission denied
When I inspect manually, I see apparmor denials like:
[76837.528975] audit: type=1400 audit(1752008293.137:4008):
apparmor="DENIED" operation="open" class="file" namespace="root//lxd-
autopkgtest-lxd-fmqpgo_<var-snap-lxd-common-lxd>" profile="ssh-keygen"
name="/tmp/autopkgtest.KgCYRO/autopkgtest_tmp/regress/rsa_ssh2.prv"
pid=560774 comm="ssh-keygen" requested_mask="r" denied_mask="r"
fsuid=1000000 ouid=1001000
The recent apparmor upload (4.1.1-0ubuntu3) in questing introduced
apparmor.d/ssh-keygen via
debian/patches/ubuntu/ssh_keygen_mr_1519.patch.
[1] https://autopkgtest.ubuntu.com/packages/openssh/questing/amd64
[2] https://autopkgtest.ubuntu.com/results/autopkgtest-questing/questing/amd64/o/openssh/20250708_000329_951ff@/log.gz
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2116288/+subscriptions
References
