I don't speak AppArmor very well, but I think it's just not happy about ssh-keygen reading files outside of ~/.ssh.
For autopkgtest purposes, I guess it's fine if the regress testsuite puts testdata in $HOME instead. ** Tags added: dcr-incoming -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2116288 Title: apparmor ssh-keygen profile causes regressions in openssh testsuite Status in apparmor package in Ubuntu: New Status in openssh package in Ubuntu: Confirmed Bug description: The openssh autopkgtests started failing recently for the current version of openssh. See the history[1], which indicates the last passing test was 2025-07-04, and all tests since 2025-07-08 are failing. The failure[2] is: 109s autopkgtest [23:52:17]: test regress: [----------------------- 110s I: annotate-output 2.25.15 110s I: prefix='%H:%M:%S.%N ' 110s 23:52:17.339507092 I: Started /usr/lib/openssh/regress/run-tests /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user 110s 23:52:17.367398624 O: make: Entering directory '/tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress' 110s 23:52:17.368474509 O: test "x" = "x" || mkdir -p /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/valgrind-out 110s 23:52:17.369514811 E: + /usr/bin/ssh -Q key 110s 23:52:17.370553020 E: + grep -q ^ssh-rsa 110s 23:52:17.369683454 O: set -xe ; if /usr/bin/ssh -Q key | grep -q "^ssh-rsa" ; then \ 110s 23:52:17.373395617 O: ssh-keygen -if /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv | diff - /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_openssh.prv ; \ 110s 23:52:17.374426134 O: tr '\n' '\r' </tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv > /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2_cr.prv ; \ 110s 23:52:17.375462820 O: ssh-keygen -if /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2_cr.prv | diff - /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_openssh.prv ; \ 110s 23:52:17.376450183 O: awk '{print $0 "\r"}' /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv > /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2_crnl.prv ; \ 110s 23:52:17.377436163 O: ssh-keygen -if /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2_crnl.prv | diff - /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_openssh.prv ; \ 110s 23:52:17.378310906 O: fi 110s 23:52:17.380987745 E: + ssh-keygen -if /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv 110s 23:52:17.382943130 E: + diff - /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_openssh.prv 110s 23:52:17.383460517 O: 0a1,15 110s 23:52:17.384437353 O: > -----BEGIN RSA PRIVATE KEY----- 110s 23:52:17.384791545 E: ssh-keygen: /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv: Permission denied 110s 23:52:17.385666749 O: > MIICWgIBAAKBgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazGu0OhBU3Uko 110s 23:52:17.385822343 E: make: *** [Makefile:161: t1] Error 1 110s 23:52:17.386874993 O: > +dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX87xKR0YzlXTLX+SLtF/ySebS3 110s 23:52:17.388006231 O: > xWPrlfRUDhh03hR5V+8xxvvy9widPYKw/oItwGSueOsEq1LTczCDv2dAjQIDAQAB 110s 23:52:17.389133634 O: > An8nH5VzvHkMbSqJ6eOYDsVwomRvYbH5IEaYl1x6VATITNvAu9kUdQ4NsSpuMc+7 110s 23:52:17.390169559 O: > Jj9gKZvmO1y2YCKc0P/iO+i/eV0L+yQh1Rw18jQZll+12T+LZrKRav03YNvMx0gN 110s 23:52:17.391270201 O: > wqWY48Kt6hv2/N/ebQzKRe79+D0t2cTh92hT7xENFLIBAkEBGnoGKFjAUkJCwO1V 110s 23:52:17.392330273 O: > mzpUqMHpRZVOrqP9hUmPjzNJ5oBPFGe4+h1hoSRFOAzaNuZt8ssbqaLCkzB8bfzj 110s 23:52:17.393367700 O: > qhZqAQJBANZekuUpp8iBLeLSagw5FkcPwPzq6zfExbhvsZXb8Bo/4SflNs4JHXwI 110s 23:52:17.394332829 O: > 7SD9Z8aJLvM4uQ/5M70lblDMQ40i3o0CQQDIJvBYBFL5tlOgakq/O7yi+wt0L5BZ 110s 23:52:17.395304658 O: > 9H79w5rCSAA0IHRoK/qI1urHiHC3f3vbbLk5UStfrqEaND/mm0shyNIBAkBLsYdC 110s 23:52:17.396262556 O: > /ctt5Bc0wUGK4Vl5bBmj9LtrrMJ4FpBpLwj/69BwCuKoK9XKZ0h73p6XHveCEGRg 110s 23:52:17.397222327 O: > PIlFX4MtaoLrwgU9AkBV2k4dgIws+X8YX65EsyyFjnlDqX4x0nSOjQB1msIKfHBr 110s 23:52:17.398164111 O: > dh5XLDBTTCxnKhMJ0Yx/opgOvf09XHBFwaQntR5i 110s 23:52:17.399194548 O: > -----END RSA PRIVATE KEY----- 110s 23:52:17.400163843 O: make: Leaving directory '/tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress' 110s 23:52:17.401643124 I: Finished with exitcode 2 110s Removed '/etc/systemd/system/sysinit.target.wants/haveged.service'. 110s autopkgtest [23:52:18]: test regress: -----------------------] 111s autopkgtest [23:52:19]: test regress: - - - - - - - - - - results - - - - - - - - - - --- Within that output, the suspicious line is: 110s 23:52:17.384791545 E: ssh-keygen: /tmp/autopkgtest.ZScCck/autopkgtest_tmp/user/regress/rsa_ssh2.prv: Permission denied When I inspect manually, I see apparmor denials like: [76837.528975] audit: type=1400 audit(1752008293.137:4008): apparmor="DENIED" operation="open" class="file" namespace="root//lxd- autopkgtest-lxd-fmqpgo_<var-snap-lxd-common-lxd>" profile="ssh-keygen" name="/tmp/autopkgtest.KgCYRO/autopkgtest_tmp/regress/rsa_ssh2.prv" pid=560774 comm="ssh-keygen" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1001000 The recent apparmor upload (4.1.1-0ubuntu3) in questing introduced apparmor.d/ssh-keygen via debian/patches/ubuntu/ssh_keygen_mr_1519.patch. [1] https://autopkgtest.ubuntu.com/packages/openssh/questing/amd64 [2] https://autopkgtest.ubuntu.com/results/autopkgtest-questing/questing/amd64/o/openssh/20250708_000329_951ff@/log.gz To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2116288/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
