Well, I tried that, and hit more denials. Now, I see this failure:

ubuntu@autopkgtest-lxd-gwqngf:/tmp/autopkgtest.Wtxjyv/build.Qxe/src$ ssh-keygen -q -N '' -t [email protected]
start_helper: execlp: Permission denied
ssh_msg_recv: read header: Connection reset by peer
client_converse: receive: unexpected internal error
reap_helper: helper exited with non-zero exit status
Key enrollment failed: unexpected internal error

With the corresponding denial:

[Thu Jul 10 10:41:27 2025] audit: type=1400 audit(1752158494.542:8144): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-autopkgtest-lxd-gwqngf_<var-snap-lxd-common-lxd>" profile="ssh-keygen" name="/usr/lib/openssh/ssh-sk-helper" pid=720197 comm="ssh-keygen" requested_mask="x" denied_mask="x" fsuid=1001000 ouid=1000000

After the profile is adjusted for that, there are more denials when the
helper binary wants to read /sys/{bus,class}/.

So, the AppArmor profile does need adjustment to allow ssh-keygen to
execute the helper binaries.

** Changed in: apparmor (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2116288

Title:
  apparmor ssh-keygen profile causes regressions in openssh testsuite

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2116288/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
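
An added example, not part of the original message and not code from the AppArmor or OpenSSH projects: a small parser that turns apparmor="DENIED" audit records like the one quoted in the report into candidate file rules grouped by profile. The `ix` exec mode and the second sample record are assumptions; which transition mode the real profile should use is a policy decision the log cannot make.

```python
import re

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key in ("name", "comm") and HEX.fullmatch(raw):
            # The audit subsystem hex-encodes strings containing spaces or
            # control bytes and drops the quotes.
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields if fields.get("apparmor") == "DENIED" else None

def candidate_rule(fields, exec_mode="ix"):
    """Build a file rule from name and denied_mask (exec_mode is assumed)."""
    mask = fields["denied_mask"]
    if "x" in mask:
        perms = exec_mode  # ix, Px or Cx: chosen by the profile author
    else:
        # Create (c) and delete (d) denials are granted by w in profile syntax.
        perms = "".join(dict.fromkeys("w" if c in "cd" else c for c in mask))
    return f'{fields["name"]} {perms},'

def rules_by_profile(lines, exec_mode="ix"):
    """Group de-duplicated candidate rules under the profile that denied them."""
    out = {}
    for fields in filter(None, map(parse_denial, lines)):
        rules = out.setdefault(fields["profile"], [])
        rule = candidate_rule(fields, exec_mode)
        if rule not in rules:
            rules.append(rule)
    return out

SAMPLE = [
    # Shortened copy of the denial in the report (namespace and ids omitted).
    'audit: type=1400 apparmor="DENIED" operation="exec" class="file" '
    'profile="ssh-keygen" name="/usr/lib/openssh/ssh-sk-helper" '
    'comm="ssh-keygen" requested_mask="x" denied_mask="x"',
    # Constructed: a /sys read of the kind the report mentions, details assumed.
    'audit: type=1400 apparmor="DENIED" operation="open" class="file" '
    'profile="ssh-keygen" name="/sys/bus/" comm="ssh-sk-helper" '
    'requested_mask="r" denied_mask="r"',
]
```

Calling `rules_by_profile(SAMPLE)` returns the candidate rules for the `ssh-keygen` profile; each one still needs review before it goes into a profile.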
