Public bug reported:

When in enforcing mode, the profile for ssh-keygen in Resolute causes
problems deleting a key from the known-hosts file. As a result, I get:

$ ssh-keygen -f '/home/lengau/.ssh/known_hosts' -R 'maas' -vvv
debug3: hostkeys_foreach: reading file "/home/lengau/.ssh/known_hosts"
# Host maas found: line 37
link /home/lengau/.ssh/known_hosts to /home/lengau/.ssh/known_hosts.old: Permission denied

The specific audit event I get is:

[122017.862103] audit: type=1400 audit(1764126605.588:3919019):
apparmor="DENIED" operation="link" class="file" profile="ssh-keygen"
name="/home/lengau/.ssh/known_hosts.old" pid=770691 comm="ssh-keygen"
requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
target="/home/lengau/.ssh/known_hosts"

Adding this line to the ssh-keygen profile in the common SSH file
locations paragraph fixes it:

owner @{HOME}/.ssh/known_hosts.old rwl,

ProblemType: Bug
DistroRelease: Ubuntu 26.04
Package: apparmor 5.0.0~alpha1-0ubuntu9
ProcVersionSignature: Ubuntu 6.17.0-6.6-generic 6.17.1
Uname: Linux 6.17.0-6-generic x86_64
NonfreeKernelModules: zfs
ApportVersion: 2.33.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudID: none
CloudName: none
CloudPlatform: none
CloudSubPlatform: config
CurrentDesktop: KDE
Date: Tue Nov 25 21:59:57 2025
InstallationDate: Installed on 2025-01-15 (315 days ago)
InstallationMedia: Kubuntu 25.04 "Plucky Puffin" - Daily amd64 (20250114)
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-6.17.0-6-generic 
root=UUID=f89a59ee-12a6-4fa2-aafd-5e78f7047f3d ro quiet 
rd.luks.uuid=9a53f5b2-3923-4702-85b7-165a60e01a49 splash vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: Upgraded to resolute on 2025-11-09 (16 days ago)

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug resolute wayland-session

https://bugs.launchpad.net/bugs/2132953

Title:
  ssh-keygen apparmor profile causes issue when deleting a key
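
For triaging denials like the one in this report, this added example (not part of the original report or of AppArmor's own tooling) parses the audit record and derives the narrowest file rule covering the denied mask. The function names and the rewrite of /home/<user>/ to @{HOME}/ are assumptions of the example; for this event it yields `l` only, whereas the rule proposed in the report grants `rwl`.

```python
import re

# Audit record from the report above, rejoined onto one line.
SAMPLE = (
    '[122017.862103] audit: type=1400 audit(1764126605.588:3919019): '
    'apparmor="DENIED" operation="link" class="file" profile="ssh-keygen" '
    'name="/home/lengau/.ssh/known_hosts.old" pid=770691 comm="ssh-keygen" '
    'requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 '
    'target="/home/lengau/.ssh/known_hosts"'
)

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwalkmx"  # output order for permission letters


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    if fields.get("type") != "1400" or fields.get("apparmor") != "DENIED":
        return None
    return fields


def rule_perms(mask):
    """Map a denied_mask to profile permission letters.

    The log-only letters c (create) and d (delete) are covered by w in a rule.
    """
    letters = {"w" if ch in "cd" else ch for ch in mask}
    return "".join(ch for ch in PERM_ORDER if ch in letters)


def suggest_rule(fields):
    """Build the narrowest file rule covering the denied access."""
    # Assumption: paths under /home/<user>/ are generalised to @{HOME}/.
    path = re.sub(r"^/home/[^/]+/", "@{HOME}/", fields["name"])
    # 'owner' is only justified when the process fsuid owns the object.
    owned = "fsuid" in fields and fields["fsuid"] == fields.get("ouid")
    return "{}{} {},".format("owner " if owned else "", path,
                             rule_perms(fields["denied_mask"]))


if __name__ == "__main__":
    denial = parse_denial(SAMPLE)
    print("profile:", denial["profile"], "operation:", denial["operation"])
    print("link target:", denial["target"])
    print("candidate rule:", suggest_rule(denial))
```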
