Bug 746290
| Summary: | ssh-keygen should default to ~/.ssh not to the current directory | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matěj Cepl <mcepl> |
| Component: | openssh | Assignee: | Petr Lautrbach <plautrba> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | dwalsh, mattias.ellert, mcepl, mgrepl, rvokal, tmraz |
| Target Milestone: | --- | Keywords: | FutureFeature, Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 746961 (view as bug list) | Environment: | |
| Last Closed: | 2012-11-05 13:08:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 746961 | | |
Description
Matěj Cepl
2011-10-14 16:44:47 UTC
We could fix the SELinux but this could be a problem from a security point of view, since the ~/.ssh directory tends to be a protected directory. I think if the user specifies a file without a path it should default to ~/.ssh.

I think SELinux should allow ssh-keygen writing anywhere. Basically ssh-keygen is a simple admin/user called local tool, not connecting anywhere, and it should be unconfined. As for it defaulting to .ssh directory - this should be changed upstream first.

We might want to think about removing a transition to ssh-keygen at all since we have file name transition now so .ssh dir will create with the correct label. Matej, chcon -t bin_t `which ssh-keygen` should work.

Yes, Miroslav, I agree. Yes in Rawhide we want to remove transition from user roles.

Removed transition in selinux-policy-3.10.0-41.fc16

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

```
$ id -Z
staff_u:staff_r:staff_t:s0
$ mkdir tmp
$ cd tmp/
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/staff/.ssh/id_rsa): id_fedora_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_fedora_rsa.
Your public key has been saved in id_fedora_rsa.pub.
The key fingerprint is:
4e:ba:ef:fd:de:60:07:ad:b6:2b:6c:22:c3:d2:9f:df staff@f16-openssh
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|        .        |
|        S .   .  |
|         + o     |
|        o. .. = .|
|       . =..o++ =|
|        ..*=+o+E..|
+-----------------+
$ ls -lZ
-rw-------. staff staff staff_u:object_r:user_home_t:s0 id_fedora_rsa
-rw-r--r--. staff staff staff_u:object_r:user_home_t:s0 id_fedora_rsa.pub
$ ssh-copy-id -i id_fedora_rsa localhost
staff@localhost's password:
Now try logging into the machine, with "ssh 'localhost'", and check in:

  ~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

$ ssh -i id_fedora_rsa localhost
staff@localhost's password:
$ exit
$ chcon -t ssh_home_t id_fedora_rsa
$ ssh -i id_fedora_rsa localhost
Last login: Mon Nov 5 14:02:13 2012 from localhost
$ rpm -q openssh selinux-policy
openssh-5.8p2-25.fc16.x86_64
selinux-policy-3.10.0-91.fc16.noarch
```
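The session above shows the practical consequence of the bug: a key written outside ~/.ssh gets the user_home_t type, and ssh only accepted it after `chcon -t ssh_home_t`. The following is an added example, not part of the bug report or of the openssh or selinux-policy packages: a small audit script that parses `ls -lZ`-style lines in the shape shown in the report (mode, owner, group, context, name; no size or date columns), flags key files whose SELinux type is not ssh_home_t, and emits the same `chcon` fix the thread used. The sample lines and the `id_*`/`.pub` naming heuristic are constructed assumptions.

```python
"""Audit SELinux labels on SSH key files from `ls -lZ` output.

Added example, not code from the bug report. Input lines are assumed to
have the shape seen in the report (constructed sample below):

    -rw-------. staff staff staff_u:object_r:user_home_t:s0 id_fedora_rsa
"""
import re

EXPECTED_TYPE = "ssh_home_t"  # type sshd/ssh_t is allowed to read keys from

# mode, owner, group, context (user:role:type:range), name
_LS_Z_RE = re.compile(
    r"^(?P<mode>\S+)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<ctx>[^:\s]+:[^:\s]+:(?P<type>[^:\s]+):\S*)\s+(?P<name>.+)$"
)


def parse_ls_z(line):
    """Return a dict with mode/owner/group/ctx/type/name, or None if the
    line is not an `ls -Z` file entry (e.g. a 'total' line)."""
    m = _LS_Z_RE.match(line.strip())
    return m.groupdict() if m else None


def looks_like_key(name):
    """Heuristic (assumption): key material is named id_* or ends in .pub."""
    base = name.rsplit("/", 1)[-1]
    return base.startswith("id_") or base.endswith(".pub")


def find_mislabeled(lines, expected=EXPECTED_TYPE):
    """Return (name, actual_type) for key files whose type != expected."""
    out = []
    for line in lines:
        entry = parse_ls_z(line)
        if entry is None or not looks_like_key(entry["name"]):
            continue
        if entry["type"] != expected:
            out.append((entry["name"], entry["type"]))
    return out


def chcon_commands(mislabeled, expected=EXPECTED_TYPE):
    """Build the relabel commands the thread used for each mislabeled file."""
    return [f"chcon -t {expected} {name}" for name, _ in mislabeled]


# Constructed sample: the two files from the report, one correctly labelled
# key, and one non-key file that must be ignored.
SAMPLE = [
    "-rw-------. staff staff staff_u:object_r:user_home_t:s0 id_fedora_rsa",
    "-rw-r--r--. staff staff staff_u:object_r:user_home_t:s0 id_fedora_rsa.pub",
    "-rw-------. staff staff staff_u:object_r:ssh_home_t:s0 id_rsa",
    "-rw-r--r--. staff staff staff_u:object_r:user_home_t:s0 notes.txt",
]

if __name__ == "__main__":
    bad = find_mislabeled(SAMPLE)
    for name, actual in bad:
        print(f"{name}: type {actual}, expected {EXPECTED_TYPE}")
    for cmd in chcon_commands(bad):
        print(cmd)
```

Note that `chcon` only changes the label on the inode; a filesystem relabel (`restorecon`) reapplies the policy's file contexts, which assign ssh_home_t only under ~/.ssh, so a key left in another directory would revert to user_home_t. Moving the key into ~/.ssh and running `restorecon` on it is the persistent fix.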