Bug 746290
| Field | Value |
|---|---|
| Summary | ssh-keygen should default to ~/.ssh not to the current directory |
| Product | Fedora |
| Component | openssh |
| Version | rawhide |
| Status | CLOSED CURRENTRELEASE |
| Severity | low |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Target Milestone | --- |
| Target Release | --- |
| Reporter | Matěj Cepl <mcepl> |
| Assignee | Petr Lautrbach <plautrba> |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| CC | dwalsh, mattias.ellert, mcepl, mgrepl, rvokal, tmraz |
| Keywords | FutureFeature, Triaged |
| Doc Type | Enhancement |
| Clones | 746961 (view as bug list) |
| Bug Blocks | 746961 |
| Last Closed | 2012-11-05 13:08:06 UTC |
Description
Matěj Cepl
2011-10-14 16:44:47 UTC
We could fix the SELinux, but this could be a problem from a security point of view, since the ~/.ssh directory tends to be a protected directory. I think if the user specifies a file without a path it should default to ~/.ssh.

I think SELinux should allow ssh-keygen writing anywhere. Basically ssh-keygen is a simple admin/user-called local tool, not connecting anywhere, and it should be unconfined.

As for it defaulting to the .ssh directory: this should be changed upstream first.

We might want to think about removing a transition to ssh-keygen at all, since we have file name transitions now, so the .ssh dir will be created with the correct label. Matej, chcon -t bin_t `which ssh-keygen` should work.

Yes, Miroslav, I agree.

Yes, in Rawhide we want to remove the transition from user roles.

Removed transition in selinux-policy-3.10.0-41.fc16

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

$ id -Z
staff_u:staff_r:staff_t:s0
$ mkdir tmp
$ cd tmp/
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/staff/.ssh/id_rsa): id_fedora_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_fedora_rsa.
Your public key has been saved in id_fedora_rsa.pub.
The key fingerprint is:
4e:ba:ef:fd:de:60:07:ad:b6:2b:6c:22:c3:d2:9f:df staff@f16-openssh
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|        .        |
|        S . .    |
|       + o       |
|     o. .. = .   |
|    . =..o++ =   |
|     ..*=+o+E..  |
+-----------------+
$ ls -lZ
-rw-------. staff staff staff_u:object_r:user_home_t:s0 id_fedora_rsa
-rw-r--r--. staff staff staff_u:object_r:user_home_t:s0 id_fedora_rsa.pub
$ ssh-copy-id -i id_fedora_rsa localhost
staff@localhost's password:
Now try logging into the machine, with "ssh 'localhost'", and check in:

  ~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

$ ssh -i id_fedora_rsa localhost
staff@localhost's password:
$ exit
$ chcon -t ssh_home_t id_fedora_rsa
$ ssh -i id_fedora_rsa localhost
Last login: Mon Nov  5 14:02:13 2012 from localhost
$ rpm -q openssh selinux-policy
openssh-5.8p2-25.fc16.x86_64
selinux-policy-3.10.0-91.fc16.noarch
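An added example, not code from this bug, from OpenSSH or from Fedora: a small POSIX sh wrapper that does what the report asks for (a bare filename lands in ~/.ssh instead of the current directory) and then runs restorecon on the new files, so on an SELinux host they pick up ssh_home_t from the policy's file-context rules for ~/.ssh rather than needing the manual chcon shown in the verification session above. The function names, the selinux_type helper and the use of GNU stat's %C format are this example's own choices; a key generated in $PWD would keep user_home_t and ssh would silently fall back to a password, exactly as the session shows.

```shell
#!/bin/sh
# Added example (not from the bug, OpenSSH or Fedora): keep ssh-keygen output
# out of the current directory and make sure it ends up labelled ssh_home_t.

# Resolve the key filename the way the report proposes: a name with no '/'
# goes into ~/.ssh; anything that already carries a directory is used as given.
resolve_key_path() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s/.ssh/%s\n' "$HOME" "$1" ;;
    esac
}

# SELinux type of a file, e.g. "ssh_home_t". Prints nothing when there is no
# context to report (GNU stat prints "?" then; non-GNU stat has no -c at all).
selinux_type() {
    ctx=$(stat -c '%C' "$1" 2>/dev/null) || return 0
    case "$ctx" in
        *:*:*:*)
            t=${ctx#*:*:}          # drop user and role: "user_home_t:s0"
            printf '%s\n' "${t%%:*}" ;;
        *) ;;
    esac
}

# Generate a key pair under ~/.ssh.
# Usage: keygen_in_ssh_dir NAME [ssh-keygen options...]
#   e.g. keygen_in_ssh_dir id_fedora_rsa -t rsa -b 4096
keygen_in_ssh_dir() {
    name=$1; shift
    keyfile=$(resolve_key_path "$name")
    keydir=$(dirname "$keyfile")
    # Create ~/.ssh with 0700, the mode sshd's StrictModes expects.
    mkdir -p -m 0700 "$keydir" || return 1
    ssh-keygen -f "$keyfile" "$@" || return 1
    # On an SELinux host, re-apply the file-context rules: under ~/.ssh the
    # policy maps the files to ssh_home_t, which is what ssh_t is allowed to
    # read. Without this (or the chcon from the bug) the key is unusable.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -v "$keyfile" "$keyfile.pub"
    fi
    printf '%s (label: %s)\n' "$keyfile" "$(selinux_type "$keyfile")"
}

# Run as a script: ./keygen_in_ssh_dir.sh NAME [ssh-keygen options...]
if [ "$#" -gt 0 ]; then
    keygen_in_ssh_dir "$@"
fi
```

restorecon only helps because the policy has a file-context entry for HOME_DIR/.ssh; that is the whole reason the report wants the default location to be ~/.ssh and not the working directory, where no such rule applies.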