From 2a36fb3121958dd0cc6c9297f9274f4edf4d8902 Mon Sep 17 00:00:00 2001
From: doublez13 <zakraise@eng.utah.edu>
Date: Fri, 12 Sep 2025 10:26:41 -0600
Subject: [PATCH] ssh-keygen: allow execution of ssh-sk-helper

The ssh-sk-helper  profile was added last year but never hooked into the ssh-keygen profile.

This is needed for generating SSH keys that live on a yubikey.
---
 apparmor.d/groups/ssh/ssh-keygen | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen
index 1b6dd5e98..738268b0a 100644
--- a/apparmor.d/groups/ssh/ssh-keygen
+++ b/apparmor.d/groups/ssh/ssh-keygen
@@ -15,6 +15,8 @@ profile ssh-keygen @{exec_path} {
 
   @{exec_path} mr,
 
+  @{lib}/{,ssh/}ssh-sk-helper rPx -> ssh-sk-helper,
+
   /etc/ssh/moduli rw,
   /etc/ssh/ssh_host_*_key* rw,