
Bug#1070725: marked as done (ssh-agent: take flock on socket file/dir in /tmp)



Your message dated Thu, 16 May 2024 11:04:01 +0000
with message-id <E1s7Yu1-001DzI-Bv@fasolo.debian.org>
and subject line Bug#1070725: fixed in openssh 1:9.7p1-5
has caused the Debian Bug report #1070725,
regarding ssh-agent: take flock on socket file/dir in /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1070725: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070725
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Severity: important

Hi,

The default tmpfiles.d/tmp.conf will soon start cleaning up /tmp/ once
a day, automatically deleting files older than 10 days
(ctime/mtime/atime are all taken into account).

In order to avoid the ssh auth socket in /tmp being deleted while
in use (e.g.: long term session), please patch ssh-agent to take a
flock(2) on the /tmp/ssh-xxx directory while it's running, as per
documentation:

https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html#Age

Aside from this, it would be better to switch the location to
XDG_RUNTIME_DIR (/run/user/UID), as that's more appropriate for per-
user-session ephemeral state. The ssh agent provided by gnupg already
switched some time ago:

SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh

-- 
Kind regards,
Luca Boccassi


--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:9.7p1-5
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1070725@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 16 May 2024 11:16:30 +0100
Source: openssh
Architecture: source
Version: 1:9.7p1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1069706 1070725
Changes:
 openssh (1:9.7p1-5) unstable; urgency=medium
 .
   [ Colin Watson ]
   * Add "After=nss-user-lookup.target" to ssh.service and sshd@.service
     (closes: #1069706).
   * Avoid cleanup of /tmp/sshauth.*, created by sshd if ExposeAuthInfo is
     set.
 .
   [ Andreas Hasenack ]
   * Add autopkgtests for GSSAPI logins, including gssapi-keyex.
 .
   [ Luca Boccassi ]
   * Install tmpfiles.d to avoid cleanup of ssh-agent socket in /tmp/
     (closes: #1070725).
   * Only set PAM_RHOST if the remote host is not "UNKNOWN" (thanks, Daan De
     Meyer).
Checksums-Sha1:
 be24ffe4f8a0d8d689f1f8fc2ea336f0b2db14ee 3313 openssh_9.7p1-5.dsc
 7e34d48c8d3c3832d83d8df68db26f86d3b61303 193864 openssh_9.7p1-5.debian.tar.xz
Checksums-Sha256:
 87dce7f64803d2586880b8099b4a4fea47482229fe2aae7293784ed92cf35cc2 3313 openssh_9.7p1-5.dsc
 7b5b464c12ae0a54cd77c211d7accf06d3059186fc3a1e116af82c91becc511e 193864 openssh_9.7p1-5.debian.tar.xz
Files:
 057106f0a6a447ac6fd04556ad6e93ec 3313 net standard openssh_9.7p1-5.dsc
 d4a2766632fe52649823872860802154 193864 net standard openssh_9.7p1-5.debian.tar.xz


--- End Message ---
