
Bug#1103037: marked as done (openssh-client: ssh-agent: Improve systemd user service socket activation)



Your message dated Tue, 15 Apr 2025 13:34:34 +0000
with message-id <E1u4gQs-008Gac-T5@fasolo.debian.org>
and subject line Bug#1103037: fixed in openssh 1:10.0p1-2
has caused the Debian Bug report #1103037,
regarding openssh-client: ssh-agent: Improve systemd user service socket activation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1103037: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103037
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:10.0p1-1
Severity: normal
Tags: patch

Since OpenSSH 10.0, ssh-agent now has nice, simple support for
systemd-style user service socket activation.

The attached patch updates Debian's ssh user services to make the agent
socket-activated with basically no overhead.  For a systemd session that
doesn't use the agent at all, no agent will be launched.

With this change, it seems like it might also be possible to
drop/discard /usr/lib/openssh/agent-launch as well.

This is related to #1039919 -- if you prefer to merge it in with that,
that's fine.  Or, you could close #1039919 as resolved with 10.0p1 (the
moral equivalent of the upstream patch has been merged), and leave this
one open as it just adjusts the way that the agent is integrated into
the user session.

Thanks for maintaining OpenSSH in Debian!

    --dkg

-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.21-amd64 (SMP w/20 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser              3.150
ii  init-system-helpers  1.68
ii  libc6                2.41-6
ii  libedit2             3.1-20250104-1
ii  libfido2-1           1.15.0-1+b1
ii  libgssapi-krb5-2     1.21.3-5
ii  libselinux1          3.8.1-1
ii  libssl3t64           3.5.0-1
ii  passwd               1:4.17.4-1
ii  zlib1g               1:1.3.dfsg+really1.3.1-1+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.1.2-1.1

Versions of packages openssh-client suggests:
pn  keychain                         <none>
pn  libpam-ssh                       <none>
pn  monkeysphere                     <none>
ii  ssh-askpass-gnome [ssh-askpass]  1:9.9p2-2

-- no debconf information

diff --git a/debian/openssh-client.install b/debian/openssh-client.install
index 96c8deae7..2a33dc93b 100755
--- a/debian/openssh-client.install
+++ b/debian/openssh-client.install
@@ -34,3 +34,4 @@ debian/openssh-client.apport => usr/share/apport/package-hooks/openssh-client.py
 
 # systemd user unit (only used under sessions)
 debian/systemd/ssh-agent.service usr/lib/systemd/user
+debian/systemd/ssh-agent.socket usr/lib/systemd/user
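
Review bot: the added `debian/systemd/ssh-agent.socket usr/lib/systemd/user` line only ships the unit; nothing visible in this patch enables it. Since the new unit declares `WantedBy=sockets.target`, confirm that the packaging enables it for user sessions on install and on upgrade, otherwise nothing listens on %t/openssh_agent and the agent is never started. The report also suggests that /usr/lib/openssh/agent-launch could be dropped; if that happens, whichever packaging file installs it should be updated in the same change.
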
diff --git a/debian/systemd/ssh-agent.service b/debian/systemd/ssh-agent.service
index 68273bd75..72e0a3e46 100644
--- a/debian/systemd/ssh-agent.service
+++ b/debian/systemd/ssh-agent.service
@@ -1,17 +1,13 @@
 [Unit]
 Description=OpenSSH Agent
 Documentation=man:ssh-agent(1)
-Before=graphical-session-pre.target
-ConditionPathExists=/etc/X11/Xsession.options
-Wants=dbus.socket
-After=dbus.socket
 
 [Service]
+Environment=SSH_ASKPASS_REQUIRE=force
 # If you need to pass extra arguments to ssh-agent, you can use "systemctl
 # --user edit ssh-agent.service" to add a drop-in unit with contents along
 # these lines:
 #   [Service]
 #   ExecStart=
-#   ExecStart=/usr/lib/openssh/agent-launch start -- -t 1200
-ExecStart=/usr/lib/openssh/agent-launch start
-ExecStopPost=/usr/lib/openssh/agent-launch stop
+#   ExecStart=/usr/bin/ssh-agent -D -t 1200
+ExecStart=/usr/bin/ssh-agent -D
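
Review bot: `Environment=SSH_ASKPASS_REQUIRE=force` is added at the top of [Service] with no comment explaining it, while the comment block directly below documents only the ExecStart override. Add a line saying why askpass is forced for the agent (it runs under the user manager without a terminal), and note that a graphical askpass program needs the session's display variables in the manager environment to be able to prompt. Separately, the removed `ConditionPathExists=/etc/X11/Xsession.options` was the only gate in this unit, so the changelog should state that dropping it is intended, and a `Requires=ssh-agent.socket` in [Unit] would keep a direct `systemctl --user start ssh-agent.service` tied to the socket path that SSH_AUTH_SOCK advertises.
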
diff --git a/debian/systemd/ssh-agent.socket b/debian/systemd/ssh-agent.socket
new file mode 100644
index 000000000..9980c36f0
--- /dev/null
+++ b/debian/systemd/ssh-agent.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=OpenSSH Agent socket
+Documentation=man:ssh-agent(1)
+Before=graphical-session-pre.target
+
+[Socket]
+SocketMode=0600
+ListenStream=%t/openssh_agent
+ExecStartPost=/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/openssh_agent
+ExecStopPre=/usr/bin/systemctl --user unset-environment SSH_AUTH_SOCK
+
+[Install]
+WantedBy=sockets.target
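
Review bot: the `ExecStartPost` line sets SSH_AUTH_SOCK in the user manager's environment unconditionally and `ExecStopPre` unsets it unconditionally, so a value already placed there by another agent is overwritten on start and removed on stop. Either document how to opt out (disabling or masking ssh-agent.socket) or state in the unit that this socket is meant to own the variable. Note also that `set-environment` affects only units the user manager starts afterwards; the `Before=graphical-session-pre.target` ordering covers graphical sessions, but a shell not started by the user manager will not inherit the variable from this unit. `SocketMode=0600` under `%t` is the right restriction for an agent socket.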



--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:10.0p1-2
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1103037@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 15 Apr 2025 14:19:35 +0100
Source: openssh
Architecture: source
Version: 1:10.0p1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 961311 1039919 1072184 1095686 1103037
Changes:
 openssh (1:10.0p1-2) unstable; urgency=medium
 .
   [ Colin Watson ]
   * Disable --with-linux-memlock-onfault on riscv64.
   * Build with wtmpdb (see #1102643).
   * Stop writing /var/log/btmp, since nothing reads it any more (closes:
     #1072184).
   * Restore some rdomain references in sshd_config(5) where they're
     supported on Linux, referring to ip-vrf(8) (closes: #1095686).
 .
   [ Daniel Kahn Gillmor ]
   * Improve systemd user service socket activation (closes: #961311,
     #1039919, #1103037).
 .
   [ Luca Boccassi ]
   * Switch from adduser to sysusers.d.
   * Add sshd-keygen service.
Checksums-Sha1:
 f48045f3e303d1afc0cbe6ec5ebcaf6fb5c0dfbe 3500 openssh_10.0p1-2.dsc
 120a3fe008e5446deb087d17f448d7a040462fcf 198240 openssh_10.0p1-2.debian.tar.xz
Checksums-Sha256:
 e67c945e39cefe5d38f1dbd6d122ca2b17193e65788bf48c4d36f7c5b5f1c57c 3500 openssh_10.0p1-2.dsc
 9d08fe1de56fe63dbf1c17a4ecc79f3584b9f0d9690f4d709b0d3e3a812ef210 198240 openssh_10.0p1-2.debian.tar.xz
Files:
 3a158dd3d2cb1789012ad7371ae010b7 3500 net standard openssh_10.0p1-2.dsc
 b489588918c744d5ceb5e238a7825f85 198240 net standard openssh_10.0p1-2.debian.tar.xz



--- End Message ---
