
Bug#642012: x11-common: ssh-agent Xsession script does not check if gpg-agent will enable SSH support



Hi there!

On Sun, 18 Sep 2011 17:05:37 +0200, Julien Cristau wrote:
> On Sun, Sep 18, 2011 at 16:53:13 +0200, Luca Capello wrote:
>
>> --8<---------------cut here---------------start------------->8---
[patch]
>> --8<---------------cut here---------------end--------------->8---
>> 
> NAK, as far as I'm concerned this script has no business looking around
> in gpg.conf.

This leaves the bug open: I would be glad to explore other solutions,
but AFAIK without checking gpg.conf and gpg-agent.conf there is no way
to know *beforehand* 1) if gpg-agent will run and 2) if the latter will
provide SSH support.

Please note that until now ssh-agent is *never* started if gpg-agent has
been started at least once with SSH support, for the following reasons
(and this is another bug, no matter what):

1) 90gpg-agent is sourced before 90x11-common_ssh-agent
2) gpg-agent does not remove its "PID" file when exiting, see #642021
3) 90gpg-agent sources the "PID" file above, which means that
   SSH_AUTH_SOCK is defined *before* any gpg-agent is started at all
4) 90x11-common_ssh-agent starts ssh-agent only if SSH_AUTH_SOCK is
   empty, which is not the case as per point 3

Here is the patch to test the behavior above:

--8<---------------cut here---------------start------------->8---
--- 90x11-common_ssh-agent.ORG
+++ 90x11-common_ssh-agent
@@ -14,6 +14,11 @@
       # use ssh-agent2's ssh-agent1 compatibility mode
       SSHAGENTARGS=-1
     fi
+  else
+    cat <<EOF >>"$HOME"/.xsession-errors
+/etc/X11/Xsession.d/90x11-common_ssh-agent: SSH_AUTH_SOCK='$SSH_AUTH_SOCK'
+/etc/X11/Xsession.d/90x11-common_ssh-agent: not starting ssh-agent
+EOF
   fi
 fi
 
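Review bot: the message written in the new `else` branch prints only the value of SSH_AUTH_SOCK, so the log cannot tell a socket that exists from a leftover path; including the result of a `[ -S "$SSH_AUTH_SOCK" ]` test in the message would show that directly. The heredoc also appends to "$HOME"/.xsession-errors by a hard-coded path and repeats the script path on both lines; if the session's stderr already goes to that file, echoing to stderr avoids a second writer, and the script path could be held in one variable. The context lines do not show which `if` this `else` belongs to, so a one-line comment on the branch would help the reader.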
--8<---------------cut here---------------end--------------->8---

IMHO the real bug is to try to start ssh-agent in a system-wide fashion
via /etc/X11/Xsession.options, while this is (clearly) a user option.
This is also why I fear the new Xsession "use-gpg-agent" option at
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=412993#20>.  The fact
that ssh_config does not have any way to define that we want the agent
is probably the original cause of this bug.

Finally, may I ask why this file is not provided by openssh-client?  I
could not find any reference in the x11-common changelog.Debian nor
x11-common Recommends:/Suggests:/Enhances: openssh-client.

Thx, bye,
Gismo / Luca
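
The four-step sequence listed in the message above, reproduced as an added shell example (not part of the original message and not the code of the Debian Xsession scripts). The info file, its contents and all function names are constructed for illustration; it contrasts the "SSH_AUTH_SOCK is empty" check from step 4 with a check that the path is actually a socket.

```shell
#!/bin/sh
# Added example: every path and file content here is constructed.

# Steps 2-3: source a leftover agent info file, as the message says
# 90gpg-agent does, although no agent has been started in this session.
load_stale_info() {
    [ -r "$1" ] && . "$1"
}

# Step 4: the check described in the message, which starts ssh-agent
# only when SSH_AUTH_SOCK is empty.
empty_check_starts_agent() {
    [ -z "${SSH_AUTH_SOCK:-}" ]
}

# Stricter classification of SSH_AUTH_SOCK. "socket" only means a socket
# file exists at that path, not that an agent answers on it.
sock_state() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo unset
    elif [ -S "$SSH_AUTH_SOCK" ]; then
        echo socket
    else
        echo stale
    fi
}

# Runs the sequence and reports: state before, state after, step-4 decision.
demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed leftover file from an earlier session; the socket is gone.
    printf "SSH_AUTH_SOCK='%s/S.gpg-agent.ssh'; export SSH_AUTH_SOCK\n" "$tmp" \
        > "$tmp/agent-info"
    unset SSH_AUTH_SOCK
    before=$(sock_state)
    load_stale_info "$tmp/agent-info"
    after=$(sock_state)
    if empty_check_starts_agent; then decision=start; else decision=skip; fi
    rm -rf "$tmp"
    echo "$before $after $decision"
}

( demo )   # subshell so the caller's SSH_AUTH_SOCK is left untouched
```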
