Bug#642012: x11-common: ssh-agent Xsession script does not check if gpg-agent will enable SSH support
On Sun, Sep 18, 2011 at 21:51:21 +0200, Luca Capello wrote:
> Hi there!
>
> On Sun, 18 Sep 2011 17:05:37 +0200, Julien Cristau wrote:
> > On Sun, Sep 18, 2011 at 16:53:13 +0200, Luca Capello wrote:
> >
> >> --8<---------------cut here---------------start------------->8---
> [patch]
> >> --8<---------------cut here---------------end--------------->8---
> >>
> > NAK, as far as I'm concerned this script has no business looking around
> > in gpg.conf.
>
> This leaves the bug open: I would be glad to explore other solutions,
> but AFAIK without checking gpg.conf and gpg-agent.conf there is no way
> to know *beforehand* 1) if gpg-agent will run and 2) if the latter will
> provide SSH support.
>
> Please note that until now ssh-agent is *never* started if gpg-agent has
> been started at least once with SSH support, for the following reasons
> (and this is another bug, no matter what):
>
> 1) 90gpg-agent is sourced before 90x11-common_ssh-agent
> 2) gpg-agent does not remove its "PID" file when exiting, see #642021
Sounds like that should be fixed.
> 3) 90gpg-agent sources the "PID" file above, which means that
> SSH_AUTH_SOCK is defined *before* any gpg-agent is started at all
Shouldn't the "if ! $GPGAGENT 2>/dev/null; then" line in 90gpg-agent be
followed by unsetting the variables (and maybe removing the file) it
just read since it found out they don't work?
> 4) 90x11-common_ssh-agent starts ssh-agent only if SSH_AUTH_SOCK is
> empty, which is not the case as per point 3
>
> Here is the patch to test the behavior above:
>
> --8<---------------cut here---------------start------------->8---
> --- 90x11-common_ssh-agent.ORG
> +++ 90x11-common_ssh-agent
> @@ -14,6 +14,11 @@
> # use ssh-agent2's ssh-agent1 compatibility mode
> SSHAGENTARGS=-1
> fi
> + else
> + cat <<EOF >>"$HOME"/.xsession-errors
> +/etc/X11/Xsession.d/90x11-common_ssh-agent: SSH_AUTH_SOCK='$SSH_AUTH_SOCK'
> +/etc/X11/Xsession.d/90x11-common_ssh-agent: not starting ssh-agent
> +EOF
> fi
> fi
>
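Review bot: the added else branch reports the value of SSH_AUTH_SOCK but not whether that path is still a live socket, which is the question the thread is trying to answer; also recording the result of a `[ -S "$SSH_AUTH_SOCK" ]` test would separate a stale value from a running agent. The heredoc also hardcodes "$HOME"/.xsession-errors as its target and repeats the script path on both lines; writing the message to stderr and keeping the path in one variable would stay correct if the session logs elsewhere.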
> --8<---------------cut here---------------end--------------->8---
>
> IMHO the real bug is to try to start ssh-agent in a system-wide fashion
> via /etc/X11/Xsession.options, while this is (clearly) a user option.
> This is also why I fear the new Xsession "use-gpg-agent" option at
> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=412993#20>. The fact
> that ssh_config does not have any way to define that we want the agent
> is probably the original cause of this bug.
>
Can we switch the order so that 1) doesn't apply? And turn ssh-agent
into a no-op when it's started by gpg-agent with ssh support (assuming
it's not already)?
> Finally, may I ask why this file is not provided by openssh-client? I
> could not find any reference in the x11-common changelog.Debian nor
> x11-common Recommends:/Suggests:/Enhances: openssh-client.
>
The changelog suggests this was already in xfree86-common with the
initial xfree86 4.0 upload 11 years ago. I could go look for earlier
changelogs, but I guess "hysterical raisins" pretty much covers it?
Cheers,
Julien
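
The suggestion above (unset the variables, and maybe remove the file, once they are found not to work) sketched as an added example; it is not part of the original message and not code from either Xsession.d script. The function names, AGENT_INFO_STATE and the info file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the code of 90gpg-agent or 90x11-common_ssh-agent.
# Function names and the demo file contents are constructed.

# Succeeds only if SSH_AUTH_SOCK names an existing socket and, when
# SSH_AGENT_PID is set, that process can still be signalled.
agent_env_usable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    [ -S "$SSH_AUTH_SOCK" ] || return 1
    if [ -n "${SSH_AGENT_PID:-}" ]; then
        kill -0 "$SSH_AGENT_PID" 2>/dev/null || return 1
    fi
    return 0
}

# Source an agent info file; if what it defined is stale, unset the
# variables and remove the file. Result is left in AGENT_INFO_STATE.
load_agent_info() {
    info_file=$1
    if [ ! -r "$info_file" ]; then
        AGENT_INFO_STATE=missing
        return 0
    fi
    . "$info_file"
    if agent_env_usable; then
        AGENT_INFO_STATE=kept
    else
        unset SSH_AUTH_SOCK SSH_AGENT_PID GPG_AGENT_INFO
        rm -f "$info_file"
        AGENT_INFO_STATE=cleared
    fi
}

# Demo with a constructed leftover file pointing at a socket that is gone.
demo_dir=$(mktemp -d)
cat > "$demo_dir/agent-info" <<EOF
SSH_AUTH_SOCK='$demo_dir/S.gpg-agent.ssh'; export SSH_AUTH_SOCK
EOF
load_agent_info "$demo_dir/agent-info"
echo "state=$AGENT_INFO_STATE SSH_AUTH_SOCK='${SSH_AUTH_SOCK:-}'"
rm -rf "$demo_dir"
```

With the stale value cleared, a later script that starts ssh-agent only when SSH_AUTH_SOCK is empty sees it empty. The `kill -0` check can be fooled by PID reuse, so the socket test is the stronger of the two.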