Bug#828739: ssh-agent lost on nested ssh sessions
Hello, the next package 2.3+ds-4 fixes the issue. Thanks for your patience, Jerome On Mon, 13 Feb 2017 13:24:28 +0100 Harald Dunkel wrote: Hi Jerome, Any news on this problem? Apparently it is still unresolved for Stretch, even though this report was filed in time :-(. This problem is *highly* painful if you have to work a lot on remote sites. Currently I get less problems if I keep libpam-ssh uninstalled, which is surely not the idea behind this package. Would you mind to increase the severity and forward this report to upstream? Thanx very much Harri -- Jerome BENOIT | calculus+at-rezozer^dot*net https://qa.debian.org/developer.php?login=calcu...@rezozer.net AE28 AE15 710D FF1D 87E5 A762 3F92 19A6 7F36 C68B OpenPGP_signature Description: OpenPGP digital signature
Bug#828739: ssh-agent lost on nested ssh sessions
On Mon, 13 Feb 2017 13:24:28 +0100 Harald Dunkel wrote: Hello Harri, sorry for my late reply. I have just got a fresh look with bugreport #995452 < https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995452 > in mind. I can indeed reproduce your issue. However I cannot see the point to nested connection. Can you give me a practical usage ? Hi Jerome, Any news on this problem? Apparently it is still unresolved for Stretch, even though this report was filed in time :-(. This problem is *highly* painful if you have to work a lot on remote sites. Currently I get less problems if I keep libpam-ssh uninstalled, which is surely not the idea behind this package. Would you mind to increase the severity and forward this report to upstream? Upstream is actually dormant. Cheers, Jerome Thanx very much Harri -- Jerome BENOIT | calculus+at-rezozer^dot*net https://qa.debian.org/developer.php?login=calcu...@rezozer.net AE28 AE15 710D FF1D 87E5 A762 3F92 19A6 7F36 C68B OpenPGP_signature Description: OpenPGP digital signature
Bug#828739: ssh-agent lost on nested ssh sessions
Hi Jerome, Any news on this problem? Apparently it is still unresolved for Stretch, even though this report was filed in time :-(. This problem is *highly* painful if you have to work a lot on remote sites. Currently I get less problems if I keep libpam-ssh uninstalled, which is surely not the idea behind this package. Would you mind to increase the severity and forward this report to upstream? Thanx very much Harri
Bug#828739: ssh-agent lost on nested ssh sessions
Hi Jerome, On 06/27/16 18:27, Jerome BENOIT wrote: > > Was this issue present for former pam_ssh package ? > I have this problem for Jessie (libpam-ssh version 2.01-2) and Wheezy (version 1.92-15) as well. Regards Harri
Bug#828739: ssh-agent lost on nested ssh sessions
Hello Again, I am having a closer look. On 27/06/16 13:02, Harald Dunkel wrote: > Package: libpam-ssh > Version: 2.1+ds1-1 > > If I ssh to a host "unstable", run "ssh localhost" or > "ssh `hostname`", and exit the nested ssh session again, then > the ssh-agent started by pam_ssh at first login time is lost. Was this issue present for former pam_ssh package ? > Hard to explain. Sample session: > > % ssh harri@unstable > > % tty > /dev/pts/6 > > % ps -ef | grep ssh-agen[t] > harri 4824 1 0 13:39 ?00:00:00 ssh-agent > > % ssh localhost > > % tty > /dev/pts/7 > > % ps -ef | grep ssh-agen[t] > harri 4824 1 0 13:39 ?00:00:00 ssh-agent > > % exit > logout > Connection to localhost closed. > > % ps -ef | grep ssh-agen[t] > > % tty > /dev/pts/6 > > The result is that I get a ssh-agent just by chance, depending > upon the number of logins and the nesting level. > > Here is the pam configuration for ssh. > grep -v ^\# /etc/pam.d/common-auth : > > auth[success=1 default=ignore] pam_unix.so nullok_secure > authrequisite pam_deny.so > authrequiredpam_permit.so > authoptionalpam_ssh.so use_first_pass > authoptionalpam_cap.so > > grep -v ^\# /etc/pam.d/common-session : > > session [default=1] pam_permit.so > session requisite pam_deny.so > session requiredpam_permit.so > session requiredpam_unix.so > session optionalpam_ssh.so > session optionalpam_ck_connector.so nox11 > > egrep -v ^\#\|^\$ /etc/pam.d/sshd : > @include common-auth > accountrequired pam_nologin.so > @include common-account > session [success=ok ignore=ignore module_unknown=ignore default=bad] > pam_selinux.so close > sessionrequired pam_loginuid.so > sessionoptional pam_keyinit.so force revoke > @include common-session > sessionoptional pam_motd.so motd=/run/motd.dynamic > sessionoptional pam_motd.so noupdate > sessionoptional pam_mail.so standard noenv # [1] > sessionrequired pam_limits.so > sessionrequired pam_env.so # [1] > sessionrequired pam_env.so user_readenv=1 > envfile=/etc/default/locale > session [success=ok ignore=ignore module_unknown=ignore default=bad] > pam_selinux.so open > @include common-password > > > Regards > Harri >
Bug#828739: ssh-agent lost on nested ssh sessions
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Thanks for your report. Jerome On 27/06/16 13:02, Harald Dunkel wrote: > Package: libpam-ssh > Version: 2.1+ds1-1 > > If I ssh to a host "unstable", run "ssh localhost" or > "ssh `hostname`", and exit the nested ssh session again, then > the ssh-agent started by pam_ssh at first login time is lost. > Hard to explain. Sample session: > > % ssh harri@unstable > > % tty > /dev/pts/6 > > % ps -ef | grep ssh-agen[t] > harri 4824 1 0 13:39 ?00:00:00 ssh-agent > > % ssh localhost > > % tty > /dev/pts/7 > > % ps -ef | grep ssh-agen[t] > harri 4824 1 0 13:39 ?00:00:00 ssh-agent > > % exit > logout > Connection to localhost closed. > > % ps -ef | grep ssh-agen[t] > > % tty > /dev/pts/6 > > The result is that I get a ssh-agent just by chance, depending > upon the number of logins and the nesting level. > > Here is the pam configuration for ssh. > grep -v ^\# /etc/pam.d/common-auth : > > auth[success=1 default=ignore] pam_unix.so nullok_secure > authrequisite pam_deny.so > authrequiredpam_permit.so > authoptionalpam_ssh.so use_first_pass > authoptionalpam_cap.so > > grep -v ^\# /etc/pam.d/common-session : > > session [default=1] pam_permit.so > session requisite pam_deny.so > session requiredpam_permit.so > session requiredpam_unix.so > session optionalpam_ssh.so > session optionalpam_ck_connector.so nox11 > > egrep -v ^\#\|^\$ /etc/pam.d/sshd : > @include common-auth > accountrequired pam_nologin.so > @include common-account > session [success=ok ignore=ignore module_unknown=ignore default=bad] > pam_selinux.so close > sessionrequired pam_loginuid.so > sessionoptional pam_keyinit.so force revoke > @include common-session > sessionoptional pam_motd.so motd=/run/motd.dynamic > sessionoptional pam_motd.so noupdate > sessionoptional pam_mail.so standard noenv # [1] > sessionrequired pam_limits.so > sessionrequired pam_env.so # [1] > sessionrequired pam_env.so user_readenv=1 > envfile=/etc/default/locale > session [success=ok ignore=ignore module_unknown=ignore default=bad] > pam_selinux.so open > @include common-password > > > Regards > Harri > - -- Jerome BENOIT | calculus+at-rezozer^dot*net https://qa.debian.org/developer.php?login=calcu...@rezozer.net AE28 AE15 710D FF1D 87E5 A762 3F92 19A6 7F36 C68B -BEGIN PGP SIGNATURE- iQQcBAEBCgAGBQJXcTxcAAoJED+SGaZ/NsaLfSIgAJszk7N/lqJL5ISi02AEUjCv NXLIN2EZSFWToqeWpT/wryuDPYBiUksBihkIe9fRGUEP92X0UTrNdcZLuLLVLG30 li+xMyxeOE8zyLxYVHmM0HKhLG2hd01/bjrtTpHcMCI0JE5fKkWh0945MiBrNu+n 1n3NqROSIe48h5DJQc1UVyx7EcIAIxzeV8vcRBuZYV0HF1qVLNYgMOe8o18JsrrC nA63EWg3zQuZ2TYyrLPJ8tkmB2998Wl68vzoSrW1oZ90VRnrxO3atrvAmMeAGWoE fnbXZroM6ULZg90EaN139wrrMYjSpFqTx0hAHg+OsefWY7E9U5ebB3DPZEhUpa3Q xmx5ICLWxuXlrKvNawliDYcMKoE70MSxzHkQsMUbDSPDInzqqTGEBttzrXSTq6Jb nf5KtR0Pa99Hise+c6mX0zdLIkiELF3HHw8Fx2zcoG6BqEvyNMh/nLl2WBVu1KQ8 BqAahn3EQD7n4mNGvs0AZHkJ86i+40v01DYA/AykciEHY7jAnOiiUoOOci4DtwTb B1Sc6PSWzLq7UbHkAF6hWo6/KuR6oB150I7AMsQnmT2wPR83Rvs+Eb23uhm8eL1g ND1eTC0kZuqk4hGjR+Olm0rl72JNCM6CCdPgfzefYgcsHuD63JT9wXPyj1ISOEHI jPN6t9DkV0HZHbabg7URToQBn1aJ6LbwaKEzmz/4j/7DQIHZ6d8weWLq8G46s9TI M9e0VziKhOZe2r8Ohm6UsTeWPYjyW/0XZ/ZBhl6uiqUn2kUVEP/rBWwhRViqslkc 9raawvSYLB15IWcDLwD2FQCsSFJ+ln0BzlSHZV8zZHnvXSf75GxowF7DgZ19wR+v QqlDdDDc1bGlnMpPrfTY9fOA0x46s6YLG19u3LiWN765sJaUub6tuARBvj6YC8Ga /IxL5h6c+eNSBA6SSjhUPDCZAJxN+UVQuchMNv1HOqKejT4rMpQ4YHVcfCLodsDj QSryN9AYtmm6oWFbjNYz/UpJHqJ/pRevKSMhGFUh/ZPLChh8Z/IK5ZsZt7/9BXoA 4hMwsXtYqm9ZwMQrz1PA0lBrW7c/h9syLCuxBzf3srmd9RbqNdHYfBu806CGdXxw 2C8w42+80SlZTc0VeLjmqp204iRoGA0BlhSdUkgT5KtibWCt10iQGPSzoXk4MHcy qdEf9YDFUv/L/BrfNa0rLNzC+ruUQU+0I77Toef0Z893xTAOojlktGLRTpsDzWRM H1a5XeTLn0BbMGZ1HpUVOKh+Fhbs6bJek2foIUSPrOgsfD/EJWvju3OziRgTzHjo EsD82EN5BU926lAfZaAzBA4VR7aSkqk/5RGk3Wbdb1PxU/vEj5imZvEKvOSQLNY= =J28x -END PGP SIGNATURE-
Bug#828739: ssh-agent lost on nested ssh sessions
Package: libpam-ssh Version: 2.1+ds1-1 If I ssh to a host "unstable", run "ssh localhost" or "ssh `hostname`", and exit the nested ssh session again, then the ssh-agent started by pam_ssh at first login time is lost. Hard to explain. Sample session: % ssh harri@unstable % tty /dev/pts/6 % ps -ef | grep ssh-agen[t] harri 4824 1 0 13:39 ?00:00:00 ssh-agent % ssh localhost % tty /dev/pts/7 % ps -ef | grep ssh-agen[t] harri 4824 1 0 13:39 ?00:00:00 ssh-agent % exit logout Connection to localhost closed. % ps -ef | grep ssh-agen[t] % tty /dev/pts/6 The result is that I get a ssh-agent just by chance, depending upon the number of logins and the nesting level. Here is the pam configuration for ssh. grep -v ^\# /etc/pam.d/common-auth : auth[success=1 default=ignore] pam_unix.so nullok_secure authrequisite pam_deny.so authrequiredpam_permit.so authoptionalpam_ssh.so use_first_pass authoptionalpam_cap.so grep -v ^\# /etc/pam.d/common-session : session [default=1] pam_permit.so session requisite pam_deny.so session requiredpam_permit.so session requiredpam_unix.so session optionalpam_ssh.so session optionalpam_ck_connector.so nox11 egrep -v ^\#\|^\$ /etc/pam.d/sshd : @include common-auth accountrequired pam_nologin.so @include common-account session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close sessionrequired pam_loginuid.so sessionoptional pam_keyinit.so force revoke @include common-session sessionoptional pam_motd.so motd=/run/motd.dynamic sessionoptional pam_motd.so noupdate sessionoptional pam_mail.so standard noenv # [1] sessionrequired pam_limits.so sessionrequired pam_env.so # [1] sessionrequired pam_env.so user_readenv=1 envfile=/etc/default/locale session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open @include common-password Regards Harri