Bug#855868: [pkg-gnupg-maint] Bug#855868: GPG_AGENT_INFO and SSH_AUTH_SOCK not set in wayland sessions

2017-09-08 Thread Daniel Kahn Gillmor
On Fri 2017-09-08 23:56:40 +0100, rufo wrote:
> On 08/09/17 04:44, Daniel Kahn Gillmor wrote:
>> 
>> OK, the proposed fix is now part of the gnupg2 2.2.0-3 package, which
>> was just uploaded to unstable.
>> 
>
> Looks good.  Thanks!

thanks for letting me know it worked for you :)

> Just looked into this - the generator script is actually working
> properly, but the env vars it sets are not being inherited by your shell
> when you ssh in.
>
> It looks like this is the intended behaviour of openssh, which builds a
> bare-bones env [1] before invoking your shell with execve.
>
> If a user wants SSH_AUTH_SOCK to be set inside their ssh session, the
> easiest way is probably for them to copy the old Xsession.d script into
> their .bashrc or similar.

if they're going to modify .bashrc, they might as well just stick in a
simple:

export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"

And not bother with writing "enable-ssh-support" into gpg-agent.conf :)

Thanks for the followup,

--dkg
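
An added example (not part of the thread or of the gnupg2 package): a `~/.bashrc` fragment combining the ideas above. It keeps an `SSH_AUTH_SOCK` that already points at a live socket, and otherwise uses gpg-agent's socket only when `enable-ssh-support` is set. Function names and the sample gpgconf lines are constructed for illustration.

```shell
# Added example for ~/.bashrc; all function names are illustrative.

# Constructed samples of one `gpgconf --list-options gpg-agent` line.
# Field 10 is the configured value; it is empty when the option is unset.
SAMPLE_ON='enable-ssh-support:0:0:enable ssh support:0:0::::1'
SAMPLE_OFF='enable-ssh-support:0:0:enable ssh support:0:0::::'

# Succeeds when the gpgconf option listing on stdin shows
# enable-ssh-support with a non-empty value (same field-10 test as the
# generator script in this thread).
ssh_support_enabled() {
    awk -F: '$1 == "enable-ssh-support" && $10 != "" { found = 1 }
             END { exit !found }'
}

# Print the socket ssh should use, or nothing if none applies.
#   $1 = SSH_AUTH_SOCK already in the environment (may be empty)
#   $2 = gpg-agent's ssh socket path
#   $3 = "yes" when enable-ssh-support is set
choose_auth_sock() {
    if [ -n "$1" ] && [ -S "$1" ]; then
        printf '%s\n' "$1"    # live socket already present: keep it
    elif [ "$3" = yes ]; then
        printf '%s\n' "$2"    # unset or stale: use gpg-agent's socket
    fi
}

# Wire both checks to the real gpgconf. Call this from ~/.bashrc.
use_gpg_agent_for_ssh() {
    command -v gpgconf >/dev/null 2>&1 || return 0
    enabled=no
    if gpgconf --list-options gpg-agent | ssh_support_enabled; then
        enabled=yes
    fi
    sock=$(choose_auth_sock "${SSH_AUTH_SOCK:-}" \
        "$(gpgconf --list-dirs agent-ssh-socket)" "$enabled")
    if [ -n "$sock" ]; then
        export SSH_AUTH_SOCK="$sock"
    fi
}
```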




Bug#855868: [pkg-gnupg-maint] Bug#855868: GPG_AGENT_INFO and SSH_AUTH_SOCK not set in wayland sessions

2017-09-08 Thread rufo
On 08/09/17 04:44, Daniel Kahn Gillmor wrote:
> 
> OK, the proposed fix is now part of the gnupg2 2.2.0-3 package, which
> was just uploaded to unstable.
> 

Looks good.  Thanks!

> i was expecting to see it work if i log into a user account via ssh, on
> a machine with libpam-systemd installed, and with that user's
> ~/.gnupg/gpg-agent.conf having enable-ssh-support.
> 
> However, it doesn't seem to work (the environment variable isn't set in
> the new ssh session, despite ensuring that no other process was active
> for that user before logging in), and i confess i don't know why --
> running /usr/lib/systemd/user-environment-generators/90gpg-agent by hand
> produces the output i expect.
> 

Just looked into this - the generator script is actually working
properly, but the env vars it sets are not being inherited by your shell
when you ssh in.

It looks like this is the intended behaviour of openssh, which builds a
bare-bones env [1] before invoking your shell with execve.

If a user wants SSH_AUTH_SOCK to be set inside their ssh session, the
easiest way is probably for them to copy the old Xsession.d script into
their .bashrc or similar.

  --rufo


[1]
https://github.com/openssh/openssh-portable/blob/de4ae07f12dabf8815ecede54235fce5d22e3f63/session.c#L963



Bug#855868: [pkg-gnupg-maint] Bug#855868: GPG_AGENT_INFO and SSH_AUTH_SOCK not set in wayland sessions

2017-09-07 Thread Daniel Kahn Gillmor
On Thu 2017-09-07 21:00:14 -0400, Daniel Kahn Gillmor wrote:
> I'll get this uploaded shortly.

OK, the proposed fix is now part of the gnupg2 2.2.0-3 package, which
was just uploaded to unstable.

i was expecting to see it work if i log into a user account via ssh, on
a machine with libpam-systemd installed, and with that user's
~/.gnupg/gpg-agent.conf having enable-ssh-support.

However, it doesn't seem to work (the environment variable isn't set in
the new ssh session, despite ensuring that no other process was active
for that user before logging in), and i confess i don't know why --
running /usr/lib/systemd/user-environment-generators/90gpg-agent by hand
produces the output i expect.

Any suggestions for how to debug it would be welcome.

--dkg



Bug#855868: [pkg-gnupg-maint] Bug#855868: GPG_AGENT_INFO and SSH_AUTH_SOCK not set in wayland sessions

2017-09-07 Thread Daniel Kahn Gillmor
On Mon 2017-08-21 15:18:30 +0200, Raphael Hertzog wrote:
> On Sun, 30 Jul 2017, rufo wrote:
>> Perhaps the solution might involve using systemd's
>> environment-generators [1].  This seems to be the new preferred way to
>> set environmental variables like SSH_AUTH_SOCK and the replacement for
>> putting scripts in /etc/X11/Xsession.d/.
>> 
>> For example the gnupg-agent package could create the file
>> /usr/lib/systemd/user-environment-generators/90gpg-agent containing
>> something like this:
>> 
>> #!/bin/bash
>> 
>> if [ -n "$(gpgconf --list-options gpg-agent | \
>>   awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then
>> echo SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
>> fi
>> 
>> This is what I'm using at the moment and it seems to work well.  What do
>> you think?
>
> I agree it looks like a good solution. Daniel, can you implement this
> please?

sure, i can do this.  It's a little bit weird that
~/.gnupg/gpg-agent.conf will affect the SSH_AUTH_SOCK env var, but it at
least gives parity with the Xsession.d stuff.

What's funny is that gpg-agent always has ssh-agent enabled these days,
so the option itself is a no-op except for its use in these two session
management scripts.

That said, i don't want to export SSH_AUTH_SOCK by default, because the
people who prefer OpenSSH's ssh-agent should have that used
preferentially.

Is there any plan to try to get OpenSSH's ssh-agent to export
SSH_AUTH_SOCK in its own generator?

> Debian Unstable now defaults to Wayland for GNOME users and it would be
> nice to have SSH agent working out of the box again.

You have a weird definition of "out of the box" if you think adding
"enable-ssh-support" to ~/.gnupg/gpg-agent.conf is "out of the box" but
i'm ok with it :)

I'll get this uploaded shortly.

--dkg




Bug#855868: [pkg-gnupg-maint] Bug#855868: GPG_AGENT_INFO and SSH_AUTH_SOCK not set in wayland sessions

2017-09-04 Thread rufo
On 21/08/17 14:18, Raphael Hertzog wrote:
> 
> I agree it looks like a good solution. Daniel, can you implement this
> please?
> 

Quick amendment to my previous suggestion.

At least until this patch
(https://git.gnome.org/browse/gnome-session/commit/?id=818266a898b803960ce8dd6d330c1ef6934bba46)
lands in gnome-session-bin, we also need to set
GSM_SKIP_SSH_AGENT_WORKAROUND to prevent our SSH_AUTH_SOCK from being
clobbered.  Updated script below.

  --rufo



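#!/bin/bash

# Emit SSH_AUTH_SOCK only when enable-ssh-support is set for gpg-agent
# (field 10 of the gpgconf option line holds the configured value).
if [ -n "$(gpgconf --list-options gpg-agent | \
  awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then
    echo "SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)"
    # Keep gnome-session from clobbering the SSH_AUTH_SOCK set above.
    echo GSM_SKIP_SSH_AGENT_WORKAROUND=true
fi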



Bug#855868: [pkg-gnupg-maint] Bug#855868: GPG_AGENT_INFO and SSH_AUTH_SOCK not set in wayland sessions

2017-08-21 Thread Raphael Hertzog
Hello,

On Sun, 30 Jul 2017, rufo wrote:
> Perhaps the solution might involve using systemd's
> environment-generators [1].  This seems to be the new preferred way to
> set environmental variables like SSH_AUTH_SOCK and the replacement for
> putting scripts in /etc/X11/Xsession.d/.
> 
> For example the gnupg-agent package could create the file
> /usr/lib/systemd/user-environment-generators/90gpg-agent containing
> something like this:
> 
> #!/bin/bash
> 
> if [ -n "$(gpgconf --list-options gpg-agent | \
>   awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then
> echo SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
> fi
> 
> This is what I'm using at the moment and it seems to work well.  What do
> you think?

I agree it looks like a good solution. Daniel, can you implement this
please?

Debian Unstable now defaults to Wayland for GNOME users and it would be
nice to have SSH agent working out of the box again.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Bug#855868: [pkg-gnupg-maint] Bug#855868: GPG_AGENT_INFO and SSH_AUTH_SOCK not set in wayland sessions

2017-07-29 Thread rufo
Hi folks,

Perhaps the solution might involve using systemd's
environment-generators [1].  This seems to be the new preferred way to
set environmental variables like SSH_AUTH_SOCK and the replacement for
putting scripts in /etc/X11/Xsession.d/.

For example the gnupg-agent package could create the file
/usr/lib/systemd/user-environment-generators/90gpg-agent containing
something like this:


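#!/bin/bash

# Emit SSH_AUTH_SOCK only when enable-ssh-support is set for gpg-agent
# (field 10 of the gpgconf option line holds the configured value).
if [ -n "$(gpgconf --list-options gpg-agent | \
  awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then
    echo "SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)"
fi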


This is what I'm using at the moment and it seems to work well.  What do
you think?

  --rufo

[1]
https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html



Bug#855868: [pkg-gnupg-maint] Bug#855868: GPG_AGENT_INFO and SSH_AUTH_SOCK not set in wayland sessions

2017-02-22 Thread Daniel Kahn Gillmor
On Wed 2017-02-22 11:17:59 -0500, Laurent Bigonville wrote:
> In X11 session, GPG_AGENT_INFO (and SSH_AUTH_SOCK) are set in the user
> environment.

SSH_AUTH_SOCK should only be set in the user environment by gpg-agent if
enable-ssh-support is set in ~/.gnupg/gpg-agent.conf (see
/etc/X11/Xsession.d/90gpg-agent for details).

GPG_AGENT_INFO is only necessary for users of GnuPG's 1.4 and 2.0
branches, which upstream describes as "in deep maintenance mode" and
"EOL at the end of 2017", respectively.  stretch will not ship the GnuPG
2.0 branch at all, and will ship the 1.4 branch only as gnupg1, which is
explicitly deprecated.

> With GNOME running a wayland session, this is not set.
>
> So the question is, what are the consequences of these environment
> variables not being set? And what should be the solution? Should all the
> software stop relying on these environment variables? Or should the
> compositors export that to the user environment?

I'm happy if users of modern systems like wayland completely ignore
archaisms like GPG_AGENT_INFO.  So we can check that one off :)

ssh will continue to rely on SSH_AUTH_SOCK to decide which agent to use,
of course.  And modern versions of gpg-agent will always have the
ssh-agent authentication socket available by default (regardless of the
enable-ssh-support setting) in the "standard socket" location of:
/run/user/$(id -u)/gnupg/S.gpg-agent.ssh

The question is whether the gpg-agent package ought to try to set the
environment variable, or whether some other part of wayland session
initiation should take care of it.  if OpenSSH's ssh-agent is installed
on a system that doesn't have enable-ssh-support set, does ssh-agent
itself get launched?

Currently we're only setting SSH_AUTH_SOCK in the gpg-agent package
because it has been historically set based on older invocations of
gpg-agent (which used randomized socket paths).  With the modern
gpg-agent arrangement and the standard socket path, i'm less convinced
that this variable should be controlled by settings in
~/.gnupg/gpg-agent.conf, except for the fact that people might
historically expect it.  Maybe switching to Wayland is a good
opportunity for people to switch over to some more sensible
configuration mechanism, but i don't know what that would be
specifically.

If someone wants to propose such a mechanism, i'm happy to review it.

Thanks for your attention to these details, Laurent!

   --dkg

