Debian Bug report logs - #642012
x11-common: ssh-agent Xsession script does not check if gpg-agent will enable SSH support

Package: x11-common; Maintainer for x11-common is Debian X Strike Force <[email protected]>; Source for x11-common is src:xorg (PTS, buildd, popcon).

Affects: openssh-client, gnupg-agent

Reported by: Luca Capello <[email protected]>

Date: Sun, 18 Sep 2011 14:55:21 UTC

Severity: important

Tags: patch

Found in version xorg/1:7.6+8


Message #17 received at [email protected] (full text, mbox, reply):

From: Luca Capello <[email protected]>
To: [email protected]
Subject: Re: Bug#642012: x11-common: ssh-agent Xsession script does not check if gpg-agent will enable SSH support
References: <[email protected]>
	<[email protected]>
Date: Sun, 18 Sep 2011 21:51:21 +0200
Message-ID: <[email protected]>
Hi there!

On Sun, 18 Sep 2011 17:05:37 +0200, Julien Cristau wrote:
> On Sun, Sep 18, 2011 at 16:53:13 +0200, Luca Capello wrote:
>
>> --8<---------------cut here---------------start------------->8---
[patch]
>> --8<---------------cut here---------------end--------------->8---
>> 
> NAK, as far as I'm concerned this script has no business looking around
> in gpg.conf.

This leaves the bug open: I would be glad to explore other solutions,
but AFAIK without checking gpg.conf and gpg-agent.conf there is no way
to know *beforehand* 1) if gpg-agent will run and 2) if the latter will
provide SSH support.

Please note that until now ssh-agent is *never* started if gpg-agent has
been started at least once with SSH support, for the following reasons
(and this is another bug, no matter what):

1) 90gpg-agent is sourced before 90x11-common_ssh-agent
2) gpg-agent does not remove its "PID" file when exiting, see #642021
3) 90gpg-agent sources the "PID" file above, which means that
   SSH_AUTH_SOCK is defined *before* any gpg-agent is started at all
4) 90x11-common_ssh-agent starts ssh-agent only if SSH_AUTH_SOCK is
   empty, which is not the case as per point 3

Here is the patch to test the behavior above:

--8<---------------cut here---------------start------------->8---
--- 90x11-common_ssh-agent.ORG
+++ 90x11-common_ssh-agent
@@ -14,6 +14,11 @@
       # use ssh-agent2's ssh-agent1 compatibility mode
       SSHAGENTARGS=-1
     fi
+  else
+    cat <<EOF >>"$HOME"/.xsession-errors
+/etc/X11/Xsession.d/90x11-common_ssh-agent: SSH_AUTH_SOCK='$SSH_AUTH_SOCK'
+/etc/X11/Xsession.d/90x11-common_ssh-agent: not starting ssh-agent
+EOF
   fi
 fi
 
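Review bot: the added `else` branch appends to a hardcoded `"$HOME"/.xsession-errors` with `cat <<EOF >>`, so the diagnostic lands in that one file even if the session's errors are being collected somewhere else; writing the two lines to stderr (`>&2`) would let them follow the session log. The `if` this `else` belongs to lies outside the hunk: if its condition tests anything besides an empty SSH_AUTH_SOCK, the branch will also print "not starting ssh-agent" together with an empty `SSH_AUTH_SOCK=''`, which would mislead whoever reads the log, so the message is better guarded by its own non-empty test. The script path is also spelled out twice in the here-document; a variable would keep the two lines in sync.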
--8<---------------cut here---------------end--------------->8---

IMHO the real bug is to try to start ssh-agent in a system-wide fashion
via /etc/X11/Xsession.options, while this is (clearly) a user option.
This is also why I fear the new Xsession "use-gpg-agent" option at
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=412993#20>.  The fact
that ssh_config does not have any way to define that we want the agent
is probably the original cause of this bug.

Finally, may I ask why this file is not provided by openssh-client?  I
could not find any reference in the x11-common changelog.Debian nor
x11-common Recommends:/Suggests:/Enhances: openssh-client.

Thx, bye,
Gismo / Luca
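
The sequence in points 1) to 4) above, reproduced as an added example that is not part of the original message or of the Debian scripts: it contrasts the non-empty test on SSH_AUTH_SOCK with a test on the socket itself. The info file name, its one-line format and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the Debian Xsession.d script. The info file and its
# contents are constructed sample data.

# Print "unset", "stale" or "socket" for the given SSH_AUTH_SOCK value.
classify_auth_sock() {
    if [ -z "$1" ]; then
        echo unset
    elif [ -S "$1" ]; then
        echo socket      # a socket file exists at that path
    else
        echo stale       # variable is set, but no socket is there
    fi
}

# Source a leftover agent info file as point 3 describes, then report what
# the non-empty test (point 4) decides versus a test on the socket itself.
# Runs in a subshell so the caller's environment is left untouched.
compare_checks() {
    (
        unset SSH_AUTH_SOCK
        if [ -r "$1" ]; then . "$1"; fi
        if [ -z "${SSH_AUTH_SOCK:-}" ]; then naive=start; else naive=skip; fi
        case "$(classify_auth_sock "${SSH_AUTH_SOCK:-}")" in
            socket) checked=skip ;;
            *)      checked=start ;;
        esac
        echo "naive=$naive checked=$checked"
    )
}

# Constructed sample: an info file left behind by an agent that has exited,
# pointing at a socket path that no longer exists.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'SSH_AUTH_SOCK=%s/S.agent.ssh\n' "$dir" > "$dir/agent-info"
    compare_checks "$dir/agent-info"
    rm -rf "$dir"
}

demo
```

A socket file on disk does not prove that an agent is still listening on it; `ssh-add -l` exits with status 2 when it cannot contact the agent and can serve as a stricter check.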


Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 14:29:12 2025; Machine Name: bembo
