Debian Bug report logs - #642012
x11-common: ssh-agent Xsession script does not check if gpg-agent will enable SSH support


Package: x11-common; Maintainer for x11-common is Debian X Strike Force <[email protected]>; Source for x11-common is src:xorg (PTS, buildd, popcon).

Affects: openssh-client, gnupg-agent

Reported by: Luca Capello <[email protected]>

Date: Sun, 18 Sep 2011 14:55:21 UTC

Severity: important

Tags: patch

Found in version xorg/1:7.6+8

Subject: Bug#642012: x11-common: ssh-agent Xsession script does not check if gpg-agent will enable SSH support
Date: Mon, 19 Sep 2011 14:57:14 +0200
From: Julien Cristau <[email protected]>
To: Luca Capello <[email protected]>, [email protected]
On Sun, Sep 18, 2011 at 21:51:21 +0200, Luca Capello wrote:

> Hi there!
> 
> On Sun, 18 Sep 2011 17:05:37 +0200, Julien Cristau wrote:
> > On Sun, Sep 18, 2011 at 16:53:13 +0200, Luca Capello wrote:
> >
> >> --8<---------------cut here---------------start------------->8---
> [patch]
> >> --8<---------------cut here---------------end--------------->8---
> >> 
> > NAK, as far as I'm concerned this script has no business looking around
> > in gpg.conf.
> 
> This leaves the bug opened: I would be glad to explore other solutions,
> but AFAIK without checking gpg.conf and gpg-agent.conf there is no way
> to know *beforehand* 1) if gpg-agent will run and 2) if the latter will
> provide SSH support.
> 
> Please note that until now ssh-agent is *never* started if gpg-agent has
> been started at least once with SSH support, for the following reasons
> (and this is another bug, no matter what):
> 
> 1) 90gpg-agent is sourced before 90x11-common_ssh-agent
> 2) gpg-agent does not remove its "PID" file when exiting, see #642021

Sounds like that should be fixed.

> 3) 90gpg-agent sources the "PID" file above, which means that
>    SSH_AUTH_SOCK is defined *before* any gpg-agent is started at all

Shouldn't the "if ! $GPGAGENT 2>/dev/null; then" line in 90gpg-agent be
followed by unsetting the variables (and maybe removing the file) it
just read since it found out they don't work?

> 4) 90x11-common_ssh-agent starts ssh-agent only if SSH_AUTH_SOCK is
>    empty, which is not the case as per point 3
> 
> Here is the patch to test the behavior above:
> 
> --8<---------------cut here---------------start------------->8---
> --- 90x11-common_ssh-agent.ORG
> +++ 90x11-common_ssh-agent
> @@ -14,6 +14,11 @@
>        # use ssh-agent2's ssh-agent1 compatibility mode
>        SSHAGENTARGS=-1
>      fi
> +  else
> +    cat <<EOF >>"$HOME"/.xsession-errors
> +/etc/X11/Xsession.d/90x11-common_ssh-agent: SSH_AUTH_SOCK='$SSH_AUTH_SOCK'
> +/etc/X11/Xsession.d/90x11-common_ssh-agent: not starting ssh-agent
> +EOF
>    fi
>  fi
>  
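
Review bot: The added else branch appends to a hardcoded "$HOME"/.xsession-errors through cat <<EOF >>..., so the diagnostic bypasses whatever error log the session is actually using and depends on that one path being writable. Writing the two lines to stderr instead (for example: echo "$0: not starting ssh-agent" >&2) would leave the destination to the session's own redirection. The message also reports only SSH_AUTH_SOCK, while the condition this else belongs to sits above the hunk's context; if that test reads anything besides SSH_AUTH_SOCK, the log will point at the wrong cause, so print every variable the test checks. The unquoted EOF delimiter is correct here, since $SSH_AUTH_SOCK has to expand.
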
> --8<---------------cut here---------------end--------------->8---
> 
> IMHO the real bug is to try to start ssh-agent in a system-wide fashion
> via /etc/X11/Xsession.options, while this is (clearly) a user option.
> This is also why I fear the new Xsession "use-gpg-agent" option at
> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=412993#20>.  The fact
> that ssh_config does not have any way to define that we want the agent
> is probably the original cause of this bug.
> 
Can we switch the order so that 1) doesn't apply?  And turn ssh-agent
into a no-op when it's started by gpg-agent with ssh support (assuming
it's not already)?

> Finally, may I ask why this file is not provided by openssh-client?  I
> could not find any reference in the x11-common changelog.Debian nor
> x11-common Recommends:/Suggests:/Enhances: openssh-client.
> 
The changelog suggests this was already in xfree86-common with the
initial xfree86 4.0 upload 11 years ago.  I could go look for earlier
changelogs, but I guess "hysterical raisins" pretty much covers it?

Cheers,
Julien
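
The suggestion made above (forget the values read from the agent info file once the agent turns out not to be running, and maybe remove the file) together with its effect on point 4, as an added example that is not code from 90gpg-agent or 90x11-common_ssh-agent. The function names, the socket-based probe that stands in for the `$GPGAGENT 2>/dev/null` check, and the sample info file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; not the code of 90gpg-agent or 90x11-common_ssh-agent.

# Default liveness probe (assumption): the advertised path must be a socket.
# The 90gpg-agent line quoted in the thread uses `$GPGAGENT 2>/dev/null` here.
probe_socket() { [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]; }

# Source the agent info file, then keep its variables only if the probe passes.
# $1 = info file, $2 = probe command (hypothetical parameter, default above).
load_agent_info() {
    info_file=$1
    probe=${2:-probe_socket}
    [ -r "$info_file" ] || return 1
    . "$info_file"
    if $probe; then
        export GPG_AGENT_INFO SSH_AUTH_SOCK
        return 0
    fi
    # Stale: nothing answers behind these values, so forget them and the file.
    unset GPG_AGENT_INFO SSH_AUTH_SOCK SSH_AGENT_PID
    rm -f "$info_file"
    return 1
}

# The test from point 4: ssh-agent is started only when no socket is set.
ssh_agent_decision() {
    if [ -z "$SSH_AUTH_SOCK" ]; then echo start; else echo skip; fi
}

# Constructed sample: an info file left behind by an agent that has exited.
make_stale_info() {
    dir=$(mktemp -d) || return 1
    printf 'GPG_AGENT_INFO=%s/S.gpg-agent:4242:1\n' "$dir" > "$dir/info"
    printf 'SSH_AUTH_SOCK=%s/S.gpg-agent.ssh\n' "$dir" >> "$dir/info"
    echo "$dir/info"
}

# Demo: the stale file is dropped, so ssh-agent is no longer suppressed.
demo_file=$(make_stale_info)
load_agent_info "$demo_file" || echo "stale agent info dropped"
echo "ssh-agent: $(ssh_agent_decision)"
rmdir "${demo_file%/*}" 2>/dev/null || true
```

Without the unset in the stale branch, `ssh_agent_decision` would return `skip` for the same input, which is the behaviour described in points 3 and 4.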






Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 14:29:27 2025; Machine Name: buxtehude
