Debian Bug report logs - #642012
x11-common: ssh-agent Xsession script does not check if gpg-agent will enable SSH support

Package: x11-common; Maintainer for x11-common is Debian X Strike Force <[email protected]>; Source for x11-common is src:xorg (PTS, buildd, popcon).

Affects: openssh-client, gnupg-agent

Reported by: Luca Capello <[email protected]>

Date: Sun, 18 Sep 2011 14:55:21 UTC

Severity: important

Tags: patch

Found in version xorg/1:7.6+8

X-Loop: [email protected]
Subject: Bug#642012: x11-common: ssh-agent Xsession script does not check if gpg-agent will enable SSH support
Reply-To: Luca Capello <[email protected]>, [email protected]
Resent-From: Luca Capello <[email protected]>
Resent-To: [email protected]
Resent-CC: Debian X Strike Force <[email protected]>
X-Loop: [email protected]
Resent-Date: Tue, 21 Feb 2012 12:39:13 +0000
Resent-Message-ID: <[email protected]>
Resent-Sender: [email protected]
X-Debian-PR-Message: followup 642012
X-Debian-PR-Package: x11-common
X-Debian-PR-Keywords: patch
X-Debian-PR-Source: xorg
From: Luca Capello <[email protected]>
To: [email protected]
Cc: "Hellekin O. Wolf" <[email protected]>,
    [email protected]
References: <[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.92 (gnu/linux)
Date: Tue, 21 Feb 2012 13:36:11 +0100
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"
usertags 642012 + pca.it-authentication
thanks

Hi there!

Hellekin, the patch you have sent is referring to another bug, see:

  <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444103#15>

BTW, please always check if you need to Cc: other people interested in
the bug (you did not Cc: me, so I was not aware of your replies).

On Mon, 26 Sep 2011 16:36:52 +0200, Luca Capello wrote:
> On Mon, 19 Sep 2011 14:57:14 +0200, Julien Cristau wrote:
>> On Sun, Sep 18, 2011 at 21:51:21 +0200, Luca Capello wrote:
>>> This leaves the bug opened: I would be glad to explore other solutions,
>>> but AFAIK without checking gpg.conf and gpg-agent.conf there is no way
>>> to know *beforehand* 1) if gpg-agent will run and 2) if the latter will
>>> provide SSH support.
>
> This is the real problem.
>
>>> Please note that until now ssh-agent is *never* started if gpg-agent has
>>> been started at least once with SSH support, for the following reasons
>>> (and this is another bug, no matter what):
>>> 
>>> 1) 90gpg-agent is sourced before 90x11-common_ssh-agent
>>> 2) gpg-agent does not remove its "PID" file when exiting, see #642021
>>
>> Sounds like that should be fixed.
>
> Patch sent upstream and block added.
>
>   <http://news.gmane.org/find-root.php?message_id=1316457193-26043-1-git-send-email-luca%40pca.it>
>   <http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;bug=642021>

Upstream's opinion is that the "PID" file must not be removed:

  <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642021#33>

>>> 3) 90gpg-agent sources the "PID" file above, which means that
>>>    SSH_AUTH_SOCK is defined *before* any gpg-agent is started at all
>>
>> Shouldn't the "if ! $GPGAGENT 2>/dev/null; then" line in 90gpg-agent be
>> followed by unsetting the variables (and maybe removing the file) it
>> just read since it found out they don't work?
>
> Good catch, I will follow up on the other bug report.  However,
> unsetting (at least) the SSH_AUTH_SOCK variable is not correct, because
> it could be defined in ~/.Xsessionrc.

According to its manpage, it is ssh-agent that sets this variable, so
any value in ~/.Xsessionrc (sourced by 40x11-common_xsessionrc, so
before any 90*agent) should be simply ignored:

  A UNIX-___domain socket is created and the name of this socket is
  stored in the SSH_AUTH_SOCK environment variable.  The socket is
  made accessible only to the current user.  This method is easily
  abused by root or another instance of the same user.

However, given upstream's opinion on the "PID" file not to be removed, I
would simply unset the variables.  This is at least to be sure that
variables from dead gpg-agent processes will not influence the current
login.

>>> 4) 90x11-common_ssh-agent starts ssh-agent only if SSH_AUTH_SOCK is
>>>    empty, which is not the case as per point 3
> [...]
>>> IMHO the real bug is to try to start ssh-agent in a system-wide fashion
>>> via /etc/X11/Xsession.options, while this is (clearly) a user option.
>>> This is also why I fear the new Xsession "use-gpg-agent" option at
>>> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=412993#20>.  The fact
>>> that ssh_config does not have any way to define that we want the agent
>>> is probably the original cause of this bug.
>>> 
>> Can we switch the order so that 1) doesn't apply?  And turn ssh-agent
>> into a no-op when it's started by gpg-agent with ssh support (assuming
>> it's not already)?
>
> I still fail to see your solution: when both Xsession scripts do their
> checks there is no agent running at all, so reverting the order should
> not change anything.  Again, how do you know that gpg-agent will be
> started with SSH support?

The key is SSH_AUTH_SOCK, which should be *anyway* set if gpg-agent
should be started with the SSH support, which is covered by:

  <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444103#15>

Git patch attached.  Test packages fixing #444103, #642012 and #642021
are available at:

  <http://people.debian.org/~gismo/tmp/gnupg2_2.0.18-3~gismo444103.642012.642021.1.dsc>

>>> Finally, may I ask why this file is not provided by openssh-client?  I
>>> could not find any reference in the x11-common changelog.Debian nor
>>> x11-common Recommends:/Suggests:/Enhances: openssh-client.
>>> 
>> The changelog suggests this was already in xfree86-common with the
>> initial xfree86 4.0 upload 11 years ago.  I could go look for earlier
>> changelogs, but I guess "hysterical raisins" pretty much covers it?
>
> I came to the same conclusion.  However, I still think openssh-client
> would be a better place, because until now ssh-agent is started
> unconditionally without asking the user (and FWIW not even the
> sysadmin).  The fact that there is no way to have ssh-agent "configured"
> through a user variable changes the whole situation, so I will not
> bother any more with this.
>
> Attached a Git patch to add the Enhances: above, including dbus-x11 for
> the very same reason.

The last sentence is independent of the gpg-agent stuff, can it be
included anyway?

Thx, bye,
Gismo / Luca

[0002-debian-gnupg-agent.xsession-642012-fix-90x11-common_.patch (text/x-diff, attachment)]
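The check discussed in the thread above (source the gpg-agent info file, then drop SSH_AUTH_SOCK and SSH_AGENT_PID again if the agent they describe is not actually answering, so that a stale file or a value inherited from ~/.Xsessionrc cannot keep 90x11-common_ssh-agent from starting an agent) as a stand-alone POSIX shell example. This is an added illustration, not the attached patch and not the code of Debian's 90gpg-agent or 90x11-common_ssh-agent; the function names, the KEY=value layout of the info file, the constructed sample file and the reliance on ssh-add's exit status 2 ("could not contact agent") are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the Debian patch: validate agent variables read from a
# gpg-agent info ("PID") file before trusting them in an Xsession script.

# agent_socket_alive SOCKET
# Returns 0 only if SOCKET is an existing UNIX socket and, when ssh-add is
# installed, an agent actually answers on it.  ssh-add exits 2 when it cannot
# contact the agent; 0 and 1 (no identities) both mean the agent is up.
agent_socket_alive() {
    [ -n "$1" ] && [ -S "$1" ] || return 1
    if command -v ssh-add >/dev/null 2>&1; then
        SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1 || [ $? -ne 2 ] || return 1
    fi
    return 0
}

# load_agent_env FILE
# Reads KEY=value lines (assumed layout of the gpg-agent info file) and exports
# the three agent variables.  Only whitelisted NAME=value lines are accepted,
# so the file is never executed as shell code.  Afterwards SSH_AUTH_SOCK and
# SSH_AGENT_PID survive only if the socket belongs to a live agent; otherwise
# they are unset, whatever their origin (file, ~/.Xsessionrc, parent shell).
# Exit status: 0 live agent, 1 unreadable file, 2 variables were discarded.
load_agent_env() {
    file="$1"
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            SSH_AUTH_SOCK=*|SSH_AGENT_PID=*|GPG_AGENT_INFO=*)
                export "$line" ;;
        esac
    done < "$file"
    if agent_socket_alive "${SSH_AUTH_SOCK:-}"; then
        return 0
    fi
    unset SSH_AUTH_SOCK SSH_AGENT_PID
    return 2
}

# Usage from an Xsession-style script (hypothetical path):
#   load_agent_env "$HOME/.gnupg/gpg-agent-info-$(hostname)" || \
#       echo "no usable SSH agent from gpg-agent; ssh-agent may be started"
```

The point of returning 2 rather than silently succeeding is that a later script (the ssh-agent one, in the ordering described above) can rely on an empty SSH_AUTH_SOCK meaning "no working agent" instead of inheriting a path from a gpg-agent that died in a previous session.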
Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 14:25:35 2025; Machine Name: buxtehude