[pkg-gnupg-maint] Bug#855868: GPG_AGENT_INFO and SSH_AUTH_SOCK not set in wayland sessions

Simon McVittie smcv at debian.org
Wed Feb 22 19:28:19 UTC 2017


On Wed, 22 Feb 2017 at 17:17:59 +0100, Laurent Bigonville wrote:
> In X11 session, GPG_AGENT_INFO (and SSH_AUTH_SOCK) are set in the user
> environment.

More specifically, SSH_AUTH_SOCK is set if and only if enable-ssh-support
is found in the gpg-agent configuration. (If not, 90x11-common_ssh-agent
starts the OpenSSH SSH agent instead.)

$GPG_AGENT_INFO is actually not needed any more, because the gpg-agent's
authors also control the gpg client, and have adapted it to look for the
well-known socket in $XDG_RUNTIME_DIR automatically; if I understand
correctly, the variable is still set to reassure third-party tools
like keychain[1] that they don't need to.

However, the OpenSSH client does not look for a well-known socket, so it
will not use gpg-agent's socket without $SSH_AUTH_SOCK being set to
something.

[1] https://tracker.debian.org/pkg/keychain

> With GNOME running a wayland session, this is not set.

/usr/share/gdm/env.d exists, but it's a stopgap solution that is unlikely
to be sufficiently expressive to deal with conditionals like the ones
in the Xsession.d snippet. It's also completely gdm-specific.

Recent gdm runs a login shell (!) when starting a Wayland session, for
feature parity with historical behaviour of Red Hat derivatives in
X11 (they historically ran the equivalent of Xsession in a login shell,
whereas Debian derivatives didn't). This is obviously a nasty hack
that the gdm maintainers are not very happy about.

https://github.com/systemd/systemd/pull/5131 is an attempt at a better
solution, and will be in systemd 233. I believe gdm 3.24 will import
variables from that.

gdm either does, or used to, forcibly set
SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/keyring/ssh, which I believe is the path
that GNOME Keyring would use for *its* integrated SSH agent if enabled.
I don't know what GNOME's long-term plan is for the SSH agent. Keyring
used to provide a GPG agent too, but has dropped that functionality in
favour of gpg-agent and pinentry; I wonder whether making GNOME tools
act as frontends to gpg-agent for SSH agent services too would be viable?

Here is the hack I currently use for this:

    % cat ~/.config/systemd/user/gpg-agent.service.d/gnome.conf
    [Service]
    ExecStartPost=/usr/bin/dbus-update-activation-environment --systemd GPG_AGENT_INFO=%t/gnupg/S.gpg-agent:0:1 SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh
    ExecStartPost=/bin/mkdir -p -m700 %t/keyring
    # Forcibly set by gdm for Wayland sessions :-(
    ExecStartPost=/bin/ln -fns %t/gnupg/S.gpg-agent.ssh %t/keyring/ssh

I'm sure this is full of race conditions, but it works in practice...

    S
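As an added example (not part of the mail above), a small POSIX shell check for the situation the thread describes: whether enable-ssh-support is actually on in gpg-agent.conf, and which agent SSH_AUTH_SOCK ends up at once gdm's forced %t/keyring/ssh path and the drop-in's symlink are followed. The fixture directory, the `make_fixture` helper and the classification names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original mail. Checks whether a session's
# SSH_AUTH_SOCK really ends up at gpg-agent's SSH socket, which is what the
# Xsession.d snippet and the drop-in above are trying to arrange. Paths are
# passed in as arguments so it also works against a constructed layout.

# 0 if enable-ssh-support is present and uncommented in gpg-agent.conf,
# i.e. the condition under which SSH_AUTH_SOCK should point at gpg-agent.
gpg_ssh_support_enabled() {
    conf=$1
    [ -r "$conf" ] && grep -Eq '^[[:space:]]*enable-ssh-support([[:space:]]|$)' "$conf"
}

# Print which agent SSH_AUTH_SOCK resolves to under a runtime dir:
# gpg-agent, gnome-keyring, openssh-agent, unset or other.
classify_ssh_auth_sock() {
    runtime_dir=$(readlink -f -- "$1" 2>/dev/null) || runtime_dir=$1
    sock=$2
    [ -n "$sock" ] || { echo unset; return 0; }
    # Follow symlinks: gdm forces %t/keyring/ssh, which the drop-in above
    # links to gpg-agent's socket, so the link target is what matters.
    target=$(readlink -f -- "$sock" 2>/dev/null) || target=$sock
    case "$target" in
        "$runtime_dir"/gnupg/S.gpg-agent.ssh) echo gpg-agent ;;
        "$runtime_dir"/keyring/ssh)           echo gnome-keyring ;;
        /tmp/ssh-*/agent.*)                   echo openssh-agent ;;
        *)                                    echo other ;;
    esac
}

# Constructed fixture mirroring the drop-in: a fake runtime dir with
# gpg-agent's SSH socket path and gdm's keyring/ssh symlinked onto it.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p -m700 "$dir/gnupg" "$dir/keyring"
    : > "$dir/gnupg/S.gpg-agent.ssh"          # stands in for the real socket
    ln -fns "$dir/gnupg/S.gpg-agent.ssh" "$dir/keyring/ssh"
    printf 'enable-ssh-support\n' > "$dir/gpg-agent.conf"
    echo "$dir"
}

# When run directly, report on the live session.
if [ -n "${XDG_RUNTIME_DIR:-}" ]; then
    echo "SSH_AUTH_SOCK -> $(classify_ssh_auth_sock "$XDG_RUNTIME_DIR" "${SSH_AUTH_SOCK:-}")"
fi
```

Running it in a real GNOME Wayland session shows "gnome-keyring" when gdm's path is a live keyring socket and "gpg-agent" once the symlink from the drop-in is in place.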