Bug#947599: gnome-keyring: Launches ssh-agent without $DISPLAY, breaking agent sign confirmation
Wilmer van der Gaast
wilmer at gaast.net
Sat Dec 28 11:22:40 GMT 2019
Package: gnome-keyring
Version: 3.28.2-5
Severity: normal

There are two existing bugs about "ssh-add -c" sign confirmation, #475502 and
#493874, presumably dupes and actually fixed since the breakage I'm seeing now
is at a later stage:

ssh-add -c adds a key successfully now, no warnings and no unconfirmed
signatures anymore, but sadly no signatures at all in fact, instead I'm getting
"agent refused operation" errors:

    sign_and_send_pubkey: signing failed: agent refused operation

I noticed that ssh-agent is running without the $DISPLAY variable set which
makes asking for confirmation pretty difficult of course. I think this happens
because gnome-keyring is started early on by the PAM module? The PAM module
code does seem to have code for propagating $DISPLAY here:

https://github.com/GNOME/gnome-keyring/blob/mainline/pam/gkr-pam-module.c#L406

But I guess the PAM module isn't even receiving the variable? I've tried
playing with /etc/security/pam_env but overriding to a fixed value isn't very
useful when the $DISPLAY value is unpredictable.

README.Debian suggests that I could uninstall libpam-gnome-keyring to have
gnome-keyring start at a later stage (but without auto-unlocked keyring file)
which could maybe fix this issue, but dependencies didn't let me try that out,
plus having to type my password twice to get to my keyring wouldn't be nice
either. :-(

This is where my understanding of PAM ends sadly. :-( Is this environment
variable filtering working too hard? Is there a way to have
libpam-gnome-keyring pass this through again?

I believe this is a fairly plain Debian Stable install. I've done a quick diff
between the current gnome-keyring from sid and there are no relevant looking
changes to the PAM module.

-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gnome-keyring depends on:
ii dbus-user-session [default-dbus-session-bus] 1.12.16-1
ii dbus-x11 [dbus-session-bus] 1.12.16-1
ii dconf-gsettings-backend [gsettings-backend] 0.30.1-2
ii gcr 3.28.1-1
ii libc6 2.28-10
ii libcap-ng0 0.7.9-2
ii libcap2-bin 1:2.25-2
ii libgck-1-0 3.28.1-1
ii libgcr-base-3-1 3.28.1-1
ii libgcrypt20 1.8.4-5
ii libglib2.0-0 2.58.3-2+deb10u2
ii p11-kit 0.23.15-2
ii pinentry-gnome3 1.1.0-2
ii gdm3 3.30.2-3 amd64 GNOME Display Manager
Versions of packages gnome-keyring recommends:
ii gnome-keyring-pkcs11 3.28.2-5
ii libpam-gnome-keyring 3.28.2-5
gnome-keyring suggests no packages.
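
Added example, not part of the original report and not gnome-keyring code: a way to check the symptom described above, i.e. whether a running ssh-agent was started with $DISPLAY in its environment. It assumes a Linux /proc with per-process comm and environ files; the function names environ_get and scan_agents are made up for this sketch.

```sh
#!/bin/sh
# Added diagnostic sketch: list every ssh-agent process and report whether
# DISPLAY was present in the environment it was started with.

# environ_get FILE NAME
# Print NAME's value from a /proc/PID/environ-style file (NUL-separated
# NAME=value entries). Exit status 1 if NAME is not present.
# Limitation: a value containing a newline is split by tr; harmless for DISPLAY.
environ_get() {
    _line=$(tr '\0' '\n' < "$1" | sed -n "/^$2=/{p;q;}")
    [ -n "$_line" ] || return 1
    printf '%s\n' "${_line#*=}"
}

# scan_agents [PROC_ROOT]
# For each readable process under PROC_ROOT (default /proc) whose command
# name is ssh-agent, print "PID DISPLAY=<value>" or "PID DISPLAY unset".
scan_agents() {
    _root=${1:-/proc}
    for _dir in "$_root"/[0-9]*; do
        # Skip processes that vanished or belong to another user.
        [ -r "$_dir/comm" ] && [ -r "$_dir/environ" ] || continue
        [ "$(cat "$_dir/comm" 2>/dev/null)" = "ssh-agent" ] || continue
        if _val=$(environ_get "$_dir/environ" DISPLAY); then
            echo "${_dir##*/} DISPLAY=$_val"
        else
            echo "${_dir##*/} DISPLAY unset"
        fi
    done
}

# Run against the live system (or a directory given as the first argument).
scan_agents "${1:-/proc}"
```

An agent reported as "DISPLAY unset" matches the state described in this report, where keys added with ssh-add -c fail with "agent refused operation".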