[pkg-gnupg-maint] Bug#1101471: starting of agent for system accounts is inacceptable
Andreas Metzler
ametzler at bebt.de
Mon Mar 31 16:44:44 BST 2025
On 2025-03-28 Marc Haber <mh+debian-packages at zugschlus.de> wrote:
> On Fri, Mar 28, 2025 at 07:22:22PM +0100, Andreas Metzler wrote:
>> On 2025-03-28 Marc Haber <mh+debian-packages at zugschlus.de> wrote:
>>> from the README:
>>> |Since 2.1.17, users on machines with systemd will have their gpg-agent
>>> |process launched automatically by systemd's user session, upon first
>>> |access of any of the expected gpg-agent sockets (including the ssh
>>> |socket). systemd will also cleanly tear this process down at session
>>> |logout.
>>> I find that inacceptable at least for system accounts. The suggested
>>> remedy is to manually mask four systemd units inside every single
>>> account.
>> [...]
>> I am a little bit too slow right now to wade through systemd's
>> documentation but afaiui systemd's user sessions happen on login, which
>> usually is disabled for system accounts.
> It, for example, happens for the account that my ansible is running against.
Hello,
just to clarify: we are not starting gpg-agent automatically on login. We
are shipping systemd user session units to launch gpg-agent under
systemd's monitoring when gpg *needs* an agent. The other way to do this
is to let gpg itself start a gpg-agent as a long-running daemon the first
time it needs it.
If your ansible service ends up starting gpg-agent it is probably
invoking gpg in a way that needs gpg-agent. gpg-agent is not an optional
component of the gnupg toolsuite. Why do you find it inacceptable to run
gpg-agent under systemd control in your usage scenario?
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'