[Bug 899647] New: xdm starts both ssh-agent and gpg-agent, disabling smartcard-based ssh logins

newer
[Bug 899616] Reboot fails at LVM2...

older
[Bug 880417] New: umount does not...

bugzilla_noreply＠novell.com

3 Oct 2014 3 Oct '14

09:37

http://bugzilla.opensuse.org/show_bug.cgi?id=899647 Bug ID: 899647 Summary: xdm starts both ssh-agent and gpg-agent, disabling smartcard-based ssh logins Classification: openSUSE Product: openSUSE 13.1 Version: Final Hardware: 64bit OS: openSUSE 13.1 Status: NEW Severity: Normal Priority: P5 - None Component: X.Org Assignee: bnc-team-xorg-bugs@forge.provo.novell.com Reporter: myemailu@gmail.com QA Contact: xorg-maintainer-bugs@forge.provo.novell.com Found By: --- Blocker: --- Smartcard-based (OpenPGP-card) based ssh-logins require a running gpg-agent. When both usessh=yes and usegpg=yes are set in /etc/X11/xdm/sys.xsession both agents (ssh-agent and gpg-agent) are started and compete with each other, thereby disabling the smartcard-based login. Suggested fix: when usegpg is set to "yes", the logic shouls be: - try to start gpg-agent - if gpg-agent is running, ignore usessh, finish - if usessh is set then try to start ssh-agent - finish -- You are receiving this mail because: You are on the CC list for the bug.

Attachments:

attachment.htm (text/html — 2.7 KB)

Show replies by date

bugzilla_noreply＠novell.com

6 Oct 6 Oct

09:28

New subject: [Bug 899647] xdm starts both ssh-agent and gpg-agent, disabling smartcard-based ssh logins

bugzilla_noreply＠novell.com

21:39

New subject: [Bug 899647] xdm starts both ssh-agent and gpg-agent, disabling smartcard-based ssh logins

http://bugzilla.opensuse.org/show_bug.cgi?id=899647 Markus Sauler changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(myemailu@gmail.co | |m) | --- Comment #5 from Markus Sauler --- Using the provided sys.xsession, X does not start anymore, This is the corresponding part of the journal: Okt 06 23:31:13 linux-5xxm kdm[7431]: :0[7431]: pam_unix(xdm:session): session opened for user mars by (uid=0) Okt 06 23:31:13 linux-5xxm systemd[1]: Starting Session 34 of user mars. Okt 06 23:31:13 linux-5xxm systemd-logind[697]: New session 34 of user mars. Okt 06 23:31:13 linux-5xxm systemd[1]: Started Session 34 of user mars. Okt 06 23:31:13 linux-5xxm org.a11y.Bus[7515]: Activating service name='org.a11y.atspi.Registry' Okt 06 23:31:13 linux-5xxm org.a11y.Bus[7515]: Successfully activated service 'org.a11y.atspi.Registry' Okt 06 23:31:13 linux-5xxm org.a11y.atspi.Registry[7574]: SpiRegistry daemon is running with well-known name - org.a11y.atspi.Registry Okt 06 23:31:13 linux-5xxm org.a11y.atspi.Registry[7574]: Xlib: extension "XEVIE" missing on display ":0". Okt 06 23:31:13 linux-5xxm org.a11y.atspi.Registry[7574]: ** (at-spi2-registryd:7580): WARNING **: Failed to register client: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files Okt 06 23:31:13 linux-5xxm org.a11y.atspi.Registry[7574]: ** (at-spi2-registryd:7580): WARNING **: Unable to register client with session manager Okt 06 23:31:13 linux-5xxm checkproc[7587]: checkproc: can not get session id for process 5620! Okt 06 23:31:13 linux-5xxm checkproc[7588]: checkproc: can not get session id for process 5620! Okt 06 23:31:13 linux-5xxm kdm[7431]: :0[7431]: pam_unix(xdm:session): session closed for user mars Okt 06 23:31:13 linux-5xxm org.a11y.atspi.Registry[7574]: XIO: fatal IO error 11 (Resource temporarily unavailable) on X server ":0" Okt 06 23:31:13 linux-5xxm org.a11y.atspi.Registry[7574]: after 21 requests (19 known processed) with 0 events remaining. Okt 06 23:31:13 linux-5xxm org.a11y.Bus[7515]: g_dbus_connection_real_closed: Remote peer vanished with error: Underlying GIOStream returned 0 bytes on an async read (g-io-error-quark, 0). Exiting. Okt 06 23:31:13 linux-5xxm org.gtk.vfs.Daemon[7515]: A connection to the bus can't be made Okt 06 23:31:13 linux-5xxm org.gtk.vfs.Daemon[7515]: g_dbus_connection_real_closed: Remote peer vanished with error: Underlying GIOStream returned 0 bytes on an async read (g-io-error-quark, 0). Exiting. Okt 06 23:31:13 linux-5xxm kdm[3580]: plymouth should quit after server startup Okt 06 23:31:14 linux-5xxm kdm[3580]: Quitting Plymouth with transition Okt 06 23:31:14 linux-5xxm kdm[3580]: Is Plymouth still running? no Okt 06 23:31:14 linux-5xxm kdm_greet[7617]: Cannot load /usr/share/kde4/apps/kdm/faces/.default.face: Datei oder Verzeichnis nicht gefunden Okt 06 23:31:16 linux-5xxm systemd-logind[697]: Removed session 34. Okt 06 23:32:28 linux-5xxm kernel: usb 3-2: USB disconnect, device number 3 -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

21:54

New subject: [Bug 899647] xdm starts both ssh-agent and gpg-agent, disabling smartcard-based ssh logins

http://bugzilla.opensuse.org/show_bug.cgi?id=899647 --- Comment #6 from Markus Sauler --- (In reply to Werner Fink from comment #4)

...

Created attachment 609016 [details] /etc/X11/xdm/sys.xsession

The new one ... it also introduce a better name space for the agent info file as testing on several systems with some virtual systems included the agent info file should be named in a unique way.

Yes, this fixes the bug. I'm not sure whether your comment about gpg-agent in the script is still valid. My setup: I have two account on a remote system, user1@remote and user2@remote user1 is configured to log-on via a openpgp smartcard, user2 is configured to accept "normal" public-key-ssh login. with only gpg-agent running, I can a) log in as user 1: ssh user1@login, the system will ask me for my openpgp-card-pin b) log in as user 2: ssh user2@remote, the system will ask for the password of my ssh key c) copy files via scp to user1 or user2 without ever having to issue gpg-connect-agent /bye -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

7 Oct 7 Oct

16:19

New subject: [Bug 899647] xdm starts both ssh-agent and gpg-agent, disabling smartcard-based ssh logins

http://bugzilla.opensuse.org/show_bug.cgi?id=899647 --- Comment #7 from Markus Sauler --- I'd like to add two miore suggestions: a) the configuration via the .myagents file seems looks fragile. I've the impression that openSUSE does not suffer from a lack of configuration options, adding one additional configuration file might not be the best option. Instead, I propose to read the .gnupg/gpg-agent.conf and check for the line "enable-ssh-support". If this line is present, we know the the user has configured gpg-agent and we can safely start gpg-agent instead of ssh-agent. If this line is not present, the user obviously did not want to use gpg-agent for ssh, so we start ssh-agent b) The gpg-agent manpage says (under "enable-ssh-support"): ...Thus if no GnuPG tool which accesses the agent has been run, there is no guarantee that ssh is abale to use gpg-agent for authentication. To fix this you may start gpg-agent if needed using this simple command: gpg-connect-agent /bye This seems to imply that issuing this command right fropm sys.xsession should fix all potential ssh-problems -- You are receiving this mail because: You are on the CC list for the bug.

3499

Age (days ago)

3503

Last active (days ago)

List overview

Download

4 comments

1 participants

participants (1)

bugzilla_noreply＠novell.com