You are not logged in.

Pages: 1

#1 2024-03-08 13:43:03

CyberShadow
Member
Registered: 2016-03-03
Posts: 9
Website

$SSH_AUTH_SOCK is suddenly /run/user/1000/gcr/ssh, breaking ssh-agent

After updating, I stopped being able to use SSH:

$ ssh home.me
sign_and_send_pubkey: signing failed for ED25519 "/home/me/.ssh/id_ed25519" from agent: agent refused operation
me@home.me: Permission denied (publickey).

The problem seems to be that SSH_AUTH_SOCK is set to something weird:

echo $SSH_AUTH_SOCK              
/run/user/1000/gcr/ssh

I don't know what gcr is. I never installed it explicitly (but I see it's a hard dependency of other packages).

Looking at its units, it has:

/usr/lib/systemd/user/gcr-ssh-agent.socket:ExecStartPost=-/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gcr/ssh

And gcr-ssh-agent.socket is enabled by default:

● gcr-ssh-agent.service - GCR ssh-agent wrapper
     Loaded: loaded (/usr/lib/systemd/user/gcr-ssh-agent.service; disabled; preset: enabled)
● gcr-ssh-agent.socket - GCR ssh-agent wrapper
     Loaded: loaded (/usr/lib/systemd/user/gcr-ssh-agent.socket; enabled; preset: enabled)

I don't think Arch packages should enable things that break stuff by default.

Last edited by CyberShadow (2024-03-08 13:44:06)

Offline

#2 2024-03-08 14:22:49

seth
Member
Registered: 2012-09-03
Posts: 52,199

Re: $SSH_AUTH_SOCK is suddenly /run/user/1000/gcr/ssh, breaking ssh-agent

Yes "should" …

https://wiki.archlinux.org/title/GNOME/ … #Setup_gcr but that's not your poblem: https://wiki.archlinux.org/title/SSH_ke … _operation

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

Offline

#3 2024-03-08 14:26:30

CyberShadow
Member
Registered: 2016-03-03
Posts: 9
Website

Re: $SSH_AUTH_SOCK is suddenly /run/user/1000/gcr/ssh, breaking ssh-agent

Yes, I disabled injecting DISPLAY into systemd unit environments. I run multiple display servers, so I don't want systemd units talking to some arbitrary one.

However, that misses the point: I don't want to use gcr as the SSH key agent at all. I want to use ssh-agent, which is what seems to be used when SSH_AUTH_SOCK is unset, and which works fine otherwise.

To illustrate:

$ ssh home.me
sign_and_send_pubkey: signing failed for ED25519 "/home/me/.ssh/id_ed25519" from a
me@home.me: Permission denied (publickey).

$ unset SSH_AUTH_SOCK                     

$ ssh home.me
Enter passphrase for key '/home/me/.ssh/id_ed25519': 
You have new mail.
Last login: Fri Mar  8 08:26:32 2024

$

Last edited by CyberShadow (2024-03-08 14:30:16)

Offline

#4 2024-03-08 14:34:02

seth
Member
Registered: 2012-09-03
Posts: 52,199

Re: $SSH_AUTH_SOCK is suddenly /run/user/1000/gcr/ssh, breaking ssh-agent

The agent issue is independent of gcr or whatever agent you use.

The preset value there is completey irrelevant unless you ever ran systemctl preset-all (what is not a good idea!)
https://bbs.archlinux.org/viewtopic.php?id=293001

How exactly do you start ssh-agent?
https://wiki.archlinux.org/title/SSH_keys#ssh-agent

If  SSH_AUTH_SOCK is unset, ssh-agent won't work either.

The only question is what sets the SSH_AUTH_SOCK and the most likely answer is gnome-keyring?

Edit: w/o that variable you're just not using any agent.

Last edited by seth (2024-03-08 14:34:38)

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

Offline

#5 2024-03-08 14:40:54

CyberShadow
Member
Registered: 2016-03-03
Posts: 9
Website

Re: $SSH_AUTH_SOCK is suddenly /run/user/1000/gcr/ssh, breaking ssh-agent

seth wrote:

The preset value there is completey irrelevant unless you ever ran systemctl preset-all (what is not a good idea!)
https://bbs.archlinux.org/viewtopic.php?id=293001

I see, thank you for the correction.

If  SSH_AUTH_SOCK is unset, ssh-agent won't work either.

The only question is what sets the SSH_AUTH_SOCK and the most likely answer is gnome-keyring?

Edit: w/o that variable you're just not using any agent.

You're right! I got confused by also having ControlMaster enabled.

I found why it broke for me: I had 

if [[ ! -v SSH_AUTH_SOCK && -v XDG_RUNTIME_DIR && -e "$XDG_RUNTIME_DIR"/ssh-agent.socket ]]

as the condition for setting SSH_AUTH_SOCK to the ssh-agent one. The condition fails now that SSH_AUTH_SOCK is being set by gcr.

Thank you for your help! So that just leaves the question, what is causing the gcr units to start?

Last edited by CyberShadow (2024-03-08 14:42:21)

Offline

#6 2024-03-08 15:16:30

seth
Member
Registered: 2012-09-03
Posts: 52,199

Re: $SSH_AUTH_SOCK is suddenly /run/user/1000/gcr/ssh, breaking ssh-agent

The "problem" is that the socket is enabled and it apprently gets triggered by "something" - seems a new thing w/ https://archlinux.org/packages/extra/x86_64/gcr-4/
=> 

systemctl --user mask gcr-ssh-agent.socket

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

Offline

Pages: 1

Board footer

Powered by FluxBB