ssh-agent: eval hangs without --deterministic-shutdown
#5751
Comments
This sounds like it reports the pid inside firejail and not the pid of the initial pid-namespace.

This works because it kills the ssh-agent daemon process I guess.

Good observation. I'll do more testing and compare what SSH_AGENT_PID and SSH_AUTH_SOCK contain with/without firejail.
UPDATE Even when the 'hanging issue' can be fixed via I'm closing #5752 and #5753 as both PRs have lost their relevancy in this context IMO. FWIW we don't need to do anything for

Does this affect only the
Wouldn't both sides having access to the socket be enough regardless of any
If the only problem is the PID namespace, wouldn't it be enough to use
This might even be a good way to have multiple ssh-agent instances running with
Examples of theoretically isolated groups (using
Good to know.
Yes; that was done for nvm.profile. If ssh-agent.profile is to be dropped, I

It's the general case that's broken:

    $ eval "$(firejail --deterministic-shutdown /usr/bin/ssh-agent -s)"
    Agent pid 11
    $ echo $SSH_AUTH_SOCK
    /tmp/ssh-XXXXXXaUfxD4/agent.10
    $ echo $SSH_AGENT_PID
    11
    $ ssh-add -l
    Error connecting to agent: No such file or directory

This works:

    $ firejail --noblacklist=/tmp/.X11-unix /usr/bin/ssh-agent xterm
    [glitsj16@lab Downloads]$ ssh-add -l
    The agent has no identities.

Although I can understand your reasoning, how could one
Luckily there are several other SSH agents that do work when firejailed.
Ah I see what the problem is now.

There is nothing running as

    $ eval "$(firejail --deterministic-shutdown /usr/bin/ssh-agent -s)"
    Agent pid 5
    $ firejail --tree | grep ssh-agent
    $
    $ ls "$SSH_AUTH_SOCK"
    ls: cannot access '/tmp/ssh-XXXXXXYk2ZGD/agent.4': No such file or directory

As for hanging when trying to daemonize, it seems to be due to the following

As a workaround, it looks like it's possible to have the shell put

    $ firejail /usr/bin/ssh-agent -s >output &
    $ . output
    Agent pid 4
    $ ssh-add -l
    The agent has no identities.

It seems to work regardless of

Note also that ssh-agent can be told not to daemonize. From ssh-agent(1):

Which also works:

    $ firejail /usr/bin/ssh-agent -s -D >output &
    $ . output
    Agent pid 4
    $ ssh-add -l
    The agent has no identities.

Not sure whether it would be better to use

Good to know.
@kmk3 Thanks for researching and the workarounds. After further experimentation I settled on an ssh-agent systemd user service hardened via firejail. For me that's the most convenient way, as I had some trouble implementing your workarounds via shell scripting. In both cases I had to run the Until there's a fix for #3491 it seems there's nothing much to do here for the ssh-agent profile.
No problem.
Here's an attempt (it's not very pretty, but it works):

myssh-agent (simplified version):

    #!/bin/sh
    # Put it in a restricted directory since it's intended for eval
    output="$HOME/.config/firejail/ssh-agent-$$.tmp"
    firejail /usr/bin/ssh-agent -s "$@" >"$output" &
    sleep 1
    cat "$output"
    rm -f "$output"

myssh-agent (with error handling):

    #!/bin/sh
    # Put it in a restricted directory since it's intended for eval
    dir="$HOME/.config/firejail"
    mkdir -p "$dir"
    output="$dir/ssh-agent-$$.tmp"
    firejail /usr/bin/ssh-agent -s "$@" >"$output" &
    sleep 1
    cat "$output"
    # Just in case it fails to write in time
    error=0
    if ! grep -q 'export SSH_AGENT_PID' "$output"; then
        printf 'error: incomplete output\n' >&2
        error=1
    fi
    rm -f "$output"
    exit "$error"

Run it as:

    eval "$(myssh-agent)"

Thanks for the shell scripts. Very nice!
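The "background the sandboxed agent, then source its output" workaround and the diagnosis earlier in the thread (socket missing on the host, pid reported from inside the sandbox), combined into one wrapper. This is an added example, not kmk3's script and not part of firejail. Instead of a fixed `sleep 1` it polls for ssh-agent's final `echo Agent pid N;` line (printed with and without -D), passes only the two export lines through to eval, refuses an SSH_AUTH_SOCK that is not a socket on the host, and keeps SSH_AGENT_PID only if that number is actually an ssh-agent on the host, since ssh-agent prints its pid as seen inside firejail's PID namespace. Assumed: firejail and /usr/bin/ssh-agent are installed (only `launch_agent` needs them), `sleep` accepts fractional seconds (GNU or busybox), and /proc is mounted for the pid check; the output in `write_constructed_output` is a constructed sample.

```shell
#!/bin/sh
# Added example (not code from the firejail project or the issue thread):
# wrapper for `eval "$(... launch)"` around a firejailed ssh-agent with
# checks on what comes out of the sandbox. Assumes firejail, ssh-agent,
# fractional sleep (GNU/busybox) and /proc; sample data is constructed.

# Poll FILE up to TRIES times, INTERVAL seconds apart, until ssh-agent has
# written its final "echo Agent pid N;" line (present with and without -D).
wait_for_agent_output() {
    file=$1 tries=$2 interval=$3
    while [ "$tries" -gt 0 ]; do
        if grep -q '^echo Agent pid [0-9][0-9]*;$' "$file" 2>/dev/null; then
            return 0
        fi
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] && sleep "$interval"
    done
    return 1
}

# The result is meant for eval, so pass through only the two export lines
# in exactly the shape ssh-agent -s emits them; everything else is dropped.
agent_env_from_output() {
    grep -E '^SSH_AUTH_SOCK=[A-Za-z0-9_./-]+; export SSH_AUTH_SOCK;$|^SSH_AGENT_PID=[0-9]+; export SSH_AGENT_PID;$' "$1"
}

socket_from_output() {
    sed -n 's/^SSH_AUTH_SOCK=\([^;]*\); export SSH_AUTH_SOCK;$/\1/p' "$1"
}

agent_pid_from_output() {
    sed -n 's/^SSH_AGENT_PID=\([0-9]*\); export SSH_AGENT_PID;$/\1/p' "$1"
}

# The socket must be visible from the host, which is where ssh-add runs.
check_agent_socket() {
    [ -S "$1" ]
}

# ssh-agent reports its pid inside the sandbox's PID namespace; on the host
# that number may belong to an unrelated process, or to nothing at all.
check_agent_pid() {
    [ "$(cat "/proc/$1/comm" 2>/dev/null)" = ssh-agent ]
}

# Constructed sample of `ssh-agent -s` output, for exercising the parsing
# functions without firejail.
write_constructed_output() {
    printf '%s\n' \
        'SSH_AUTH_SOCK=/tmp/ssh-CONSTRUCTED/agent.4; export SSH_AUTH_SOCK;' \
        'SSH_AGENT_PID=5; export SSH_AGENT_PID;' \
        'echo Agent pid 5;' >"$1"
}

launch_agent() {
    dir="$HOME/.config/firejail"   # restricted directory, as in the thread
    mkdir -p "$dir" || return 1
    out="$dir/ssh-agent-$$.tmp"
    : >"$out"
    # Redirecting stdout to a file (not the eval pipe) is what avoids the hang.
    firejail /usr/bin/ssh-agent -s "$@" >"$out" &
    if ! wait_for_agent_output "$out" 50 0.1; then
        printf 'error: ssh-agent did not report its socket in time\n' >&2
        rm -f "$out"
        return 1
    fi
    sock=$(socket_from_output "$out")
    if ! check_agent_socket "$sock"; then
        printf 'error: %s is not a socket on the host side\n' "$sock" >&2
        rm -f "$out"
        return 1
    fi
    pid=$(agent_pid_from_output "$out")
    if [ -n "$pid" ] && ! check_agent_pid "$pid"; then
        printf 'warning: pid %s is not ssh-agent on the host; dropping SSH_AGENT_PID\n' "$pid" >&2
        agent_env_from_output "$out" | grep -v '^SSH_AGENT_PID='
    else
        agent_env_from_output "$out"
    fi
    rm -f "$out"
}

# Usage: eval "$(sh myssh-agent launch)"   (extra arguments go to ssh-agent)
if [ "${1-}" = launch ]; then
    shift
    launch_agent "$@"
fi
```

Dropping SSH_AGENT_PID rather than exporting the in-namespace number matters because `ssh-agent -k` sends SIGTERM to whatever `$SSH_AGENT_PID` holds; evaluated on the host, a pid like 4 or 5 would target a different process entirely. The agent remains usable through the socket, which is all ssh-add and ssh need.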
I've had deterministic-shutdown in myssh-agent.local ever since the option was introduced. Never realised until accidentally bumping into this today that the current ssh-agent.profile is likely broken for most users.

The bad...

The good...