I’ve recently experienced several ssh-agent problems on my laptop using a mix of Debian testing and unstable.
- When I use offlineimap to fetch my mail, opening several (up to 5) SSH connections concurrently, sometimes one of the connections asks for a password. When I try again, it just works.
- Sometimes, the ssh-agent process starts refusing connections, so I’m always asked for the passphrase. The only way to fix that is to restart the ssh-agent, by restarting my GNOME session.
Has someone else experienced those problems? It looks like a fairly recent regression.
You seem to be confusing “ssh-agent” with “gnome-keyring”.
The former is a proper implementation of ssh-agent that does everything the protocol requires, and works well.
The latter is a cheap knockoff of ssh-agent implemented by the GNOME people. It does not implement half of the features of ssh-agent (for instance, it does not support ssh-add’s -c or -t options), breaks on keys that have passwords in them, and is a generally shoddy implementation of ssh-agent. To make matters worse, the gconf key that is supposed to disable the ssh-agent component of gnome-keyring has no effect in its most recent versions.
Indeed.
SSH_AGENT_PID=12469 <-- that’s my ssh-add process
SSH_AUTH_SOCK=/tmp/keyring-PzAalo/socket.ssh <-- that’s owned by gnome-keyring.
Tsss, GNOME….
You might be interested in weighing in on #516230 and #493874. My own response is to remove gnome-keyring entirely. But on systems that can’t afford to do that, you might prefer to just remove libpam-gnome-keyring so that the busted utility doesn’t get spawned before your X session even starts. :(
Until recently, the ssh agent part of gnome keyring actually invoked a real ssh-agent and used that to do things. The result was architecturally suspect, but worked. They have “fixed” the architecture by implementing ssh agent functionality in gnome-keyring proper, but of course, they’ve only done a half-job and so you have these user-behaviour regressions. My particular bugbear is http://bugs.debian.org/524018, which I reported upstream as http://bugzilla.gnome.org/show_bug.cgi?id=576700 and has been thus far totally ignored by the maintainers.
This seems to be a common pattern with upstream GNOME at the moment. GNOME 2.26 uses a new IO backend instead of libgnome-vfs (GIO/GVFS). The new backend is architecturally “cleaner”, apparently, so the GNOME hackers have a warm fuzzy feeling about this. However, just about every GVFS backend has some bug in it that prevents it from working, so I can no longer access CIFS or WebDAV shares that worked fine with the older backend. Yesterday’s GNOME bugs to be ignored were 586248, 586129 and a wishlist 586247.
Disabling the SSH agent in gnome-keyring worked for me:
gconftool-2 --set -t bool /apps/gnome-keyring/daemon-components/ssh false
(you need to logout/login)
wouter: there’s a bug opened to track the implementation of constraints: http://bugzilla.gnome.org/show_bug.cgi?id=525574. Do you have more details on your other issues?
Lucas: filed http://bugzilla.gnome.org/show_bug.cgi?id=586480 for the SSH_AGENT_PID issue.