Recent ssh-agent problems?

I’ve recently experienced several ssh-agent problems on my laptop using a mix of Debian testing and unstable.

  • When I use offlineimap to fetch my mail, opening several (up to 5) SSH connections concurrently, sometimes one of the connections asks for a password. When I try again, it just works.
  • Sometimes, the ssh-agent process starts refusing connections, so I’m always asked for the passphrase. The only way to fix that is to restart the ssh-agent, by restarting my GNOME session.

Has someone else experienced those problems? It looks like a fairly recent regression.

6 thoughts on “Recent ssh-agent problems?”

  1. You seem to be confusing “ssh-agent” with “gnome-keyring”

    The former is a proper implementation of ssh-agent that does everything the protocol requires, and works well.

    The latter is a cheap knockoff of ssh-agent implemented by the GNOME people. It does not implement half of the features of ssh-agent (for instance, it does not support ssh-add’s -c or -t options), breaks on keys that have passwords in them, and is a generally shoddy implementation of ssh-agent. To make matters worse, the gconf key that is supposed to disable the ssh-agent component of gnome-keyring has no effect in its most recent versions.

  2. Indeed.
    SSH_AGENT_PID=12469 <-- that’s my ssh-add process
    SSH_AUTH_SOCK=/tmp/keyring-PzAalo/socket.ssh <-- that’s owned by gnome-keyring.

    Tsss, GNOME….

  3. Until recently, the ssh agent part of gnome keyring actually invoked a real ssh-agent and used that to do things. The result was architecturally suspect, but worked. They have “fixed” the architecture by implementing ssh agent functionality in gnome-keyring proper, but of course, they’ve only done a half-job and so you have these user-behaviour regressions. My particular bugbear is http://bugs.debian.org/524018 , which I reported upstream as http://bugzilla.gnome.org/show_bug.cgi?id=576700 and has been thus far totally ignored by the maintainers.

    This seems to be a common pattern with upstream GNOME at the moment. GNOME 2.26 uses a new IO backend instead of libgnome-vfs (GIO/GVFS). The new backend is architecturally “cleaner”, apparently, so the GNOME hackers have a warm fuzzy feeling about this. However, just about every GVFS backend has some bug in it that prevents it from working, so I can no longer access CIFS or WebDAV shares that worked fine with the older backend. Yesterday’s GNOME bugs to be ignored were 586248, 586129 and a wishlist 586247.

  4. Disabling the SSH agent in gnome-keyring worked for me:
    gconftool-2 --set -t bool /apps/gnome-keyring/daemon-components/ssh false

    (you need to logout/login)
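
A diagnostic sketch for the situation discussed in this thread, added here as an example and not part of the original post or its comments: it reports which agent implementation sits behind SSH_AUTH_SOCK, whether SSH_AGENT_PID still points at a running process, and whether the agent is reachable at all. The function names are hypothetical, and the socket-path patterns are a heuristic based on the gnome-keyring path quoted in comment 2 and the `ssh-*/agent.*` layout OpenSSH's ssh-agent used by default at the time.

```shell
#!/bin/sh
# Guess the agent implementation from the socket path (heuristic, see lead-in).
classify_sock() {
    case "$1" in
        "")                      echo "unset" ;;
        */keyring-*/socket.ssh)  echo "gnome-keyring" ;;
        */ssh-*/agent.*)         echo "openssh-agent" ;;
        *)                       echo "unknown" ;;
    esac
}

# Translate the exit status of "ssh-add -l" as documented in ssh-add(1):
# 0 = success, 1 = command failed (no identities), 2 = agent not contactable.
describe_status() {
    case "$1" in
        0) echo "reachable, keys loaded" ;;
        1) echo "reachable, no keys loaded" ;;
        2) echo "unreachable" ;;
        *) echo "unexpected exit status $1" ;;
    esac
}

# Print a short report for the current session; always returns 0.
agent_report() {
    sock="${SSH_AUTH_SOCK:-}"
    echo "SSH_AUTH_SOCK: ${sock:-<unset>} -> $(classify_sock "$sock")"

    # SSH_AGENT_PID and SSH_AUTH_SOCK can disagree, as comment 2 shows.
    if [ -n "${SSH_AGENT_PID:-}" ]; then
        name=$(ps -p "$SSH_AGENT_PID" -o comm= 2>/dev/null) || name="not running"
        echo "SSH_AGENT_PID: $SSH_AGENT_PID -> ${name:-not running}"
    fi

    # An agent that refuses connections shows up as exit status 2 here.
    if command -v ssh-add >/dev/null 2>&1; then
        rc=0
        ssh-add -l >/dev/null 2>&1 || rc=$?
        echo "agent: $(describe_status "$rc")"
    else
        echo "agent: ssh-add not installed, cannot query"
    fi
    return 0
}

agent_report
```

Running it before and after changing the gconf key and logging back in shows whether SSH_AUTH_SOCK has stopped pointing at the keyring socket.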
