xinitrc replaces gnome-keyring SSH_AUTH_SOCK with ssh-agent
Status: RESOLVED: FIXED
Product: Xfce-utils
Component: General

Comments

Description Michał Górny 2009-12-12 13:56:10 CET
Created attachment 2729 
Proposed fix

/etc/xdg/xfce4/xinitrc starts ssh-agent automatically on xfce startup, even if gnome-keyring is already running as an SSH agent (started by PAM). This way, ssh-agent replaces the SSH_AUTH_SOCK set by gkr, which is unintended.

As a solution, I suggest adding a check for SSH_AUTH_SOCK along with SSH_AGENT_PID (which isn't set by gkr).
Comment 1 Brian J. Tarricone (not reading bugmail) 2009-12-12 20:17:10 CET
Hmm, the problem is that there isn't a good way to check that the auth sock is actually valid and isn't a stale env var left over from something else.

The xinitrc script in master tries a "kill -0 $SSH_AGENT_PID" to see if the agent is actually running.  If we don't know the PID, and only have the socket, there's no way to tell if it's good or not.  (Of course, the 4.6 script doesn't even check that much, but in theory it should.)  I'm not really comfortable with this patch, but I don't have a better idea to fix it on our end.  Ideally, gkr should set SSH_AGENT_PID as well, and that would fix the problem, but they may have a good reason to avoid setting it.
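
The two checks discussed so far, the SSH_AUTH_SOCK test proposed in the description and the `kill -0 $SSH_AGENT_PID` test mentioned in comment 1, combined in one guard. This is an added example, not part of the original thread and not the Xfce xinitrc code; `need_ssh_agent` is a hypothetical helper name, and the ownership test on the socket is an assumption added here.

```shell
#!/bin/sh
# Added example (not the Xfce script): decide whether session startup code
# should launch a new ssh-agent. need_ssh_agent is a hypothetical name.
# Returns 0 when a new agent should be started, 1 when one is already advertised.
need_ssh_agent() {
    # Case 1: the agent exported its PID (ssh-agent does, gnome-keyring does not).
    # "kill -0" delivers no signal; it only tests that the process exists.
    if [ -n "${SSH_AGENT_PID:-}" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null; then
        return 1
    fi

    # Case 2: only a socket path is advertised (the gnome-keyring case).
    # -S: the path exists and is a socket, so a leftover variable pointing at
    #     a missing path or a regular file is rejected.
    # -O: the socket belongs to the current user (assumption added here), so
    #     an inherited path to someone else's agent is not trusted.
    # Neither test proves that a process is still listening, which is the
    # limitation raised in comment 1.
    if [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] \
        && [ -O "$SSH_AUTH_SOCK" ]; then
        return 1
    fi

    return 0
}

# Report the decision for the current environment without starting anything.
if need_ssh_agent; then
    echo "no usable agent advertised: startup code would run ssh-agent"
else
    echo "existing agent kept: SSH_AUTH_SOCK is left untouched"
fi
```
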
Comment 2 Felipe Contreras 2010-08-16 10:16:07 CEST
(In reply to comment #1)
> Hmm, the problem is that there isn't a good way to check that the auth sock is
> actually valid and isn't a stale env var left over from something else.

Why is ssh-agent called from there in the first place? Shouldn't it be another service in /etc/xdg/autostart?
Comment 3 Yves-Alexis Perez 2010-09-16 06:02:46 CEST
(In reply to comment #2)
> (In reply to comment #1)
> > Hmm, the problem is that there isn't a good way to check that the auth sock is
> > actually valid and isn't a stale env var left over from something else.
> 
> Why is ssh-agent called from there in the first place? Shouldn't it be another
> service in /etc/xdg/autostart?

autostart is too late in the startup process. It has to be a parent of xfce4-session so every child inherits the SSH_AUTH_SOCK and SSH_AGENT_PID envvar.
Comment 4 Felipe Contreras 2010-09-16 06:40:44 CEST
(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > Hmm, the problem is that there isn't a good way to check that the auth sock is
> > > actually valid and isn't a stale env var left over from something else.
> > 
> > Why is ssh-agent called from there in the first place? Shouldn't it be another
> > service in /etc/xdg/autostart?
> 
> autostart is too late in the startup process. It has to be a parent of
> xfce4-session so every child inherits the SSH_AUTH_SOCK and SSH_AGENT_PID
> envvar.

Nope, GNOME starts the keyring through autostart, but of course you would have to register Xfce as a session manager in dbus, and listen for when environment variables are requested to be updated.

http://live.gnome.org/SessionManagement/GnomeSession

The only other sane option is to make it a configuration directly in the preferences, so that the user can choose between gnome compat's keyring, or ssh-agent.
Comment 5 Yves-Alexis Perez 2010-09-16 07:39:12 CEST
(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)
> > > (In reply to comment #1)
> > > > Hmm, the problem is that there isn't a good way to check that the auth sock is
> > > > actually valid and isn't a stale env var left over from something else.
> > > 
> > > Why is ssh-agent called from there in the first place? Shouldn't it be another
> > > service in /etc/xdg/autostart?
> > 
> > autostart is too late in the startup process. It has to be a parent of
> > xfce4-session so every child inherits the SSH_AUTH_SOCK and SSH_AGENT_PID
> > envvar.
> 
> Nope, GNOME starts the keyring through autostart, but of course you would have
> to register Xfce as a session manager in dbus, and listen for when environment
> variables are requested to be updated.
> 
> http://live.gnome.org/SessionManagement/GnomeSession

Yes, as you know xfce4-session doesn't support this. So my point still stands, autostart is too late in the process.
> 
> The only other sane option is to make it a configuration directly in the
> preferences, so that the user can choose between gnome compat's keyring, or
> ssh-agent.

That's already the case. If you select “Start gnome services at startup”, then gnome-keyring is run. In 4.6 it uses the old api though, so it doesn't work correctly. But there are patches to make it start correctly and replace ssh-agent.

See http://bugzilla.xfce.org/show_bug.cgi?id=5912
Comment 6 Felipe Contreras 2010-09-16 08:23:50 CEST
(In reply to comment #5)
> (In reply to comment #4)
> > (In reply to comment #3)
> > > (In reply to comment #2)
> > > > (In reply to comment #1)
> > > > > Hmm, the problem is that there isn't a good way to check that the auth sock is
> > > > > actually valid and isn't a stale env var left over from something else.
> > > > 
> > > > Why is ssh-agent called from there in the first place? Shouldn't it be another
> > > > service in /etc/xdg/autostart?
> > > 
> > > autostart is too late in the startup process. It has to be a parent of
> > > xfce4-session so every child inherits the SSH_AUTH_SOCK and SSH_AGENT_PID
> > > envvar.
> > 
> > Nope, GNOME starts the keyring through autostart, but of course you would have
> > to register Xfce as a session manager in dbus, and listen for when environment
> > variables are requested to be updated.
> > 
> > http://live.gnome.org/SessionManagement/GnomeSession
> 
> Yes, as you know xfce4-session doesn't support this. So my point still stands,
> autostart is too late in the process.

I know what the status quo is; my point is that it *should* be done with autostart. This would be the most extensible way, and would help autostart scripts that require this.

> > The only other sane option is to make it a configuration directly in the
> > preferences, so that the user can choose between gnome compat's keyring, or
> > ssh-agent.
> 
> That's already the case. If you select “Start gnome services at startup”, then
> gnome-keyring is run. In 4.6 it uses the old api though, so it doesn't work
> correctly. But there are patches to make it start correctly and replace
> ssh-agent.
> 
> See http://bugzilla.xfce.org/show_bug.cgi?id=5912

Yes, I am also aware of that. But I still think starting ssh-auth in /etc/xdg/xfce4/xinitrc is wrong, it should be left to other layers to do that; either gdm (like it happens on Fedora), /etc/xdg/autostart/ssh-agent.desktop which would need dbus session support, or in xfce4-session itself just like gnome-keyring is run right now (as an option).

Alternatively, /etc/xdg/xfce4/xinitrc could read a configuration file somewhere that specifies whether or not ssh-agent should be run.
Comment 7 Yves-Alexis Perez 2010-09-16 08:42:44 CEST
(In reply to comment #6)

> I know what is the status-quo; my point is that it *should* be done with
> autostart. This would be the most extensible way, and would help autostart
> scripts that require this.

Then you might want to open another enhancement bug on xfce4-session asking about the gnome-session dbus protocol. Which doesn't seem to be a FD.o standard, so it would be a prerequisite anyway. And don't hold your breath, Brian isn't really working on xfce4-session nowadays.

> 
> > > The only other sane option is to make it a configuration directly in the
> > > preferences, so that the user can choose between gnome compat's keyring, or
> > > ssh-agent.
> > 
> > That's already the case. If you select “Start gnome services at startup”, then
> > gnome-keyring is run. In 4.6 it uses the old api though, so it doesn't work
> > correctly. But there are patches to make it start correctly and replace
> > ssh-agent.
> > 
> > See http://bugzilla.xfce.org/show_bug.cgi?id=5912
> 
> Yes, I am also aware of that. But I still think starting ssh-auth in
> /etc/xdg/xfce4/xinitrc is wrong, it should be left to other layers to do that;

For what it's worth, I agree :)

> either gdm (like it happens on Fedora), /etc/xdg/autostart/ssh-agent.desktop
> which would need dbus session support, or in xfce4-session itself just like
> gnome-keyring is run right now (as an option).

Imho it's ssh-agent itself which needs to take care of that. In Debian it's already working thanks to the (non standard) Xsession.d stuff. I'm not too sure why it's not upstream and what's the position with xinitrc.d stuff, though.

And as stated on the other bug report, I don't think starting each and everything out there is the role of Xfce4 (whether by xfce4-utils xinitrc or by xfce4-session). Tools should take care of that themselves, but as said above, it requires a common ground. Autostart already works for stuff needed *after* session start, we might need a common stuff for stuff needed *before*.
> 
> Alternatively, /etc/xdg/xfce4/xinitrc could read a configuration file somewhere
> that specifies whether or not ssh-agent should be run.

In 4.7 xinitrc reads an xfconf key (which is not set by any GUI, you have to set it manually).
Comment 8 Jérôme Guelfucci 2010-10-24 22:07:10 CEST
Fixed in git master, this was caused by incorrect gnome-keyring-daemon initialization.

Bug #6073

Reported by: Michał Górny
Reported on: 2009-12-12
Last modified on: 2010-10-24

People

Assignee: Xfce Bug Triage
CC List: 4 users

Attachments

Proposed fix (665 bytes, patch), 2009-12-12 13:56 CET, Michał Górny