Bug 1088564 - "ssh-agent" is not started on login to Plasma5-Wayland
"ssh-agent" is not started on login to Plasma5-Wayland
Status: NEW
: 1182869 (view as bug list)
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: KDE Workspace (Plasma)
Leap 15.4
x86-64 SUSE Other
: P3 - Medium : Normal (vote)
: ---
Assigned To: E-Mail List
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-04-08 01:08 UTC by Neil Rickert
Modified: 2022-07-26 12:32 UTC (History)
9 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Neil Rickert 2018-04-08 01:08:03 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build Identifier: 

This happens in both Leap 15.0 and Tumbleweed.

When I login to a Plasma5-Wayland session, "ssh-agent" is not running for the desktop session.  This happens whether I use SDDM or GDM for the login manager.

I'm aware that Plasma5-Wayland isn't really ready for prime time.  Still, it would be nice to have this fixed by the time Leap 15.0 is officially released.

My current workaround -- I'm starting "ssh-agent" in the shell startup file (with cross checks so that it isn't started if already running).

Reproducible: Always
Comment 1 Fabian Vogt 2018-04-18 17:36:39 UTC
ssh-agent is never started by itself - how did you configure autostart?
Comment 2 Wolfgang Bauer 2018-04-18 17:46:45 UTC
(In reply to Fabian Vogt from comment #1)
> ssh-agent is never started by itself

It is started by /etc/X11/xdm/sys.xsession if a gpg config is found in the user's home.

Btw, I think there is another bug report already that this doesn't work on Wayland, but I'm not sure.
Comment 3 Fabian Vogt 2018-04-18 17:49:25 UTC
(In reply to Wolfgang Bauer from comment #2)
> (In reply to Fabian Vogt from comment #1)
> > ssh-agent is never started by itself
> 
> It is started by /etc/X11/xdm/sys.xsession if a gpg config is found in the
> user's home.
> 
> Btw, I think there is another bug report already that this doesn't work on
> Wayland, but I'm not sure.

If that's the only place, it's by design. No files in /etc/X11/ are ever read in a wayland session.

The correct place is in /etc/xdg/autostart/, it also has the benefit of it being visible in the autostart KCM.
Comment 4 Wolfgang Bauer 2018-04-18 17:58:00 UTC
(In reply to Fabian Vogt from comment #3)
> If that's the only place, it's by design. No files in /etc/X11/ are ever read
> in a wayland session.

AFAICT, it is the only place.
And that explains why this has been reported as bug at all I suppose.

> The correct place is in /etc/xdg/autostart/, it also has the benefit of it
> being visible in the autostart KCM.

With gpg 2.1 or higher, gpg-agent should actually be autostarted on demand though AFAIK.

See also bug#1050438.
Comment 5 Neil Rickert 2018-04-18 20:47:00 UTC
I'm not quite sure what you are asking.

ssh-agent has always been started for KDE and other desktops.

When Gnome first became available on Wayland, that had the same problem.  It is now corrected, but I think that uses seahorse.

The KaOS distro does start ssh-agent on Wayland session startup (perhaps only if ".ssh" exists in home directory.

I can manage either way, but some consistency would be useful.

I'm currently starting from my shell startup script.  That's ".login" since I am a csh user.  In effect, the startup script checks whether $SSH_AUTH_SOCK is defined in the environment. If not defined, it uses:
 eval `ssh-agent -c`
to start ssh-agent.

This depends on the session startup running the shell startup script.  Starting as a normal autostart application probably would not work, because that would not set the environment for the entire session.
Comment 6 Fabian Vogt 2018-04-19 06:55:38 UTC
(In reply to Neil Rickert from comment #5)
> I'm not quite sure what you are asking.
> 
> ssh-agent has always been started for KDE and other desktops.
> 
> When Gnome first became available on Wayland, that had the same problem.  It
> is now corrected, but I think that uses seahorse.
> 
> The KaOS distro does start ssh-agent on Wayland session startup (perhaps
> only if ".ssh" exists in home directory.
> 
> I can manage either way, but some consistency would be useful.

The only way I'd be happy with is an actual upstream way the same on every distro and DE. Implementing everything downstream is just a waste of time.
Can you create an upstream bug on bugs.kde.org?

> I'm currently starting from my shell startup script.  That's ".login" since
> I am a csh user.  In effect, the startup script checks whether
> $SSH_AUTH_SOCK is defined in the environment. If not defined, it uses:
>  eval `ssh-agent -c`
> to start ssh-agent.
>
> This depends on the session startup running the shell startup script. 
> Starting as a normal autostart application probably would not work, because
> that would not set the environment for the entire session.

Indeed. You'd need to put it into ~/.config/plasma-workspace/env/.
Comment 7 Neil Rickert 2018-04-19 23:28:07 UTC
It seems that the recommended KDE way of doing this is with a suitable script in
 $HOME/.config/plasma-workspace/env

I've tested that with something like:

#### ksshagt.sh ###
if [ -z "$SSH_AUTH_SOCK" ] ; then
        eval `ssh-agent -s`
fi
####

The "if" test is needed, in case the KDE login is with X11, where there is already ssh-agent being started and we won't want to start a second one.  And it is recommended that a shutdown script also be used to terminate ssh-agent on logout.

This seems to be working fine, and is probably better than using the standard shell startup script.
Comment 8 Mathias Homann 2019-02-13 09:19:24 UTC
i think somewhere along this report you guys started to get ssh-agent and gpg-agent mixed up...

anyway, i can confirm the same problem, plus according to google the folks over at redhat are having the same issue with gnome.

also, the workaround from #7 helps for ssh-agent; gpg-agent seems to behave properly already on wayland.
Comment 9 Maximilian Trummer 2021-04-28 15:18:04 UTC
*** Bug 1182869 has been marked as a duplicate of this bug. ***
Comment 10 Maximilian Trummer 2021-04-28 15:19:43 UTC
(In reply to Neil Rickert from comment #7)
> It seems that the recommended KDE way of doing this is with a suitable
> script in
>  $HOME/.config/plasma-workspace/env

This blocks loading the desktop until you entered the KWallet password, but it works.
I guess there's no way to make it asynchronous, right?
Comment 11 Mathias Homann 2021-04-28 20:12:28 UTC
there's a pam module that can unlock your wallet on log in.
Comment 12 Neil Rickert 2021-04-29 00:42:32 UTC
Responding to c#10

>This blocks loading the desktop until you entered the KWallet password, but it works.

Then you are doing too much in your script.  You are starting ssh-agent and you are adding a key.

Just start ssh-agent, then you won't run into problems.  You can setup a separate script, maybe with systems-settings --> startup and shutdown
for adding a key.

Starting ssh-agent needs to be done early in startup, so that the relevant ENVIRONMENT variables can be shared with the entire desktop.  So it has to be synchronous.  But adding a key can be done later in startup, because the key is just handed to the already running ssh-agent, which does any sharing needed.
Comment 13 Ludwig Nussel 2022-02-24 09:05:07 UTC
Can we find a solution that just works across Wayland, X11, DMs and DEs?

Ie move /usr/etc/X11/xdm/scripts/11-ssh-agent somewhere to be found by all methods?
Comment 14 Stefan Dirsch 2022-02-24 09:56:59 UTC
I don't know. There are more scripts in this directory, which might be relevant for Wayland and others affected. It could be found before the move to /usr/etc and it can still be found when adjusting the path. Reference for the /usr/etc move: boo#1173049
Comment 15 Ludwig Nussel 2022-07-04 12:40:54 UTC
Any update on this? Today I switched to Wayland on TW for curiosity as I keep having isses with X but missing ssh-agent hits there too.
Comment 16 Stefan Dirsch 2022-07-04 14:40:30 UTC
I don't have any, but I already commented on this ...
Comment 17 Ludwig Nussel 2022-07-18 12:42:51 UTC
Looks like this is how Fedora does it:
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/ssh-agent.service

However, considering bug #1201564, maybe a socket unit would also work. Ideally we'd just set the default IdentityAgent setting in sshd to $XDG_RUNTIME_DIR/ssh-agent.socket so no env vars are needed by default.
Comment 19 Fabian Vogt 2022-07-25 13:59:55 UTC
(In reply to Ludwig Nussel from comment #18)
> How about this?
> 
> https://build.opensuse.org/package/rdiff/home:lnussel:branches:network/
> openssh?opackage=openssh&oproject=network&rev=4

IMO it's on the right track, but it could be made DE agnostic by using "graphical-session.target" and maybe some DE specific mentions in After=, like plasma-kwin_wayland.service for WAYLAND_DISPLAY. The latter could be avoided by instead making it conditional on XDG_SESSION_TYPE=wayland somehow.
Comment 20 Ludwig Nussel 2022-07-26 12:32:24 UTC
GNOME doesn't need it. Looks like gnome-keyring-daemon provides the ssh socket.