SSH Keys Only Added After Second Login After Reboot
aldenjenkins opened this issue · comments
For whatever reason, my ssh-agent does not populate the keys correctly during my first login after reboot, but when I log out and log back in, my ssh-agent correctly adds the keys as expected.
In other words, ssh-add -l returns no values on my first login after reboot, but returns all expected values after my second login.
My ssh-agent is running as a user-specific systemd service; could it be that it's starting after the pam_exec command runs?
My system-local-login file:
#%PAM-1.0
session required pam_env.so
auth include system-login
account include system-login
password include system-login
session include system-login
auth optional pam_gnupg.so
auth optional pam_exec.so expose_authtok /usr/bin/pam_exec-ssh
session optional pam_gnupg.so
My /etc/environment:
#
# This file is parsed by pam_env module
#
# Syntax: simple "KEY=VAL" pairs on separate lines
#
XDG_CONFIG_HOME=/home/alden/.config
XDG_DATA_HOME=/home/alden/.local/share
XDG_CACHE_HOME=/home/alden/.cache
XDG_RUNTIME_DIR=/run/user/1000
XAUTHORITY="${XDG_RUNTIME_DIR}/Xauthority"
SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/ssh-agent.socket"
Finally, I am running Arch.
My ssh-agent is running as a user-specific systemd service; could it be that it's starting after the pam_exec command runs?
Yes, that could be the reason.
What kind of screenlocker do you use?
I use slock (suckless lock), but I don't know if that would make a difference.
I use it with physlock like this:
#!/bin/sh
systemctl restart --user gpg-agent.service
systemctl restart --user ssh-agent.service
physlock
This script runs at startup and if I lock the screen.
If I restart the services, the cached password is gone. Also, a fresh daemon starts. That's what you need. Otherwise the ssh-agent starts later with no cached password.
Do you use system-local-login for your PAM module that you install the pam_exec call to?
I use /etc/pam.d/physlock, which is distributed with physlock.
But the file should not make a difference. You can also use include to include other files.
As everything works except the startup, your PAM config is OK, I guess.
So in my case I guess it comes down to my user ssh-agent systemd service starting after the pam_exec function is called in system-local-login. I can't think of a way to get around this yet... herm.... :O
I simply have the systemd user service enabled. Nothing special to it. I don't have a good mental model around when they are started relative to when PAM modules are run.
Then run it before slock?
I haven't used slock in years; it doesn't have a PAM module.
You said you use it?
I have it installed :)
I don't think it has an effect on loading systemd user files before PAM executes though, right?
PAM is executed when you log in. slock changes nothing about it.
When a user service starts depends on other rules.
exactly. slock has no effect on the cause of the bug :)
I am curious if you have any other suggestions, as i have no clue what could be causing this.
Does your ssh-agent run before you log in the first time?
It starts whenever a normal systemd --user service starts.
When that happens is what I'm not sure of.
I haven't changed anything which would change the default start time.
Then you have to fix it.
By starting the service manually or by enabling the service.
The service is enabled. The important point for this issue, again, is that I am doing everything correctly here.
You use a systemd user service for ssh-agent; so do I. What else could it be, in your mind?
The point is that you don't know when the service starts. But it needs to be running before it can work.
Yes, and I was hoping you'd know of a way to diagnose :) Either way, I've just found a solution. Running loginctl enable-linger 1000 (replace 1000 with your user id) allows systemd user services to start on reboot before login.
Is this worth adding as a note somewhere on the readme?
I added an info to the README.md.
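As an added diagnostic, not part of this thread and not code from the pam_exec-ssh project (the helper at /usr/bin/pam_exec-ssh above), the following POSIX shell script checks the three conditions the discussion converged on: lingering must be enabled for the user so that the user manager (and with it the agent) is already up when pam_exec runs at first login, and the agent unit must be both enabled and active. It assumes the unit is named ssh-agent.service and that the socket path matches the SSH_AUTH_SOCK line from the /etc/environment shown above; both names are assumptions chosen to match the thread, not project defaults. The decision logic is kept in functions that take the command output as arguments, so it can be exercised without a systemd host; the live probe only runs when loginctl and systemctl are present.

```shell
#!/bin/sh
# Added example, not from the pam_exec-ssh project or the thread's participants.
# Checks why a user-level ssh-agent may not be reachable when pam_exec fires
# at the first login after boot. Assumed names (hypothetical, matching the
# thread): unit ssh-agent.service, socket $XDG_RUNTIME_DIR/ssh-agent.socket.

# Interpret the output of `loginctl show-user <uid> -p Linger`.
# Returns 0 when the line says Linger=yes, 1 otherwise (including empty input).
linger_enabled() {
    case "$1" in
        *Linger=yes*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine the three observations into a one-word verdict.
#   $1: loginctl Linger output   $2: systemctl --user is-enabled output
#   $3: systemctl --user is-active output
diagnose() {
    if ! linger_enabled "$1"; then
        # Without lingering the user manager only starts at the first login,
        # i.e. after pam_exec has already tried to hand the passphrase to the agent.
        echo "no-linger"
    elif [ "$2" != "enabled" ]; then
        echo "not-enabled"
    elif [ "$3" != "active" ]; then
        echo "not-active"
    else
        echo "ok"
    fi
}

# Remediation for each verdict; the no-linger case is the fix found in the thread.
advice() {
    case "$1" in
        no-linger)   echo "run: loginctl enable-linger $(id -u)" ;;
        not-enabled) echo "run: systemctl --user enable ssh-agent.service" ;;
        not-active)  echo "run: systemctl --user start ssh-agent.service" ;;
        ok)          echo "agent should be up at login; verify SSH_AUTH_SOCK points at it" ;;
        *)           echo "unknown verdict: $1" ;;
    esac
}

# Gather the real values on a systemd host and report them.
run_live() {
    uid=$(id -u)
    linger=$(loginctl show-user "$uid" -p Linger 2>/dev/null)
    enabled=$(systemctl --user is-enabled ssh-agent.service 2>/dev/null)
    active=$(systemctl --user is-active ssh-agent.service 2>/dev/null)
    verdict=$(diagnose "$linger" "$enabled" "$active")
    echo "verdict: $verdict"
    advice "$verdict"
    # Assumed socket location, mirroring the SSH_AUTH_SOCK line in /etc/environment.
    sock="${XDG_RUNTIME_DIR:-/run/user/$uid}/ssh-agent.socket"
    if [ -S "$sock" ]; then
        echo "socket present: $sock"
    else
        echo "socket missing: $sock"
    fi
}

# Only probe the system when systemd's tools are actually available.
if command -v loginctl >/dev/null 2>&1 && command -v systemctl >/dev/null 2>&1; then
    run_live
fi
```

Run it as the affected user after a reboot but before the second login; a verdict of no-linger is the situation described in this issue, and a verdict of ok with a missing socket points at a mismatch between the unit's listen path and SSH_AUTH_SOCK rather than at start ordering.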