Bug#1103522: openssh-client: ssh-agent socket created in an unpredictable path

Thu, 08 May 2025 14:31:22 -0700 

Control: tags 1103522 + patch

Ah, thanks, i think i understand what is going on now!  I was able to
replicate the problem.

> Here is what I did to disable my non-systemd-managed agent and run it again
> through systemd:
> killall ssh-agent
> systemctl --enable ssh-agent.service ssh-agent.socket
> systemctl --user start ssh-agent.service

You're starting the service, when what i think you really want to start
is the socket.

For socket-activated services, the most important thing is to have the
socket listening; when someone connects to it, systemd will the correct
service.

By default, the socket is activated automatically (it ships enabled), so
most people wouldn't have run into this problem.  But, if the socket was
somehow not running (perhaps on package upgrade?) then just manually
starting the service will fail because the .service unit is designed to
work when the socket is active.

And what you did ("systemctl --user start ssh-agent.service") is also a
totally reasonable thing to do (especially for people used to managing
non-socket-activated services).

To fix this use case, we just need to tell systemd that any manual
attempt to start the ssh-agent service needs to ensure that the socket
is listening first.

We can do this with the following patch to the OpenSSH package's
ssh-agent.service file:

diff --git a/debian/systemd/ssh-agent.service b/debian/systemd/ssh-agent.service
index 72e0a3e46..19ea47c91 100644
--- a/debian/systemd/ssh-agent.service
+++ b/debian/systemd/ssh-agent.service
@@ -1,6 +1,8 @@
 [Unit]
 Description=OpenSSH Agent
 Documentation=man:ssh-agent(1)
+Requires=ssh-agent.socket
+After=ssh-agent.socket
 
 [Service]
 Environment=SSH_ASKPASS_REQUIRE=force


You can test this if you like by dropping a file with this contents into
~/.config/systemd/user/ssh-agent.service.d/override.conf :

```
# Added while debugging https://bugs.debian.org/1103522
[Unit]
Requires=ssh-agent.socket
After=ssh-agent.socket
```

Then do:

    systemctl --user daemon-reload
    systemctl --user restart ssh-agent.service

And you should see that the socket is up and the agent is listening on
the appropriate socket.

If this solves your scenario, please let me know!

(and, don't forget to remove the override.conf once we've resolved the
bug in the debian package)

Thanks for bearing with me on the debugging!

       --dkg

Attachment: signature.asc
Description: PGP signature

Reply via email to