[arch-general] Starting gpg-agent from systemd?
For the first time ever today, I noticed this little gem of a message from gpg:

~~~~
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work proberly - please configure that tool to not interfere with the GnuPG system!
~~~~

So I started looking into some nice way of switching to gpg-agent, but how to start it in a nice way when using Gnome? The instructions at [^1] are for the shell and for using ~/.xinitrc to start X. So neither is very well suited for me, as I'm letting GDM log me in to Gnome without use of ~/.xinitrc, and the agent has to be available also to apps started via Gnome Shell.

I have a feeling this ought to be solvable using systemd but I can't really see how. Writing a service for gpg-agent is not that difficult, and it creates the required environment file without problems. But how do I hook it in to the user login in the right way? Who should be wanting my gpg-agent.service, and then load the generated file using EnvironmentFile=?

All pointers are welcome.

/M

[^1]: https://wiki.archlinux.org/index.php/GnuPG#gpg-agent

--
Magnus Therning                      OpenPGP: 0xAB4DFBA4
email: magnus@therning.org   jabber: magnus@therning.org
twitter: magthe               http://therning.org/magnus

What gets measured, gets done.
     -- Tom Peters
On Fri, Jun 6, 2014 at 10:14 AM, Magnus Therning <magnus@therning.org> wrote:
I have a feeling this ought to be solvable using systemd but I can't really see how. Writing a service for gpg-agent is not that difficult, and it creates the required environment file without problems. But, how do I hook it in to the user login in the right way? Who should be wanting my gpg-agent.service, and then load the generated file using EnvironmentFile=?
Rather than starting it purely with systemd, have you looked into using Envoy [1] and using its PAM module to ensure it gets propagated to the entire login session?

Regards,
~Celti

[1]: https://github.com/vodik/envoy
On Fri, Jun 06, 2014 at 10:41:24AM -0700, Patrick Burroughs (Celti) wrote:
On Fri, Jun 6, 2014 at 10:14 AM, Magnus Therning <magnus@therning.org> wrote:
I have a feeling this ought to be solvable using systemd but I can't really see how. Writing a service for gpg-agent is not that difficult, and it creates the required environment file without problems. But, how do I hook it in to the user login in the right way? Who should be wanting my gpg-agent.service, and then load the generated file using EnvironmentFile=?
Rather than starting it purely with systemd, have you looked into using Envoy [1] and using its PAM module to ensure it gets propagated to the entire login session?
Thanks. I did the following:

- start the systemd service envoy@ssh-agent.socket
- add pam_envoy.so to /etc/pam.d/system-login

That got it working for ssh, but not for gpg. Is there something else I should do to also get gpg-agent support?

/M

--
Magnus Therning                      OpenPGP: 0xAB4DFBA4
email: magnus@therning.org   jabber: magnus@therning.org
twitter: magthe               http://therning.org/magnus

I invented the term Object-Oriented, and I can tell you I did not have C++ in mind.
     -- Alan Kay
On Sun, Jun 8, 2014 at 10:21 PM, Magnus Therning <magnus@therning.org> wrote:
I did the following
- start the systemd service envoy@ssh-agent.socket
- add pam_envoy.so to /etc/pam.d/system-login
That got it working for ssh, but not for gpg. Is there something else I should do to also get gpg-agent support?
Did you also start the systemd service envoy@gpg-agent.socket?

--
Bjørnar Hansen
(Tue, Jun 10, 2014 at 03:06:12PM +0200) Bjørnar Hansen:
On Sun, Jun 8, 2014 at 10:21 PM, Magnus Therning <magnus@therning.org> wrote:
I did the following
- start the systemd service envoy@ssh-agent.socket
- add pam_envoy.so to /etc/pam.d/system-login
That got it working for ssh, but not for gpg. Is there something else I should do to also get gpg-agent support?
Did you also start the systemd service envoy@gpg-agent.socket?
No, you cannot start both. However, if you start the gpg-agent version then you automatically have the ssh-agent with it. It's more or less the same as the legacy gpg-agent. As far as I am concerned I don't like that and prefer to separate the ssh agent from the gpg agent (KISS, bla bla), so to answer the OP more precisely and without using envoy:

For gpg-agent, you can add something like this in your $HOME/.config/systemd/user/gpg-agent.service

-----------
[Unit]
Description=gpg-agent
ConditionFileIsExecutable=/usr/bin/gpg-agent

[Service]
ExecStart=/usr/bin/gpg-agent --daemon --write-env-file %h/.gpg-agent-info
Type=forking
Restart=always
----------

and make sure that it is started by your systemd session. For that refer to the archlinux wiki: https://wiki.archlinux.org/index.php/Systemd/User

Then, any application that needs it should simply source the file

source $HOME/.gpg-agent-info

(for instance in your bashrc)

This is not a good solution for two reasons:

- You can have a race condition between the gpg-agent start and the bash start, which will then source a wrong file. You have no way to prevent that as your session starts in parallel with the user services.
- Same problem if by chance the gpg agent fails and restarts, putting its socket somewhere else (which it will).

There has been a ticket about that on the gpg mailing-list, which they chose not to address: http://lists.gnupg.org/pipermail/gnupg-devel/2012-October/026983.html

So there is not really a solution so far.

For ssh-agent it's a bit simpler: $HOME/.config/systemd/user/ssh-agent.service

----------------
[Unit]
Description=ssh-agent
ConditionFileIsExecutable=/usr/bin/ssh-agent

[Service]
ExecStart=/usr/bin/ssh-agent -d -a %t/ssh_auth_sock
Restart=always
----------------

And in your .bashrc/.xsession you simply need to add

export SSH_AUTH_SOCK=/var/run/user/1000/ssh_auth_sock

The above problem won't show up as we can force the agent to put its socket in a predictable place.

Cheers,
--
Ismael
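Ismael's objection is that `source $HOME/.gpg-agent-info` blindly trusts a file that may be stale (agent restarted) or half-written (race with the session start), and sourcing also executes whatever the file contains. The script below is an added example, not from the thread or from GnuPG: it parses the KEY=VALUE lines the old `--write-env-file` produced, refuses files another user could have written, and only exports the variables once the socket and agent pid are verified alive. It assumes GNU coreutils `stat`; the three function names are hypothetical helpers.

```shell
#!/bin/sh
# Added example (not from the thread, not GnuPG's own code): treat the
# gpg-agent --write-env-file output as untrusted data instead of sourcing it.
# Assumes GNU coreutils stat and the KEY=VALUE lines the old agent wrote, e.g.
#   GPG_AGENT_INFO=/tmp/gpg-XXXXXX/S.gpg-agent:1234:1
#   SSH_AUTH_SOCK=/tmp/gpg-XXXXXX/S.gpg-agent.ssh
# All three function names are hypothetical helpers.

# agent_info_value FILE KEY: print KEY's value; status 1 if the key is absent.
agent_info_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | grep .
}

# check_agent_info FILE: print a one-word verdict; status 0 only for "ok".
# Rejects files another user could have written, and entries pointing at a
# socket that is gone or an agent pid that is dead (the stale/race case).
check_agent_info() {
    file=$1
    [ -f "$file" ] || { echo no-file; return 1; }
    mode_owner=$(stat -c '%a %u' "$file")
    mode=${mode_owner% *}
    owner=${mode_owner#* }
    [ "$owner" = "$(id -u)" ] || { echo not-owned; return 1; }
    case $mode in                       # group- or world-writable?
        *[2367][0-7]|*[2367]) echo writable-by-others; return 1 ;;
    esac
    info=$(agent_info_value "$file" GPG_AGENT_INFO) || { echo no-info; return 1; }
    sock=${info%%:*}                    # format is "socket:pid:protocol-version"
    pid=${info#*:}; pid=${pid%%:*}
    case $pid in ''|*[!0-9]*) echo bad-pid; return 1 ;; esac
    [ -S "$sock" ] || { echo stale-socket; return 1; }
    kill -0 "$pid" 2>/dev/null || { echo dead-pid; return 1; }
    echo ok
}

# export_agent_info FILE: export the two variables, but only after the checks
# pass; no eval or source, so a tampered file cannot run commands.
export_agent_info() {
    check_agent_info "$1" >/dev/null || return 1
    for key in GPG_AGENT_INFO SSH_AUTH_SOCK; do
        val=$(agent_info_value "$1" "$key") && export "$key=$val"
    done
}
```

Calling `export_agent_info "$HOME/.gpg-agent-info"` from a shell rc file replaces the bare `source` line; when it fails, the verdict from `check_agent_info` tells you whether the file was stale, tampered with or simply not written yet.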
On Tue, Jun 10, 2014 at 03:06:12PM +0200, Bjørnar Hansen wrote:
On Sun, Jun 8, 2014 at 10:21 PM, Magnus Therning <magnus@therning.org> wrote:
I did the following
- start the systemd service envoy@ssh-agent.socket
- add pam_envoy.so to /etc/pam.d/system-login
That got it working for ssh, but not for gpg. Is there something else I should do to also get gpg-agent support?
Did you also start the systemd service envoy@gpg-agent.socket?
Nope, since that isn't documented anywhere I did not even know it was required :) With that it seems to work though, and if I use gpg-agent.socket *and* configure my gpg-agent to handle ssh-agent as well, then that seems to be all I need to do to get both running.

/M

--
Magnus Therning                      OpenPGP: 0xAB4DFBA4
email: magnus@therning.org   jabber: magnus@therning.org
twitter: magthe               http://therning.org/magnus

Goto labels should be left-aligned in all caps and should include the programmer's name, home phone number, and credit card number.
     -- Abdul Nizar
(Fri, Jun 06, 2014 at 07:14:45PM +0200) Magnus Therning:
The instructions at [^1] are for the shell and for using ~/.xinitrc to start X. So neither is very well suited for me as I'm letting GDM log me in to Gnome without use of ~/.xinitrc and the agent has to be available also to apps started via Gnome Shell.
I forgot about this part. Without using xinitrc, GDM sources some file. I don't remember if it is your $HOME/.xsessionrc or $HOME/.profile (or both), but you should have a look into the gdm files (pacman -Ql ...) for a file called Xsession, and there it will tell you which files are sourced before actually running your session. You can then add any command you like.

--
Ismael