[arch-general] Starting gpg-agent from systemd?

Ismael Bouya ismael.bouya at normalesup.org
Tue Jun 10 09:42:32 EDT 2014


(Tue, Jun 10, 2014 at 03:06:12PM +0200) Bjørnar Hansen:
> On Sun, Jun 8, 2014 at 10:21 PM, Magnus Therning <magnus at therning.org> wrote:
> > I did the following
> >
> > - start the systemd service envoy at ssh-agent.socket
> > - add pam_envoy.so to /etc/pam.d/system-login
> >
> > That got it working for ssh, but not for gpg.  Is there something else
> > I should do to also get gpg-agent support?
> 
> Did you also start the systemd service envoy at gpg-agent.socket?

No, you cannot start both.
However, if you start the gpg-agent version then you automatically have the
ssh-agent with it. It's more or less the same as the legacy gpg-agent. As
far as I am concerned I don't like that and prefer to separate the ssh agent
from the gpg agent (KISS, bla bla), so to answer the OP more precisely and
without using envoy:

For gpg-agent, you can add something like this to your
$HOME/.config/systemd/user/gpg-agent.service
-----------
[Unit]
Description=gpg-agent
ConditionFileIsExecutable=/usr/bin/gpg-agent

[Service]
ExecStart=/usr/bin/gpg-agent --daemon --write-env-file %h/.gpg-agent-info
Type=forking
Restart=always
----------
and make sure that it is started by your systemd session. For that refer to
the archlinux wiki: https://wiki.archlinux.org/index.php/Systemd/User

Then, any application that needs it should simply source the file:
source $HOME/.gpg-agent-info
(for instance in your bashrc)

This is not a good solution for two reasons:
- You can have a race condition between the gpg-agent start and the bash
  start, which will then source a wrong file. You have no way to prevent
  that as your session starts in parallel with the user services.
- Same problem if by chance the gpg agent fails and restarts, putting its
  socket somewhere else (which it will).

There has been a ticket about that on the gpg mailing list, which they
chose not to address:
http://lists.gnupg.org/pipermail/gnupg-devel/2012-October/026983.html
So there is not really a solution so far.

For ssh-agent it's a bit simpler:
$HOME/.config/systemd/user/ssh-agent.service
----------------
[Unit]
Description=ssh-agent
ConditionFileIsExecutable=/usr/bin/ssh-agent

[Service]
ExecStart=/usr/bin/ssh-agent -d -a %t/ssh_auth_sock
Restart=always
----------------
And in your .bashrc/.xsession you simply need to add:
export SSH_AUTH_SOCK=/var/run/user/1000/ssh_auth_sock

The above problem won't show up as we can force the agent to put its
socket in a predictable place.

Cheers,
-- 
Ismael
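Added example, not part of Ismael's mail and not GnuPG's or systemd's own code: a POSIX sh snippet that, instead of blindly sourcing $HOME/.gpg-agent-info from .bashrc as described above, parses the file, checks that the socket it names exists and that the PID is alive, and retries briefly before giving up. This narrows rather than closes the race the mail describes (if the agent has not written the file yet, the load still times out), but it does catch the stale-file case after an agent crash or restart, because the old socket path no longer exists. The env-file line format (GPG_AGENT_INFO=<socket>:<pid>:1, plain assignment lines) is assumed from gpg 2.0's --write-env-file behaviour, and all function names are invented for this example.

```shell
#!/bin/sh
# Added example (not from the original mail). Validate the file written by
# `gpg-agent --write-env-file` before trusting it, rather than blindly
# sourcing it from .bashrc.
#
# Assumed file format (gpg 2.0 --write-env-file, plain assignment lines):
#   GPG_AGENT_INFO=/tmp/gpg-XXXXXX/S.gpg-agent:12345:1
# All function names below are invented for this example.

# Print "SOCKET PID" parsed from env file $1; fail on a missing file,
# a missing variable, a relative socket path or a non-numeric PID.
gpg_agent_info_parse() {
    f=$1
    [ -r "$f" ] || return 1
    info=$(sed -n 's/^GPG_AGENT_INFO=//p' "$f" | head -n 1)
    [ -n "$info" ] || return 1
    sock=${info%%:*}        # everything before the first ':'
    pid=${info#*:}          # drop the socket path ...
    pid=${pid%%:*}          # ... and the trailing ':1' protocol version
    case $sock in /*) ;; *) return 1 ;; esac
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    printf '%s %s\n' "$sock" "$pid"
}

# Succeed only if $1 is a unix socket and $2 is a live process, i.e. the
# file is not a leftover from a previous agent that crashed or restarted.
gpg_agent_alive() {
    [ -S "$1" ] && kill -0 "$2" 2>/dev/null
}

# Poll env file $1 for up to $2 seconds (default 5) for a live agent.
# On success export GPG_AGENT_INFO and return 0; on timeout leave the
# environment untouched and return 1 so callers can tell the difference.
# (gpg's socket lives under /tmp/gpg-XXXXXX, so no spaces are expected
# in the path; the word split on ' ' below relies on that.)
gpg_agent_env_load() {
    file=$1
    deadline=${2:-5}
    i=0
    while :; do
        if parsed=$(gpg_agent_info_parse "$file"); then
            sock=${parsed% *}
            pid=${parsed#* }
            if gpg_agent_alive "$sock" "$pid"; then
                GPG_AGENT_INFO="$sock:$pid:1"
                export GPG_AGENT_INFO
                return 0
            fi
        fi
        i=$((i + 1))
        if [ "$i" -gt "$deadline" ]; then
            return 1
        fi
        sleep 1
    done
}

# Wrapper for interactive use: re-read the env file (one attempt, no wait)
# right before calling gpg, so a shell started before the agent, or an
# agent that restarted with a new socket, does not keep a stale value.
gpg_with_agent() {
    gpg_agent_env_load "${HOME}/.gpg-agent-info" 0 ||
        echo "gpg_with_agent: no live gpg-agent found in ~/.gpg-agent-info" >&2
    command gpg "$@"
}
```

In a .bashrc you would call `gpg_agent_env_load "$HOME/.gpg-agent-info" 5` once at startup and use `gpg_with_agent` (or an alias of the same shape) for the per-call refresh; the return value tells you whether the variable was actually set, which a plain `source` never does.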