Hello Jerome,

On Fri, Jun 24, 2016 at 4:43 PM, Jerome BENOIT <calcu...@rezozer.net> wrote:
> On 24/06/16 15:21, Giuseppe Bilotta wrote:
>> So the problem is that one of the leftover files prevented the agent
>> from starting.
>
> This is not a problem: this mechanism is meant to allow several sessions
> to use the same agent.

Indeed, and that makes perfect sense. However, it does cause issues if
the agent is not actually running, either because it crashed or
because the control file was left over from a previous run.

> What is not normal is that the flag file was not removed: I suspect an
> accident and/or some confusion as it happens at migration time.

In my case, this is probably due to an unclean shutdown. I have two
issues on my machine: one is due to the system never closing down
properly if an NFS mount is active when using systemd as init. The
other is that sometimes my video driver acts up in multi-monitor
setups, especially when switching consoles and running rootless X. I
think that what happened in this case is that my machine went
completely dead after a switch from a rootless X on tty1 to
(framebuffer) console on tty2 and then back, so I was forced to do a
hard reset of the machine without logging off properly. Due to me not
logging off, the control files were still there and were never cleaned
up.

>> May I suggest adding a few more debug outputs centered around starting
>> up the agent? I don't know how it's done in pam_ssh, but if it does
>> some checks before then actually printing on debug "checking for
>> running agents" and maybe "found agent from XXXXX file, not starting"?
>
> I agree that the DEBUG message policy must be revisited.

Indeed, it should be fine to be quite verbose about what's happening,
since it's debug-only output.

>> This would at least hint at the reason why the agent is not being started.
>>
>> (Bonus points: making sure that the agent is actually running and not
>> just some leftover file?)
>
> The leftover file is a flag file (see above).
> How do you suggest deciding whether or not an agent was indeed launched by
> pam_ssh and not by any other process?

If the flag file contains the PID of the agent it launches, it could
be used to check if the agent is actually running before deciding to
not launch one.

>> (Anyway, the issue is solved for me; maybe demote it to wishlist for
>> the improved checks?)
>
> I guess that we can close it.

Sure.

> Note that you may want to launch the pam_tmpdir module before pam_ssh as 
> pam_ssh honours TMPDIR.

I have not altered the order of the modules myself, so probably the
pam-auth-update configuration file for pam_ssh should specify that it
needs to go after pam_tmpdir?

-- 
Giuseppe "Oblomov" Bilotta
