NOT APPROVED: keychain

Ville Skyttä ville.skytta at iki.fi
Fri Aug 5 12:32:14 UTC 2005


On Fri, 2005-08-05 at 14:56 +0300, Ville Skyttä wrote:

> I noticed a problem with the opt-in mechanism in the keychain package.
> When a user who has done the opt-in and has such an ssh-agent running
> runs "sudo -s", a new keychain/ssh-agent appears to be executed as root,
> but using the original user's keys.  This does not happen if I use the
> old way of stuffing the commands from the man page into ~/.bash_profile.
> Plain "su" or "su -" seem to behave as expected, no matter whether the
> ~/.keychainrc or ~/.bash_profile way is being used.

...and after reverting back to the ~/.bash_profile way locally, the bad
interaction on X login is back.  The ssh-agent started by Xsession
overwrites the env settings of the one started by keychain.  And the
keys I entered a passphrase for during login were added to the agent
started by keychain.  Sigh.

$ ps ax | grep ssh-agent
 6854 ?        Ss     0:00 ssh-agent
 6906 ?        Ss     0:00 /usr/bin/ssh-agent /usr/bin/dbus-launch
--exit-with-session /etc/X11/xinit/Xclients
 7480 pts/2    S+     0:00 grep ssh-agent

$ cat .keychain/gk012.intra.net-sh
SSH_AUTH_SOCK=/tmp/ssh-gjDCgm6853/agent.6853; export SSH_AUTH_SOCK;
SSH_AGENT_PID=6854; export SSH_AGENT_PID;

$ printenv | grep SSH_
SSH_AGENT_PID=6906
SSH_AUTH_SOCK=/tmp/ssh-fRQpDY6774/agent.6774
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
$ ssh-add -l
The agent has no identities.
$ . ~/.keychain/gk012.intra.net-sh
$ ssh-add -l
[prints the added key's fingerprint]
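The session above shows two agents: the one recorded in ~/.keychain/<host>-sh and the one the Xsession exported into the environment. The following POSIX shell snippet is an added example (not part of the original message or of the keychain package) that parses a keychain-style `<host>-sh` file without sourcing it and reports whether the environment points at the same agent, so the mismatch can be detected before `ssh-add` loads keys into the wrong agent. The sample file contents, PIDs and socket paths are constructed for the demonstration; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example: detect a mismatch between the ssh-agent recorded by a
# keychain-style file and the ssh-agent the current environment points at.

# Extract one variable (SSH_AUTH_SOCK or SSH_AGENT_PID) from a file of the form
#   SSH_AUTH_SOCK=/tmp/ssh-xxxx/agent.NNN; export SSH_AUTH_SOCK;
# without sourcing it, so the caller's environment is left untouched.
keychain_var() {
    # $1 = keychain-style file, $2 = variable name
    sed -n "s/^$2=\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# Print "same" when the given PID and socket match the file, "different" when
# they do not, and "none" when the file carries no usable agent settings.
# $2 and $3 default to the current environment's SSH_AGENT_PID / SSH_AUTH_SOCK.
compare_agents() {
    file=$1
    env_pid=${2:-${SSH_AGENT_PID:-}}
    env_sock=${3:-${SSH_AUTH_SOCK:-}}
    file_pid=$(keychain_var "$file" SSH_AGENT_PID)
    file_sock=$(keychain_var "$file" SSH_AUTH_SOCK)
    if [ -z "$file_pid" ] || [ -z "$file_sock" ]; then
        echo "none"
    elif [ "$env_pid" = "$file_pid" ] && [ "$env_sock" = "$file_sock" ]; then
        echo "same"
    else
        echo "different"
    fi
}

# True when the agent named in the file is still running and its socket exists;
# a stale file is a third failure mode worth distinguishing from a mismatch.
agent_alive() {
    file_pid=$(keychain_var "$1" SSH_AGENT_PID)
    file_sock=$(keychain_var "$1" SSH_AUTH_SOCK)
    [ -n "$file_pid" ] && kill -0 "$file_pid" 2>/dev/null && [ -S "$file_sock" ]
}

# Demonstration on a constructed file (values chosen to mirror the format of
# the ~/.keychain/<host>-sh file shown in the message, not taken from it).
demo_file=$(mktemp)
printf '%s\n' \
    'SSH_AUTH_SOCK=/tmp/ssh-example0001/agent.1001; export SSH_AUTH_SOCK;' \
    'SSH_AGENT_PID=1002; export SSH_AGENT_PID;' > "$demo_file"

# Environment pointing at a different (e.g. Xsession-started) agent.
echo "env from other agent: $(compare_agents "$demo_file" 2002 /tmp/ssh-example0002/agent.2001)"
# Environment pointing at the keychain agent.
echo "env from keychain:    $(compare_agents "$demo_file" 1002 /tmp/ssh-example0001/agent.1001)"
rm -f "$demo_file"
```

Run `compare_agents ~/.keychain/$(hostname)-sh` with no further arguments to check the live environment; a "different" result before sourcing the file is exactly the state the message describes, and `agent_alive` tells whether sourcing it would help or merely point at a dead agent.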
