安装 24.04 时出现问题

Question

SebMa

Asked: 2025-02-22 01:28:42 +0800 CST2025-02-22 01:28:42 +0800 CST 2025-02-22 01:28:42 +0800 CST

如何使用 openssh 代理 systemd 用户“ssh-agent.service”？

772

我尝试在 Ubuntu 24.04 上使用 openssh ssh 代理 systemd 用户服务。

从 Ubuntu 16.10 开始，openssh-client软件包包含一个ssh-agent.service用户服务文件：

$ lsb_release -sr
No LSB modules are available.
24.04
$ dpkg -S user/ssh-agent.service
openssh-client: /usr/lib/systemd/user/ssh-agent.service
$ systemctl --user cat ssh-agent.service
# /usr/lib/systemd/user/ssh-agent.service
[Unit]
Description=OpenSSH Agent
Documentation=man:ssh-agent(1)
Before=graphical-session-pre.target
ConditionPathExists=/etc/X11/Xsession.options
Wants=dbus.socket
After=dbus.socket

[Service]
# If you need to pass extra arguments to ssh-agent, you can use "systemctl
# --user edit ssh-agent.service" to add a drop-in unit with contents along
# these lines:
#   [Service]
#   ExecStart=
#   ExecStart=/usr/lib/openssh/agent-launch start -- -t 1200
ExecStart=/usr/lib/openssh/agent-launch start
ExecStopPost=/usr/lib/openssh/agent-launch stop
$

因此我尝试启动它但它没有活动：

$ systemctl --user start ssh-agent.service
$ systemctl --user is-active ssh-agent.service
inactive
$

经过一些研究，我设置了SSH_AUTH_SOCK变量：

$ ssh myUbuntu-24-04-Server
$ export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/openssh_agent
$ systemctl --user stop ssh-agent.service
$ systemctl --user start ssh-agent.service
$ ls $SSH_AUTH_SOCK
ls: cannot access '/run/user/1000/openssh_agent': No such file or directory
$ systemctl --user is-active ssh-agent.service
inactive
$ systemctl --user status ssh-agent.service
○ ssh-agent.service - OpenSSH Agent
     Loaded: loaded (/usr/lib/systemd/user/ssh-agent.service; static)
     Active: inactive (dead)
       Docs: man:ssh-agent(1)

Feb 21 17:41:56 myUbuntu-24-04-Server systemd[118809]: Started ssh-agent.service - OpenSSH Agent.
Feb 21 18:08:15 myUbuntu-24-04-Server systemd[119096]: Started ssh-agent.service - OpenSSH Agent.
Feb 21 18:10:31 myUbuntu-24-04-Server systemd[119096]: Started ssh-agent.service - OpenSSH Agent.
Feb 21 18:11:24 myUbuntu-24-04-Server systemd[119096]: Started ssh-agent.service - OpenSSH Agent.
Feb 21 18:18:49 myUbuntu-24-04-Server systemd[119442]: Started ssh-agent.service - OpenSSH Agent.
$

但是，此服务在以前的 Ubuntu LTS（22.04）上启动正常：

$ ssh myUbuntu-22-04-Server
$ lsb_release -sr
22.04
$ export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/openssh_agent
$ systemctl --user start ssh-agent.service
$ systemctl --user status ssh-agent.service
● ssh-agent.service - OpenSSH Agent
     Loaded: loaded (/usr/lib/systemd/user/ssh-agent.service; static)
     Active: active (running) since Fri 2025-02-21 18:40:55 CET; 4min 17s ago
       Docs: man:ssh-agent(1)
   Main PID: 23068 (ssh-agent)
      Tasks: 1 (limit: 19005)
     Memory: 1.1M
        CPU: 6ms
     CGroup: /user.slice/user-1000.slice/[email protected]/app.slice/ssh-agent.service
             └─23068 ssh-agent -D -a /run/user/1000/openssh_agent

Feb 21 18:40:55 myUbuntu-22-04-Server systemd[22133]: Started OpenSSH Agent.
Feb 21 18:40:55 myUbuntu-22-04-Server agent-launch[23070]: dbus-update-activation-environment: setting SSH_AUTH_SOCK=/run/user/1000/openssh_agent
Feb 21 18:40:55 myUbuntu-22-04-Server agent-launch[23070]: dbus-update-activation-environment: setting SSH_AGENT_LAUNCHER=openssh
Feb 21 18:40:55 myUbuntu-22-04-Server agent-launch[23068]: SSH_AUTH_SOCK=/run/user/1000/openssh_agent; export SSH_AUTH_SOCK;
Feb 21 18:40:55 myUbuntu-22-04-Server agent-launch[23068]: echo Agent pid 23068;
$ ssh-add -l
The agent has no identities.
$

EDIT0：我的错，SSH_AUTH_SOCK没有必要手动设置变量。

我在 Ubuntu 22.04 上重新测试了，无需手动设置变量就可以正常工作 SSH_AUTH_SOCK。

但在 Ubuntu 24.04 上，我得到的结果如下：

$ ssh -X myUser@myUbuntu-24-04-Server
myUser@myUbuntu-24-04-Server:~$ echo $XDG_RUNTIME_DIR
/run/user/1000
myUser@myUbuntu-24-04-Server:~$ echo $SSH_AUTH_SOCK

myUser@myUbuntu-24-04-Server:~$ grep use-ssh-agent /etc/X11/Xsession.options
use-ssh-agent
myUser@myUbuntu-24-04-Server:~$ unset SSH_AUTH_SOCK
myUser@myUbuntu-24-04-Server:~$ systemctl --user start ssh-agent.service
myUser@myUbuntu-24-04-Server:~$ systemctl --user status ssh-agent.service
○ ssh-agent.service - OpenSSH Agent
     Loaded: loaded (/usr/lib/systemd/user/ssh-agent.service; static)
     Active: inactive (dead)
       Docs: man:ssh-agent(1)

Feb 21 17:41:56 myUbuntu-24-04-Server systemd[118809]: Started ssh-agent.service - OpenSSH Agent.
Feb 21 18:08:15 myUbuntu-24-04-Server systemd[119096]: Started ssh-agent.service - OpenSSH Agent.
Feb 21 18:10:31 myUbuntu-24-04-Server systemd[119096]: Started ssh-agent.service - OpenSSH Agent.
Feb 21 18:11:24 myUbuntu-24-04-Server systemd[119096]: Started ssh-agent.service - OpenSSH Agent.
Feb 21 18:18:49 myUbuntu-24-04-Server systemd[119442]: Started ssh-agent.service - OpenSSH Agent.
Feb 24 17:54:39 myUbuntu-24-04-Server systemd[151016]: Started ssh-agent.service - OpenSSH Agent.
Feb 24 17:56:01 myUbuntu-24-04-Server systemd[151016]: Started ssh-agent.service - OpenSSH Agent.
Feb 24 18:15:38 myUbuntu-24-04-Server systemd[151355]: Started ssh-agent.service - OpenSSH Agent.
Feb 24 18:17:06 myUbuntu-24-04-Server systemd[151355]: Started ssh-agent.service - OpenSSH Agent.
myUser@myUbuntu-24-04-Server:~$ systemctl --user is-active ssh-agent.service
inactive
myUser@myUbuntu-24-04-Server:~$ ssh-add -l
Could not open a connection to your authentication agent. 
myUser@myUbuntu-24-04-Server:~$

你能帮助我吗？

1 个回答

Voted

mpboden · Answer 1 · 2025-02-23T00:55:54+08:00

服务未处于“活动”状态的原因如下：

您没有use-ssh-agent在中定义/etc/X11/Xsession.options。
$SSH_AUTH_SOCK在开始之前您已经定义了ssh-agent.service。
SSH_AUTH_SOCK也在 Systemd --user 范围内定义gpg-agent-ssh.socket。

我们先看一下ssh-agent.service单元文件，单元启动时，/usr/lib/openssh/agent-launch通过以下代码行调用脚本：

ExecStart=/usr/lib/openssh/agent-launch start

查看该脚本，我们有以下内容：

$ cat /usr/lib/openssh/agent-launch
#!/bin/sh
# helper script for launching ssh-agent, used by systemd unit
set -e

if [ ! -d "$XDG_RUNTIME_DIR" ]; then
    # shellcheck disable=SC2016
    echo 'This needs $XDG_RUNTIME_DIR to be set' >&2
    exit 1
fi

if [ "$1" = start ]; then
    if [ -z "$SSH_AUTH_SOCK" ] && grep -s -q '^use-ssh-agent$' /etc/X11/Xsession.options; then
        S="$XDG_RUNTIME_DIR/openssh_agent"
        dbus-update-activation-environment --verbose --systemd SSH_AUTH_SOCK="$S" SSH_AGENT_LAUNCHER=openssh
        exec ssh-agent -D -a "$S"
    fi
elif [ "$1" = stop ]; then
    if [ "$SSH_AGENT_LAUNCHER" = openssh ]; then
        dbus-update-activation-environment --systemd  SSH_AUTH_SOCK=
    fi
else
    echo "Unknown command $1" >&2
    exit 1
fi

我们可以从中得到以下几点信息：

$XDG_RUNTIME_DIR需要定义为环境变量
$SSH_AUTH_SOCK需要未定义
use-ssh-agent需要在/etc/X11/Xsession.options

接下来，查看的输出systemctl --user show-environment。这将显示你的 Systemd --user 范围环境变量：

$ systemctl --user show-environment
HOME=/home/mike
LANG=en_US.UTF-8
LOGNAME=mike
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/>
SHELL=/bin/bash
USER=mike
XDG_RUNTIME_DIR=/run/user/1000
XDG_DATA_DIRS=/usr/local/share/:/usr/share/:/var/lib/snapd/desktop
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
GSM_SKIP_SSH_AGENT_WORKAROUND=true
SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh

注意SSH_AUTH_SOCK已定义。这将阻止ssh-agent.service启动和定义此变量。

当ssh-agent运行时，它想要定义SSH_AUTH_SOCK。引用ssh-agent(1) 手册页：

SSH_AUTH_SOCK  When ssh-agent starts, it creates a UNIX-domain socket and stores its pathname in this
                    variable.  It is accessible only to the current user, but is easily abused by root or
                    another instance of the same user.

无论如何，在 Ubuntu 24.04 的默认状态下，SSH_AUTH_SOCK是由名为的套接字单元文件定义的gpg-agent-ssh.socket，这就是为什么它在 Systemd --user 范围内可用并在的输出中可见的原因systemctl --user show-environment。查看gpg-agent-ssh.socket单元文件的内容，您将看到如何SSH_AUTH_SOCK使用来定义ExecStartPost=：

$ systemctl --user cat gpg-agent-ssh.socket
# /usr/lib/systemd/user/gpg-agent-ssh.socket
[Unit]
Description=GnuPG cryptographic agent (ssh-agent emulation)
Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)

[Socket]
ListenStream=%t/gnupg/S.gpg-agent.ssh

# See the below link for why we need GSM_SKIP_SSH_AGENT_WORKAROUND:
# https://git.gnome.org/browse/gnome-session/tree/gnome-session/main.c?h=3.24.0#n419
# in order to avoid race condition this environment should be set before SSH_AUTH_SOCK
ExecStartPre=systemctl --user set-environment GSM_SKIP_SSH_AGENT_WORKAROUND="true"

# after creating and binding the service notify environment
# no need to test config file because service directly pass fd overwritting the config file
ExecStartPost=systemctl --user set-environment SSH_AUTH_SOCK="%t/gnupg/S.gpg-agent.ssh"

# before unbinding stop to export that we listen to socket
ExecStopPre=systemctl --user unset-environment SSH_AUTH_SOCK
ExecStopPost=systemctl --user unset-environment GSM_SKIP_SSH_AGENT_WORKAROUND

FileDescriptorName=ssh
Service=gpg-agent.service
SocketMode=0600
DirectoryMode=0700

[Install]
WantedBy=sockets.target

修复

对于 Ubuntu 24.04，要启用ssh-agent您需要执行以下操作：

定义use-ssh-agent于/etc/X11/Xsession.options：
```
$ cat /etc/X11/Xsession.options
use-ssh-agent
```
防止SSH_AUTH_SOCK在启动时被定义在 Systemd --user 作用域中gpg-agent-ssh.socket。这可以通过以下任一选项来实现：

选项 1：

使用以下步骤创建一个override.conf清除ExecStartPre、ExecStartPost、ExecStopPre和的文件：ExecStopPost
- 运行systemctl --user edit gpg-agent-ssh.socket编辑并创建override.conf文件，添加以下内容：
```
[Socket]
ExecStartPre=
ExecStartPost=
ExecStopPre=
ExecStopPost=
```
- 保存并退出。
- 然后使用重新加载配置更改systemctl --user daemon-reload。
选项 2：

只需掩码即可gpg-agent-ssh.socket。这将阻止创建套接字。
- 跑步systemctl --user mask gpg-agent-ssh.socket。
- 然后使用重新加载配置更改systemctl --user daemon-reload。
在 Systemd --user 范围中取消设置SSH_AUTH_SOCK，该范围之前已使用单元文件定义gpg-agent-ssh.socket。您需要在启动之前取消设置ssh-agent.service：
```
systemctl --user unset-environment SSH_AUTH_SOCK`
```
在文件中添加一个[Install]部分。这将允许您“启用”该服务并使其在启动时启动。override.confssh-agent.service
```
$ systemctl --user edit ssh-agent
[Install}
WantedBy=default.target
```
然后使用重新加载配置更改systemctl --user daemon-reload。

启用并启动ssh-agent.service

systemctl --user enable --now ssh-agent

导出SSH_AUTH_SOCK以便.bashrc此环境变量全局可用。否则ssh-add将看不到可用的套接字，因为它看不到 Systemd --user 范围变量。
- 将以下内容添加到底部.bashrc：
  
  export SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/openssh_agent"
- 然后重新加载.bashrc：
```
source ~/.bashrc
```

经过上述配置后：

你将拥有一个全局SSH_AUTH_SOCK变量：

$ echo $SSH_AUTH_SOCK
/run/user/1000/openssh_agent

这将匹配 Systemd --user 范围变量：

$ systemctl --user show-environment
HOME=/home/mike
LANG=en_US.UTF-8
LOGNAME=mike
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/>
SHELL=/bin/bash
USER=mike
XDG_RUNTIME_DIR=/run/user/1000
XDG_DATA_DIRS=/usr/local/share/:/usr/share/:/var/lib/snapd/desktop
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
SSH_AGENT_LAUNCHER=openssh
SSH_AUTH_SOCK=/run/user/1000/openssh_agent

ssh-agent将被启用并处于活动状态（运行）：

$ systemctl --user status ssh-agent
● ssh-agent.service - OpenSSH Agent
     Loaded: loaded (/usr/lib/systemd/user/ssh-agent.service; enabled; preset: enabled)
    Drop-In: /home/mike/.config/systemd/user/ssh-agent.service.d
             └─override.conf
     Active: active (running) since Wed 2025-02-26 05:43:00 UTC; 4min 12s ago
       Docs: man:ssh-agent(1)
   Main PID: 1513 (ssh-agent)
      Tasks: 1 (limit: 9327)
     Memory: 1.1M (peak: 1.4M)
        CPU: 12ms
     CGroup: /user.slice/user-1000.slice/[email protected]/app.slice/ssh-agent.service
             └─1513 ssh-agent -D -a /run/user/1000/openssh_agent

Feb 26 05:43:00 ubuntu24server systemd[1158]: Started ssh-agent.service - OpenSSH Agent.
Feb 26 05:43:00 ubuntu24server agent-launch[1516]: dbus-update-activation-environment: setting SSH_A>
Feb 26 05:43:00 ubuntu24server agent-launch[1516]: dbus-update-activation-environment: setting SSH_A>
Feb 26 05:43:00 ubuntu24server agent-launch[1513]: SSH_AUTH_SOCK=/run/user/1000/openssh_agent; expor>
Feb 26 05:43:00 ubuntu24server agent-launch[1513]: echo Agent pid 1513;

输出ssh-add -l不会出错：

$ ssh-add -l
The agent has no identities.

如何使用 openssh 代理 systemd 用户“ssh-agent.service”？

修复

如何运行 .sh 脚本？

如何安装 .tar.gz（或 .tar.bz2）文件？

如何列出所有已安装的软件包

无法锁定管理目录 (/var/lib/dpkg/) 是另一个进程在使用它吗？

如何使用 openssh 代理 systemd 用户“ssh-agent.service”？

1 个回答

修复

相关问题