[Bug 228446] security/trousers: tcsd does not shutdown if ssh-agent is left running
bugzilla-noreply at freebsd.org
Wed May 23 21:28:29 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228446
Bug ID: 228446
Summary: security/trousers: tcsd does not shutdown if ssh-agent is left running
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: hrs at FreeBSD.org
Reporter: saper at saper.info
Flags: maintainer-feedback?(hrs at FreeBSD.org)
I am using the following setup:
OpenSSL is configured to use libtpm:
[openssl_def]
engines = engine_section
[engine_section]
foo = tpm_section
[tpm_section]
dynamic_path = /usr/local/lib/openssl/engines/libtpm.so
engine_id = tpm
default_algorithms = ALL
#default_algorithms = RAND,RSA
init = 1
SSH client is configured to use libsimple-tpm-pk11.so:
Host m
PKCS11Provider /usr/home/saper/sw/simple-tpm-pk11/.libs/libsimple-tpm-pk11.so
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
ForwardAgent yes
ForwardX11 no
User xxx
I am using a vanilla /usr/local/etc/tcsd.conf
I start ssh-agent from my .xsession file as
eval `/usr/bin/ssh-agent -s`
therefore it does not die when I kill my X session.
I noticed that tcsd blocks system shutdown (it eventually gets killed by the watchdog).
A quick look at the source code and at the open sockets reveals that ssh-agent maintains a persistent connection to tcsd.
The easiest way to reproduce the problem with my config is to start a separate shell with
ssh-agent /bin/sh
and try to stop tcsd in another terminal:
sudo service tcsd stop
As long as the shell is running, tcsd will not stop.
It is enough to exit the shell, and after a second or two tcsd will shut down.
The shutdown is immediate if ssh-agent is not running.
I think tcsd should be able to notice earlier that it is time to close its sockets and go away.
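A practical check that follows from the report above, added here as an example (it is not part of the bug report or of the trousers port): before running "service tcsd stop", list the client processes that still hold a TCP connection to tcsd, so a lingering ssh-agent can be found and exited instead of waiting for the watchdog. It assumes things the report does not state: that tcsd listens on its default TCP port 30003 on 127.0.0.1, and that sockstat(1) prints FreeBSD's column layout (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS). The sockstat output embedded in the script is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the bug report or the trousers port.
# Lists the processes that keep a TCP connection to tcsd open; the report
# shows that such a client (ssh-agent) prevents tcsd from shutting down.
#
# Assumptions not stated in the report: tcsd listens on its default TCP
# port 30003 on 127.0.0.1, and sockstat(1) uses FreeBSD's column layout
#   USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS

TCSD_PORT="${TCSD_PORT:-30003}"

# tcsd_clients PORT: read sockstat-style lines on stdin and print one
# "PID COMMAND" line per distinct client whose foreign address ends in
# :PORT. tcsd's own listening and accepted sockets are skipped.
tcsd_clients() {
    awk -v port="$1" '
        $1 == "USER" { next }                   # column header line
        $2 == "tcsd" { next }                   # tcsd itself
        $7 ~ (":" port "$") { print $3, $2 }    # foreign address is tcsd
    ' | sort -u
}

# Constructed sample of "sockstat -4" output (not a real capture): tcsd has
# accepted one connection from a lingering ssh-agent; sshd is unrelated.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     tcsd       1234  4  tcp4   127.0.0.1:30003       *:*
root     tcsd       1234  5  tcp4   127.0.0.1:30003       127.0.0.1:52113
saper    ssh-agent  2345  3  tcp4   127.0.0.1:52113       127.0.0.1:30003
saper    sshd       2400  3  tcp4   192.0.2.10:22         192.0.2.20:50000'

# Use the live socket table on a FreeBSD host, the constructed sample elsewhere.
if command -v sockstat >/dev/null 2>&1; then
    clients=$(sockstat -4 | tcsd_clients "$TCSD_PORT")
else
    clients=$(printf '%s\n' "$SAMPLE_SOCKSTAT" | tcsd_clients "$TCSD_PORT")
fi

if [ -n "$clients" ]; then
    echo "tcsd still has clients; 'service tcsd stop' will hang until they exit:"
    echo "$clients"
else
    echo "no tcsd clients; tcsd should stop promptly"
fi
```

Run it as the user whose agent is suspected, or as root to see every user's sockets; on the constructed sample it reports "2345 ssh-agent", which is the process to exit before stopping tcsd.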
More information about the freebsd-ports-bugs mailing list