[Bug 228446] security/trousers: tcsd does not shutdown if ssh-agent is left running

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed May 23 21:28:29 UTC 2018 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228446

            Bug ID: 228446
           Summary: security/trousers: tcsd does not shutdown if ssh-agent
                    is left running
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: hrs at FreeBSD.org
          Reporter: saper at saper.info
             Flags: maintainer-feedback?(hrs at FreeBSD.org)
          Assignee: hrs at FreeBSD.org

I am using the following setup:

OpenSSL is configured to use libtpm:

[openssl_def]
engines = engine_section

[engine_section]

foo = tpm_section

[tpm_section]
dynamic_path = /usr/local/lib/openssl/engines/libtpm.so
engine_id = tpm
default_algorithms = ALL
#default_algorithms = RAND,RSA
init = 1

SSH client is configured to use libsimple-tpm-pk11.so:

Host m
PKCS11Provider /usr/home/saper/sw/simple-tpm-pk11/.libs/libsimple-tpm-pk11.so
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
ForwardAgent yes
ForwardX11 no
User xxx

I am using a vanilla /usr/local/etc/tcsd.conf

I start ssh-agent from my .xsession file as

eval `/usr/bin/ssh-agent -s`

therefore it does not die when I kill my X session.

I noticed that tcsd blocks system shutdown (gets killed eventually by the
watchdog).

Quick look at the source code and open sockets reveals, that ssh-agent
maintains   a persistent connection to tcsd.

The easiest way to reproduce the problem with my config is to start a separate
shell with

ssh-agent /bin/sh

and try to stop tcsd in another terminal:

sudo service tcsd stop

as long as the shell is running tcsd will not stop.

It is enough to exit the shell and after a second or two tcsd will shutdown.

The shutdown is immediate if ssh-agent is not running.

I think tcsd should be able to notice earlier that it is time to close its
sockets and go away.

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-ports-bugs mailing list