Bug 228446 - security/trousers: tcsd does not shutdown if ssh-agent is left running
Summary: security/trousers: tcsd does not shutdown if ssh-agent is left running
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Hiroki Sato
Depends on:
Reported: 2018-05-23 21:28 UTC by Marcin Cieślak
Modified: 2018-05-23 21:28 UTC
CC: (none)

See Also:
bugzilla: maintainer-feedback? (hrs)


Description Marcin Cieślak 2018-05-23 21:28:26 UTC
I am using the following setup:

OpenSSL is configured to use libtpm (relevant part of openssl.cnf):

engines = engine_section

[engine_section]
foo = tpm_section

[tpm_section]
dynamic_path = /usr/local/lib/openssl/engines/libtpm.so
engine_id = tpm
default_algorithms = ALL
#default_algorithms = RAND,RSA
init = 1

SSH client is configured to use libsimple-tpm-pk11.so:

Host m
PKCS11Provider /usr/home/saper/sw/simple-tpm-pk11/.libs/libsimple-tpm-pk11.so
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
ForwardAgent yes
ForwardX11 no
User xxx

I am using a vanilla /usr/local/etc/tcsd.conf

I start ssh-agent from my .xsession file as

eval `/usr/bin/ssh-agent -s`

therefore it does not die when I kill my X session.

I noticed that tcsd blocks system shutdown (gets killed eventually by the watchdog).

A quick look at the source code and at the open sockets reveals that ssh-agent maintains a persistent connection to tcsd.

The easiest way to reproduce the problem with my config is to start a separate shell with

ssh-agent /bin/sh

and try to stop tcsd in another terminal:

sudo service tcsd stop

As long as the shell is running, tcsd will not stop.

It is enough to exit the shell, and after a second or two tcsd will shut down.

The shutdown is immediate if ssh-agent is not running.

I think tcsd should be able to notice earlier that it is time to close its sockets and go away.
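The reporter found the culprit by looking at open sockets. The following is an added example (not part of the bug report, not code from the trousers port) of the check an administrator can run before `service tcsd stop` to see which client processes still hold a TCP connection to tcsd. It assumes tcsd listens on its default port 30003 (the `port` setting in tcsd.conf; the page does not state the port), and it parses the output format of FreeBSD's `sockstat -4 -c`. The sample sockstat output embedded in the script is constructed for the demonstration.

```shell
#!/bin/sh
# List client processes connected to tcsd, so that a hanging
# "service tcsd stop" can be traced to the process holding the socket.

# Assumed tcsd listening port (default "port = 30003" in tcsd.conf).
TCSD_PORT=30003

# Read "sockstat -4 -c" output on stdin and print "user pid command"
# for every connected socket whose FOREIGN ADDRESS is tcsd's port.
# Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# (the header row has an extra field because of the spaces in the
# address column names, so it is skipped with NR > 1).
tcsd_clients() {
    awk -v port="$TCSD_PORT" '
        NR > 1 && $5 ~ /^tcp/ && $7 ~ (":" port "$") { print $1, $3, $2 }
    '
}

# Constructed sample of "sockstat -4 -c" output (not a real capture):
# ssh-agent holds a connection to tcsd, tcsd holds the server side of
# that same connection, and an unrelated HTTPS connection is present.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
saper    ssh-agent  1234  5  tcp4   127.0.0.1:54321       127.0.0.1:30003
root     tcsd       800   7  tcp4   127.0.0.1:30003       127.0.0.1:54321
saper    firefox    2222  9  tcp4   10.0.0.5:49152        93.184.216.34:443'

# Number of client connections found in the constructed sample.
count_tcsd_clients() {
    printf '%s\n' "$SAMPLE" | tcsd_clients | wc -l | tr -d ' '
}

# Live check on a FreeBSD host: warn instead of stopping tcsd while
# clients are attached (the situation described in this bug report).
check_before_stop() {
    clients=$(sockstat -4 -c | tcsd_clients)
    if [ -n "$clients" ]; then
        echo "tcsd still has connected clients; stop them first:"
        echo "$clients"
        return 1
    fi
    return 0
}
```

Sourcing the script and running `check_before_stop && sudo service tcsd stop` would, with the reporter's setup, print the `ssh-agent` line instead of waiting for the watchdog; `ssh-agent -k` (or exiting the `ssh-agent /bin/sh` shell) releases the connection, after which the stop proceeds.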