Since the 1:10.0p1-1 → 1:10.0p1-2 upgrade, the user socket for ssh-agent
is no longer created in ${XDG_RUNTIME_DIR}/openssh_agent, but at an >unpredictable path under /tmp.
As an example, here is what it currently uses on my system: >/tmp/ssh-EwtbKB5qzA6k/agent.3932465
(the path changes each time the ssh-agent user service is restarted)
This breaks the use of commands like ssh-add, as they can no longer find
the socket.
This is most probably related to the fix for the following bug reports:
- https://bugs.debian.org/961311
- https://bugs.debian.org/1039919
- https://bugs.debian.org/1103037
For now it can be worked around by downgrading openssh-client
to the Trixie version (1:9.9p2-2), and open the socket with: >/usr/lib/openssh/agent-launch start
Since the 1:10.0p1-1 → 1:10.0p1-2 upgrade, the user socket for ssh-agent
is no longer created in ${XDG_RUNTIME_DIR}/openssh_agent, but at an unpredictable path under /tmp.
(the path changes each time the ssh-agent user service is restarted)
Can you share the output of the following command (run as your normal
user):
systemctl --user cat ssh-agent.socket ssh-agent.service
If your output looks the same as above, can you share the output of:
systemctl --user status ssh-agent.socket ssh-agent.service
That would let me see what your local process supervisor believes is
going on with this service.
How are you restarting the ssh-agent user service?
Can you share the output of the following command (run as your normal
user):
systemctl --user cat ssh-agent.socket ssh-agent.service
I get the exact same output as yours, no local overrides here.
If your output looks the same as above, can you share the output of:
systemctl --user status ssh-agent.socket ssh-agent.service
That would let me see what your local process supervisor believes is
going on with this service.
○ ssh-agent.socket - OpenSSH Agent socket
Loaded: loaded (/usr/lib/systemd/user/ssh-agent.socket; enabled; preset: enabled) Active: inactive (dead)
Triggers: ● ssh-agent.service
Docs: man:ssh-agent(1)
Listen: /run/user/1000/openssh_agent (Stream)
× ssh-agent.service - OpenSSH Agent
Loaded: loaded (/usr/lib/systemd/user/ssh-agent.service; static)
Active: failed (Result: exit-code) since Fri 2025-04-18 16:26:54 CEST; 2 weeks 5 days ago Duration: 18min 13.762s
Invocation: 9e8c3dc015d64454810ba837d4433547
TriggeredBy: ○ ssh-agent.socket
Docs: man:ssh-agent(1)
Main PID: 3932465 (code=exited, status=2)
Mem peak: 1.9M
CPU: 24ms
How are you restarting the ssh-agent user service?
I used to restart it with:
systemctl --user restart ssh-agent.service
But since I got bitten by the behaviour I reported, I stopped using the systemd
unit and now start the agent directly from my user ~/.profile:
# Start SSH agent
export SSH_AUTH_SOCK="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/openssh_agent" if [ ! -e "$SSH_AUTH_SOCK" ]; then
ssh-agent -a "$SSH_AUTH_SOCK" >/dev/null
fi
For debugging purposes, I can disable that temporarily and get back to the systemd unit, maybe try to get more debug output from it.
If your output looks the same as above, can you share the output of:
systemctl --user status ssh-agent.socket ssh-agent.service
That would let me see what your local process supervisor believes is
going on with this service.
○ ssh-agent.socket - OpenSSH Agent socket
Loaded: loaded (/usr/lib/systemd/user/ssh-agent.socket; enabled; preset: enabled) Active: inactive (dead)
Triggers: ● ssh-agent.service
Docs: man:ssh-agent(1)
Listen: /run/user/1000/openssh_agent (Stream)
× ssh-agent.service - OpenSSH Agent
Loaded: loaded (/usr/lib/systemd/user/ssh-agent.service; static)
Active: failed (Result: exit-code) since Fri 2025-04-18 16:26:54 CEST; 2 weeks 5 days ago Duration: 18min 13.762s
Invocation: 9e8c3dc015d64454810ba837d4433547
TriggeredBy: ○ ssh-agent.socket
Docs: man:ssh-agent(1)
Main PID: 3932465 (code=exited, status=2)
Mem peak: 1.9M
CPU: 24ms
OK, this is just telling me that you aren't using the systemd unit any
more, right?
How are you restarting the ssh-agent user service?
I used to restart it with:
systemctl --user restart ssh-agent.service
Under what circumstances would you need to do this? I'm not saying it's wrong (it should be fine!), i'm just trying to replicate the
circumstances you found yourself in.
But since I got bitten by the behaviour I reported, I stopped using the systemd unit and now start the agent directly from my user ~/.profile:
# Start SSH agent
export SSH_AUTH_SOCK="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/openssh_agent" if [ ! -e "$SSH_AUTH_SOCK" ]; then
ssh-agent -a "$SSH_AUTH_SOCK" >/dev/null
fi
For debugging purposes, I can disable that temporarily and get back to the systemd unit, maybe try to get more debug output from it.
Yes, please do try to disable that and see what you can replicate. that would be great! I'm unable to trigger the problem you described
directly myself with the information we have so far.
To fix this use case, we just need to tell systemd that any manual
attempt to start the ssh-agent service needs to ensure that the socket
is listening first.
We can do this with the following patch to the OpenSSH package's >ssh-agent.service file:
diff --git a/debian/systemd/ssh-agent.service b/debian/systemd/ssh-agent.service
index 72e0a3e46..19ea47c91 100644
--- a/debian/systemd/ssh-agent.service
+++ b/debian/systemd/ssh-agent.service
@@ -1,6 +1,8 @@
[Unit]
Description=OpenSSH Agent
Documentation=man:ssh-agent(1)
+Requires=ssh-agent.socket
+After=ssh-agent.socket
[Service]
Environment=SSH_ASKPASS_REQUIRE=force
Here is what I did to disable my non-systemd-managed agent and run it again through systemd:
killall ssh-agent
systemctl --enable ssh-agent.service ssh-agent.socket
systemctl --user start ssh-agent.service
We can do this with the following patch to the OpenSSH package's ssh-agent.service file:
diff --git a/debian/systemd/ssh-agent.service b/debian/systemd/ssh-agent.service index 72e0a3e46..19ea47c91 100644
--- a/debian/systemd/ssh-agent.service
+++ b/debian/systemd/ssh-agent.service
@@ -1,6 +1,8 @@
[Unit]
Description=OpenSSH Agent
Documentation=man:ssh-agent(1)
+Requires=ssh-agent.socket
+After=ssh-agent.socket
[Service]
Environment=SSH_ASKPASS_REQUIRE=force
You can test this if you like by dropping a file with this contents into ~/.config/systemd/user/ssh-agent.service.d/override.conf :
```
# Added while debugging https://bugs.debian.org/1103522
[Unit]
Requires=ssh-agent.socket
After=ssh-agent.socket
```
Then do:
systemctl --user daemon-reload
systemctl --user restart ssh-agent.service
And you should see that the socket is up and the agent is listening on
the appropriate socket.
I think After= is unnecessary. systemd.socket(5) says (bearing in mind
that Before= and After= are inverses, as one might expect from their
names):
Socket units automatically gain a Before= dependency on the service
units they activate.
But adding just Requires= on its own sounds reasonable. I'll wait for confirmation from Antoine that that works, but if so then I'm willing to
try to get this into trixie.
| Sysop: | Keyop |
|---|---|
| Location: | Huddersfield, West Yorkshire, UK |
| Users: | 481 |
| Nodes: | 16 (2 / 14) |
| Uptime: | 09:35:28 |
| Calls: | 9,538 |
| Calls today: | 6 |
| Files: | 13,653 |
| Messages: | 6,139,125 |
| Posted today: | 1 |