search

FiloSottile / yubikey-agent

yubikey-agent is a seamless ssh-agent for YubiKeys.
https://filippo.io/yubikey-agent
BSD 3-Clause "New" or "Revised" License
2.65k stars 129 forks source link

yubikey-agent service fails to start #83

Closed drod3763 closed 3 years ago

drod3763 commented 3 years ago

I installed the AUR package for yubikey-agent on Arch. I can't get the yubikey-agent service to start.

❯ systemctl --user status yubikey-agent.service
● yubikey-agent.service - Seamless ssh-agent for YubiKeys
     Loaded: loaded (/usr/lib/systemd/user/yubikey-agent.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Tue 2021-03-30 20:02:57 EDT; 18s ago
       Docs: https://filippo.io/yubikey-agent
    Process: 427198 ExecStart=/usr/bin/yubikey-agent -l /run/user/1000/yubikey-agent/yubikey-agent.sock (code=exited, status=226/NAMESPACE)
   Main PID: 427198 (code=exited, status=226/NAMESPACE)

Mar 30 20:02:57 archlinux systemd[4305]: Started Seamless ssh-agent for YubiKeys.
Mar 30 20:02:57 archlinux yubikey-agent[427198]: yubikey-agent.service: Failed to set up mount namespacing: /run/systemd/unit-root/proc: Operation not permitted
Mar 30 20:02:57 archlinux systemd[427198]: yubikey-agent.service: Failed at step NAMESPACE spawning /usr/bin/yubikey-agent: Operation not permitted
Mar 30 20:02:57 archlinux systemd[4305]: yubikey-agent.service: Main process exited, code=exited, status=226/NAMESPACE
Mar 30 20:02:57 archlinux systemd[4305]: yubikey-agent.service: Failed with result 'exit-code'.

Any idea what my next step should be?

drod3763 commented 3 years ago

Ok I seemed to have solved the problem, but perhaps it wasn't the correct way. This is the systemd file I got from AUR:

[Unit]
Description=Seamless ssh-agent for YubiKeys
Documentation=https://filippo.io/yubikey-agent

[Service]
ExecStart=/usr/bin/yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock
ExecReload=/bin/kill -HUP $MAINPID
ProtectSystem=strict
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
PrivateTmp=yes
PrivateDevices=yes
PrivateUsers=yes
IPAddressDeny=any
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
CapabilityBoundingSet=
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
NoNewPrivileges=yes
KeyringMode=private
UMask=0177
RuntimeDirectory=yubikey-agent

[Install]
WantedBy=default.target

I removed all the extra entries - mostly the "Protect" ones ending up with the below:

[Unit]
Description=Seamless ssh-agent for YubiKeys
Documentation=https://filippo.io/yubikey-agent

[Service]
ExecStart=/usr/bin/yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock
ExecReload=/bin/kill -HUP $MAINPID
IPAddressDeny=any
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
NoNewPrivileges=yes
KeyringMode=private
UMask=0177
RuntimeDirectory=yubikey-agent

[Install]
WantedBy=default.target

This matches the file located here: https://github.com/FiloSottile/yubikey-agent/blob/main/contrib/systemd/user/yubikey-agent.service

I ran systemctl daemon-reload and systemctl --user restart yubikey-agent.service and it works now. I'm just not sure if that's the correct solution or if there is a good reason for that file to have extra entries on install.

LeSuisse commented 3 years ago

AUR package now uses (since 0.1.3-4) the same service file than the one provided in the repo. This issue can probably be closed because it is not an issue caused by yubikey-agent.