Closed drod3763 closed 3 years ago
OK, I seem to have solved the problem, but perhaps it wasn't the correct way. This is the systemd file I got from AUR:
[Unit]
Description=Seamless ssh-agent for YubiKeys
Documentation=https://filippo.io/yubikey-agent
[Service]
ExecStart=/usr/bin/yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock
ExecReload=/bin/kill -HUP $MAINPID
ProtectSystem=strict
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
PrivateTmp=yes
PrivateDevices=yes
PrivateUsers=yes
IPAddressDeny=any
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
CapabilityBoundingSet=
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
NoNewPrivileges=yes
KeyringMode=private
UMask=0177
RuntimeDirectory=yubikey-agent
[Install]
WantedBy=default.target
I removed all the extra entries - mostly the "Protect" ones - ending up with the below:
[Unit]
Description=Seamless ssh-agent for YubiKeys
Documentation=https://filippo.io/yubikey-agent
[Service]
ExecStart=/usr/bin/yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock
ExecReload=/bin/kill -HUP $MAINPID
IPAddressDeny=any
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
NoNewPrivileges=yes
KeyringMode=private
UMask=0177
RuntimeDirectory=yubikey-agent
[Install]
WantedBy=default.target
This matches the file located here: https://github.com/FiloSottile/yubikey-agent/blob/main/contrib/systemd/user/yubikey-agent.service
I ran systemctl daemon-reload
and systemctl --user restart yubikey-agent.service
and it works now. I'm just not sure if that's the correct solution or if there is a good reason for that file to have extra entries on install.
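To see exactly which sandboxing directives differ between two copies of a unit, such as the AUR file and the repo file quoted above, the `[Service]` sections can be diffed directly. This is an added example, not part of the thread or of the yubikey-agent project; the function names are hypothetical and the two sample units are abridged from the files above for illustration.

```python
from collections import Counter

def service_directives(unit_text):
    """Count 'Key=Value' lines in [Service]. Keys such as SystemCallFilter=
    may legitimately repeat, so configparser (which rejects duplicates) is not used."""
    section, found = None, Counter()
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            found[f"{key.strip()}={value.strip()}"] += 1
    return found

def only_in_first(first, second):
    """Directives present in `first` that `second` lacks, sorted."""
    return sorted((service_directives(first) - service_directives(second)).elements())

# Abridged sample units (a subset of the directives shown in the thread).
AUR_UNIT = """\
[Service]
ExecStart=/usr/bin/yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock
ProtectSystem=strict
PrivateDevices=yes
PrivateUsers=yes
CapabilityBoundingSet=
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
NoNewPrivileges=yes
"""
REPO_UNIT = """\
[Service]
ExecStart=/usr/bin/yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
NoNewPrivileges=yes
"""

if __name__ == "__main__":
    for directive in only_in_first(AUR_UNIT, REPO_UNIT):
        print("only in AUR unit:", directive)
```

With the list of differing directives in hand, they can be re-added one at a time to find which one prevents the service from starting, rather than dropping all of them at once.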
The AUR package now uses (since 0.1.3-4) the same service file as the one provided in the repo. This issue can probably be closed because it is not an issue caused by yubikey-agent.
I installed the AUR package for yubikey-agent on Arch. I can't get the yubikey-agent service to start.
Any idea what my next step should be?