Bug 794631 - Spinning CPU when interacting with the ssh client when the password stored in login keyring is incorrect
Status: RESOLVED FIXED
Product: gnome-keyring
Classification: Core
Component: ssh-agent
Version: 3.28.x
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: GNOME keyring maintainer(s)
Reported: 2018-03-23 17:43 UTC by Iain Lane
Modified: 2018-03-25 08:07 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
login: Use password from login keyring once for the same interaction (1.92 KB, patch)
2018-03-24 14:34 UTC, Daiki Ueno
committed

Description Iain Lane 2018-03-23 17:43:39 UTC
I'm running 3.28.0.1 from the Bionic package, which is the 3-28 branch up to b70a10e0953a7e0a13ca3705677aa974451e2fa1 basically.

When I ssh to my server, gnome-keyring-daemon starts spinning the CPU. ssh -vvv shows that this is the last thing to happen:

debug1: Offering public key: ECDSA SHA256:qd0wr4suhPRpZYZMy/9EPorDVrzW8Ww6sZJaJME+G80 /home/laney/.ssh/id_ecdsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ecdsa-sha2-nistp521 blen 172
debug2: input_userauth_pk_ok: fp SHA256:qd0wr4suhPRpZYZMy/9EPorDVrzW8Ww6sZJaJME+G80
debug3: sign_and_send_pubkey: ECDSA SHA256:qd0wr4suhPRpZYZMy/9EPorDVrzW8Ww6sZJaJME+G80


Here's a backtrace of what's going on at the time:
(gdb) t a a bt

Thread 8 (Thread 0x7fcca8ff9700 (LWP 14913))

  • #0 __GI___poll
    at ../sysdeps/unix/sysv/linux/poll.c line 29
  • #1 poll
    at /usr/include/x86_64-linux-gnu/bits/poll2.h line 46
  • #2 g_poll
    at ../../../../glib/gpoll.c line 124
  • #3 g_socket_condition_timed_wait
    at ../../../../gio/gsocket.c line 4259
  • #4 g_socket_receive_with_timeout
    at ../../../../gio/gsocket.c line 3065
  • #5 g_input_stream_read
    at ../../../../gio/ginputstream.c line 198
  • #6 g_input_stream_read_all
    at ../../../../gio/ginputstream.c line 257
  • #7 _gkd_ssh_agent_read_packet
    at daemon/ssh-agent/gkd-ssh-agent-util.c line 45
  • #8 on_run
    at daemon/ssh-agent/gkd-ssh-agent-service.c line 307
  • #9 ffi_call_unix64
  • #10 ffi_call
  • #11 g_cclosure_marshal_generic_va
    at ../../../../gobject/gclosure.c line 1604
  • #12 _g_closure_invoke_va
    at ../../../../gobject/gclosure.c line 867
  • #13 g_signal_emit_valist
    at ../../../../gobject/gsignal.c line 3300
  • #14 g_signal_emit
    at ../../../../gobject/gsignal.c line 3447
  • #15 g_threaded_socket_service_func
    at ../../../../gio/gthreadedsocketservice.c line 87
  • #16 g_thread_pool_thread_proxy
    at ../../../../glib/gthreadpool.c line 307
  • #17 g_thread_proxy
    at ../../../../glib/gthread.c line 784
  • #18 start_thread
    at pthread_create.c line 463
  • #19 clone
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 95

Thread 7 (Thread 0x7fcca97fa700 (LWP 14851))

  • #0 __GI___select
    at ../sysdeps/unix/sysv/linux/select.c line 41
  • #1 g_spawn_sync
    at ../../../../glib/gspawn.c line 384
  • #2 ensure_key
    at daemon/ssh-agent/gkd-ssh-agent-service.c line 260
  • #3 op_sign_request
    at daemon/ssh-agent/gkd-ssh-agent-service.c line 590
  • #4 handle_request
    at daemon/ssh-agent/gkd-ssh-agent-service.c line 192
  • #5 on_run
    at daemon/ssh-agent/gkd-ssh-agent-service.c line 317
  • #6 ffi_call_unix64
  • #7 ffi_call
  • #8 g_cclosure_marshal_generic_va
    at ../../../../gobject/gclosure.c line 1604
  • #9 _g_closure_invoke_va
    at ../../../../gobject/gclosure.c line 867
  • #10 g_signal_emit_valist
    at ../../../../gobject/gsignal.c line 3300
  • #11 g_signal_emit
    at ../../../../gobject/gsignal.c line 3447
  • #12 g_threaded_socket_service_func
    at ../../../../gio/gthreadedsocketservice.c line 87
  • #13 g_thread_pool_thread_proxy
    at ../../../../glib/gthreadpool.c line 307
  • #14 g_thread_proxy
    at ../../../../glib/gthread.c line 784
  • #15 start_thread
    at pthread_create.c line 463
  • #16 clone
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 95

Thread 6 (Thread 0x7fccaa7fc700 (LWP 7884))

  • #0 __GI___poll
    at ../sysdeps/unix/sysv/linux/poll.c line 29
  • #1 poll
    at /usr/include/x86_64-linux-gnu/bits/poll2.h line 46
  • #2 g_poll
    at ../../../../glib/gpoll.c line 124
  • #3 g_socket_condition_timed_wait
    at ../../../../gio/gsocket.c line 4259
  • #4 g_socket_receive_with_timeout
    at ../../../../gio/gsocket.c line 3065
  • #5 g_input_stream_read
    at ../../../../gio/ginputstream.c line 198
  • #6 g_input_stream_read_all
    at ../../../../gio/ginputstream.c line 257
  • #7 _gkd_ssh_agent_read_packet
    at daemon/ssh-agent/gkd-ssh-agent-util.c line 45
  • #8 on_run
    at daemon/ssh-agent/gkd-ssh-agent-service.c line 307
  • #9 ffi_call_unix64
  • #10 ffi_call
  • #11 g_cclosure_marshal_generic_va
    at ../../../../gobject/gclosure.c line 1604
  • #12 _g_closure_invoke_va
    at ../../../../gobject/gclosure.c line 867
  • #13 g_signal_emit_valist
    at ../../../../gobject/gsignal.c line 3300
  • #14 g_signal_emit
    at ../../../../gobject/gsignal.c line 3447
  • #15 g_threaded_socket_service_func
    at ../../../../gio/gthreadedsocketservice.c line 87
  • #16 g_thread_pool_thread_proxy
    at ../../../../glib/gthreadpool.c line 307
  • #17 g_thread_proxy
    at ../../../../glib/gthread.c line 784
  • #18 start_thread
    at pthread_create.c line 463
  • #19 clone
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 95

Thread 5 (Thread 0x7fccaaffd700 (LWP 7761))

  • #0 __GI___select
    at ../sysdeps/unix/sysv/linux/select.c line 41
  • #1 g_spawn_sync
    at ../../../../glib/gspawn.c line 384
  • #2 ensure_key
    at daemon/ssh-agent/gkd-ssh-agent-service.c line 260
  • #3 op_sign_request
    at daemon/ssh-agent/gkd-ssh-agent-service.c line 590
  • #4 handle_request
    at daemon/ssh-agent/gkd-ssh-agent-service.c line 192
  • #5 on_run
    at daemon/ssh-agent/gkd-ssh-agent-service.c line 317
  • #6 ffi_call_unix64
  • #7 ffi_call
  • #8 g_cclosure_marshal_generic_va
    at ../../../../gobject/gclosure.c line 1604
  • #9 _g_closure_invoke_va
    at ../../../../gobject/gclosure.c line 867
  • #10 g_signal_emit_valist
    at ../../../../gobject/gsignal.c line 3300
  • #11 g_signal_emit
    at ../../../../gobject/gsignal.c line 3447
  • #12 g_threaded_socket_service_func
    at ../../../../gio/gthreadedsocketservice.c line 87
  • #13 g_thread_pool_thread_proxy
    at ../../../../glib/gthreadpool.c line 307
  • #14 g_thread_proxy
    at ../../../../glib/gthread.c line 784
  • #15 start_thread
    at pthread_create.c line 463
  • #16 clone
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 95

and in pstree I can see

  |-gnome-keyring-d --daemonize --login
  |   |-ssh-add /home/laney/.ssh/id_ecdsa
  |   |   `-gcr-ssh-askpass Bad passphrase, try again for /home/laney/.ssh/id_ecdsa: 
  |   |-ssh-add /home/laney/.ssh/id_ecdsa
  |   |   `-gcr-ssh-askpass Bad passphrase, try again for /home/laney/.ssh/id_ecdsa: 
  |   |-ssh-agent -D -a /run/user/1000/keyring/.ssh

so I'm guessing that *somehow* we got a bad password stored. I'll go away and delete the keys from seahorse now and see what happens.
Comment 1 Iain Lane 2018-03-23 17:55:54 UTC
Yes, it works after deleting the keys and then re-adding.
Comment 2 Daiki Ueno 2018-03-23 19:18:04 UTC
Do you happen to have any additional clue in the journal (journalctl -r)?
Comment 3 Daiki Ueno 2018-03-23 19:38:54 UTC
Also I would like to clarify how you interacted with gnome-keyring:
- Did you previously save the password for the key in question, by checking the "Automatically unlock ..." checkbox? If so, do you remember which version of gnome-keyring you used at that time?
- Now, when you saw the issue, did you also see the prompt shown on your screen?
Comment 4 Iain Lane 2018-03-23 22:05:12 UTC
(In reply to Daiki Ueno from comment #2)
> Do you happen to have any additional clue in the journal (journalctl -r)?

I can't see anything interesting (journalctl -b-1 | grep keyring), except maybe

Mar 23 17:31:51 nightingale gnome-keyring-daemon[3515]: couldn't allocate secure memory to keep passwords and or keys from being written to the disk
Mar 23 17:31:51 nightingale gnome-keyring-daemon[3515]: asked to register item /org/freedesktop/secrets/collection/login/25, but it's already registered
Mar 23 17:50:30 nightingale goa-daemon[3689]: /org/gnome/OnlineAccounts/Accounts/account_1497963525_0: Setting AttentionNeeded to TRUE because EnsureCredentials() failed with: Failed to retrieve credentials from the keyring (goa-error-quark, 4)

?

(In reply to Daiki Ueno from comment #3)
> Also I would like to clarify how you interacted with gnome-keyring:
> - Did you previously save the password for the key in question, by checking
> the "Automatically unlock ..." checkbox? If so, do you remember which
> version of gnome-keyring you used at that time?

Yes, I did. I had a bug (fixed in the gnome-3-28 commits?) where, when I upgraded to 3.27.4, my previous keys from gnome-keyring prior to the recent SSH reworking weren't unlocked. I deleted those from seahorse and then asked gnome-keyring to save them. Then when I got 3.28 - both with and without the changes from the gnome-3-28 branch (I tried both) - I experienced this bug.

> - Now, when you saw the issue, did you also see the prompt shown on your
> screen?

No, no prompt at all. The SSH attempt hung, and I noticed that g-k-d was using all of one core.
Comment 5 Daiki Ueno 2018-03-24 14:34:01 UTC
(In reply to Iain Lane from comment #4)
> (In reply to Daiki Ueno from comment #2)
> > Do you happen to have any additional clue in the journal (journalctl -r)?
> 
> I can't see anything interesting (journalctl -b-1 | grep keyring), except
> maybe
> 
> Mar 23 17:31:51 nightingale gnome-keyring-daemon[3515]: couldn't allocate
> secure memory to keep passwords and or keys from being written to the disk

This looks strange, but explains that it retrieves garbage as a password.
Nevertheless, it is a bug that gnome-keyring doesn't give up and prompt the user if a wrong password is stored in the login keyring.  I will attach a patch.
Comment 6 Daiki Ueno 2018-03-24 14:34:50 UTC
Created attachment 370088
login: Use password from login keyring once for the same interaction
Comment 7 Daiki Ueno 2018-03-25 07:20:06 UTC
Attachment 370088 pushed as a0526d1 - login: Use password from login keyring once for the same interaction
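
The behaviour named in the patch title, "use password from login keyring once for the same interaction", as an added sketch that is neither gnome-keyring code nor the attached patch. All names (`interaction`, `answer_request`, `unlock_key`) are hypothetical, and it assumes the client asks again after every rejected passphrase, as the `ssh-add` / "Bad passphrase, try again" entries in the pstree output suggest.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one unlock interaction; not gnome-keyring code. */
typedef struct {
    const char *stored;   /* password saved in the login keyring, may be wrong */
    const char *typed;    /* what the user types when a prompt is shown */
    bool stored_used;     /* stored password already offered in this interaction */
    int user_prompts;     /* number of prompts the user actually saw */
} interaction;

/* Answer one passphrase request (the askpass step). */
static const char *answer_request(interaction *it, bool once_only)
{
    if (it->stored != NULL && !(once_only && it->stored_used)) {
        it->stored_used = true;
        return it->stored;            /* answered silently, no prompt shown */
    }
    it->user_prompts++;
    return it->typed;                 /* give up on the keyring, ask the user */
}

/* Models the client asking again after "Bad passphrase, try again".
 * Returns the number of requests needed, or -1 if max_requests ran out. */
int unlock_key(interaction *it, const char *passphrase, bool once_only,
               int max_requests)
{
    for (int n = 1; n <= max_requests; n++) {
        const char *pw = answer_request(it, once_only);
        if (pw != NULL && strcmp(pw, passphrase) == 0)
            return n;
    }
    return -1;
}

int main(void)
{
    /* Constructed values: the keyring holds "stale", the key needs "correct". */
    interaction before = { "stale", "correct", false, 0 };
    interaction after = { "stale", "correct", false, 0 };
    int r1 = unlock_key(&before, "correct", false, 1000);
    int r2 = unlock_key(&after, "correct", true, 1000);
    printf("always reuse stored: result %d, prompts %d\n", r1, before.user_prompts);
    printf("stored used once:    result %d, prompts %d\n", r2, after.user_prompts);
    return 0;
}
```

With the stored password reused on every request, the loop only ends at the cap and the user never sees a prompt, which matches the hang with no prompt reported in comment 4; with the once-only rule the second request reaches the user.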