SSH Hack - Block KDE ssh-agent Autostart

I’m not using the ssh-agent and something is causing it to autostart in Debian 12.5 with KDE Plasma. The process displayed in HTOP is:

ssh-agent -D -a /run/user/1000/openssh_agent

I took the extreme measure of moving /usr/bin/ssh-agent to /usr/bin/maybelater and that prevents the autostart but there must be some config which is starting it and I would like to update the config which performs the autostart.

Thanks.

On a systemd system like Debian, the best way to understand why something is running is to figure out what slice/service/app is running it - using the command line tool systemd-cgls.

This will show you a tree of all the things running on your system (under systemd) and who owns what. For example:

In the screenshot we can see that Eclipse is running under the plasmashell service.

3 Likes

Thanks Guss :grinning:

systemd-cgls shows “ssh-agent -D -a /run/user/1000/openssh_agent” is started by ssh-agent.service.

systemd-cgls

│   │ ├─app.slice (#2567)
│   │ │ ├─app-org.kde.konsole-46e66307b4b14c67866b2c3fe8d85338.scope (#4030)
│   │ │ │ ├─842 /usr/bin/konsole
│   │ │ │ ├─846 /bin/bash
│   │ │ │ ├─851 systemd-cgls
│   │ │ │ └─852 pager
│   │ │ └─ssh-agent.service (#2977)
│   │ │   └─691 ssh-agent -D -a /run/user/1000/openssh_agent

I tried searching for ssh-agent.service using:

systemctl --type=service | grep ssh-agent.service
systemctl | grep ssh-agent.service

and ssh-agent.service was not found. I next tried masking ssh-agent.service:

systemctl mask ssh-agent.service
Unit ssh-agent.service does not exist, proceeding anyway.
Created symlink /etc/systemd/system/ssh-agent.service → /dev/null.
sudo systemctl mask ssh-agent.service

After rebooting HTOP still displayed “ssh-agent -D -a /run/user/1000/openssh_agent” and systemd-cgls still shows “ssh-agent -D -a /run/user/1000/openssh_agent” is started by ssh-agent.service.

Should systemd-cgls still show “ssh-agent -D -a /run/user/1000/openssh_agent” after the systemctl mask?

Thanks :grinning:

The commands you tried to run are commands to change the system configuration, though the ssh agent is a user service - so it wouldn’t work on it and systemctl should have shown appropriate error messages.

To disable the ssh agent user service run:

systemctl --user disable --now ssh-agent.service
4 Likes

Thanks Guss :grinning:

systemctl --user disable --now ssh-agent.service

Stopped the service and I used this to prevent it from starting after reboot.

systemctl --user --now mask ssh-agent.service

I also tried this to display user services which seems to work.

systemctl --user

After that I wanted to know which services have been masked and found this:

systemctl list-unit-files --state=masked

That list led to what are these unit-files and where are they located? I found them in /lib/systemd/system and /lib/systemd/user. These unit-files with names corresponding to the service names show details such as service invocation.

Thanks so much for sharing this info with me.

I do not recommend masking units as a way to prevent services from starting automatically - that is what disable is for. Specifically disable --now will stop the service and also disable it.

The main difference between “masking” and “disabling” is that if you ever want to start the service manually - a disabled service will start while a masked service will cause an error. The practice of masking should be avoided as much as possible as its main effect is causing errors.

If you are curious about systemd units and how they are located and parsed, I recommend running man:systemd.unit from your application launcher.

2 Likes

Great points Guss :grinning:

man systemd.unit has an interesting topic, garbage collection, in which I’ve been interested. I’ve noticed memory consumption before running an app and after running an app often increases beyond the initial memory consumption. It seems that some apps like Libre Calc do a great job of cleaning memory they’ve consumed. Thanks for sharing. Maybe I’ll be able to increase the garbage collection aggressiveness.

I had to revert to masking ssh-agent.service as I didn’t want it to run after reboot:

systemctl --user --now disable ssh-agent.service

After reboot:

systemd-cgls

│   │ ├─app.slice (#2528)
│   │ │ ├─app-org.kde.konsole-7ac932096df34b4aa8ea8d022bcb7576.scope (#3952)
│   │ │ │ ├─831 /usr/bin/konsole
│   │ │ │ ├─835 /bin/bash
│   │ │ │ ├─838 htop
│   │ │ │ ├─841 /bin/bash
│   │ │ │ ├─847 systemd-cgls
│   │ │ │ └─848 pager
│   │ │ └─ssh-agent.service (#2938)
│   │ │   └─689 ssh-agent -D -a /run/user/1000/openssh_agent

Do you know if there is a way to modify app.slice to prevent it from starting ssh-agent.service other than masking ssh-agent.service?

Thanks :grinning:

It is useful to understand what the terms mean: a “slice” is just a namespace for controlling resource allocation to a group of processes (see man:/systemd.slice for more details) and it doesn’t start stuff by itself - when stuff starts, it gets put into a slice. System services get put into the system.slice while user stuff gets put into the user.slice that is then sub-sliced into a slice per user, in it there’s the app.slice, the background.slice, the session.slice, and probably a few others.

If you do systemctl --user status ssh-agent.service and it actually says in the Loaded: line - disabled (not for the vendor preset, the one before that), then something must have requested systemd to start it.

You can look at the dependency list and see if something depends on ssh-agent in the systemd unit tree by running systemctl --user list-dependencies - this will draw a tree and you can see if ssh-agent.service is listed there somewhere. For example:

$ systemctl --user list-dependencies 
default.target
● ├─activity-monitor.service
…
● └─basic.target
…
●   └─timers.target
●     ├─google-chrome-backup.timer
●     ├─restic-backup.timer

My backup timers are started by the “timers target”.

The other thing that you can do is to look at the systemd log for your user and see if there are any logs that explain why ssh-agent was started, or at least when it was started and you can see what happened before and after: journalctl --user _COMM=systemd

1 Like

Guss this is such great content! Thank you very much for sharing :grinning:

“systemctl --user list-dependencies” does show several items under sockets.target which seem to be wrappers for ssh-agent based upon what I’m seeing in “journalctl --user _COMM=systemd | grep ssh-agent” shown below.

Is there a way to configure sockets.target to remove the gcr-ssh-agent.socket and gpg-agent-* dependencies?

Thanks :grinning:

Output shows ssh-agent is running and not listed in dependencies.

HTOP Result:
7804  20   0 S  0:00.00     991  4432  0.1   0.0  5080 ssh-agent -D -a /run/user/1000/openssh_agent

systemctl --user list-dependencies

default.target
● ├─pipewire-pulse.service
● ├─pipewire.service
○ ├─tracker-extract-3.service
● └─basic.target
●   ├─paths.target
●   ├─sockets.target
●   │ ├─dbus.socket
●   │ ├─dirmngr.socket
○   │ ├─gcr-ssh-agent.socket
×   │ ├─gnome-keyring-daemon.socket
●   │ ├─gpg-agent-browser.socket
●   │ ├─gpg-agent-extra.socket
●   │ ├─gpg-agent-ssh.socket
●   │ ├─gpg-agent.socket
●   │ ├─pipewire-pulse.socket
●   │ ├─pipewire.socket
●   │ └─pk-debconf-helper.socket
●   └─timers.target

systemctl list-dependencies

default.target
● ├─accounts-daemon.service
● ├─gdm.service
○ ├─power-profiles-daemon.service
○ ├─switcheroo-control.service
○ ├─systemd-update-utmp-runlevel.service
● ├─udisks2.service
● └─multi-user.target
○   ├─anacron.service
○   ├─avahi-daemon.service
●   ├─console-setup.service
○   ├─cron.service
○   ├─cups-browsed.service
○   ├─cups.path
○   ├─cups.service
●   ├─dbus.service
○   ├─e2scrub_reap.service
○   ├─ModemManager.service
●   ├─networking.service
●   ├─NetworkManager.service
●   ├─plymouth-quit-wait.service
○   ├─plymouth-quit.service
●   ├─systemd-ask-password-wall.path
●   ├─systemd-logind.service
○   ├─systemd-update-utmp-runlevel.service
●   ├─systemd-user-sessions.service
●   ├─vboxadd-service.service
○   ├─vboxadd.service
●   ├─wpa_supplicant.service
●   ├─basic.target
●   │ ├─-.mount
○   │ ├─low-memory-monitor.service
○   │ ├─tmp.mount
●   │ ├─paths.target
●   │ ├─slices.target
●   │ │ ├─-.slice
●   │ │ └─system.slice
●   │ ├─sockets.target
○   │ │ ├─avahi-daemon.socket
○   │ │ ├─cups.socket
●   │ │ ├─dbus.socket
●   │ │ ├─systemd-initctl.socket
●   │ │ ├─systemd-journald-audit.socket
●   │ │ ├─systemd-journald-dev-log.socket
●   │ │ ├─systemd-journald.socket
●   │ │ ├─systemd-udevd-control.socket
●   │ │ └─systemd-udevd-kernel.socket
●   │ ├─sysinit.target
●   │ │ ├─apparmor.service
●   │ │ ├─dev-hugepages.mount
●   │ │ ├─dev-mqueue.mount
●   │ │ ├─keyboard-setup.service
●   │ │ ├─kmod-static-nodes.service
●   │ │ ├─plymouth-read-write.service
●   │ │ ├─plymouth-start.service
●   │ │ ├─proc-sys-fs-binfmt_misc.automount
●   │ │ ├─sys-fs-fuse-connections.mount
●   │ │ ├─sys-kernel-config.mount
●   │ │ ├─sys-kernel-debug.mount
●   │ │ ├─sys-kernel-tracing.mount
○   │ │ ├─systemd-ask-password-console.path
●   │ │ ├─systemd-binfmt.service
○   │ │ ├─systemd-firstboot.service
●   │ │ ├─systemd-journal-flush.service
●   │ │ ├─systemd-journald.service
○   │ │ ├─systemd-machine-id-commit.service
●   │ │ ├─systemd-modules-load.service
○   │ │ ├─systemd-pcrphase-sysinit.service
○   │ │ ├─systemd-pcrphase.service
○   │ │ ├─systemd-pstore.service
●   │ │ ├─systemd-random-seed.service
○   │ │ ├─systemd-repart.service
●   │ │ ├─systemd-sysctl.service
●   │ │ ├─systemd-sysusers.service
○   │ │ ├─systemd-timesyncd.service
●   │ │ ├─systemd-tmpfiles-setup-dev.service
●   │ │ ├─systemd-tmpfiles-setup.service
●   │ │ ├─systemd-udev-trigger.service
●   │ │ ├─systemd-udevd.service
●   │ │ ├─systemd-update-utmp.service
●   │ │ ├─cryptsetup.target
●   │ │ ├─integritysetup.target
●   │ │ ├─local-fs.target
●   │ │ │ ├─-.mount
○   │ │ │ ├─systemd-fsck-root.service
●   │ │ │ └─systemd-remount-fs.service
●   │ │ ├─swap.target
●   │ │ │ └─dev-disk-by\x2duuid-9c824eed\x2de5be\x2d4c2f\x2d96fe\x2dad797467a36e.…
●   │ │ └─veritysetup.target
●   │ └─timers.target
○   │   ├─anacron.timer
●   │   ├─apt-daily-upgrade.timer
●   │   ├─apt-daily.timer
●   │   ├─dpkg-db-backup.timer
●   │   ├─e2scrub_all.timer
●   │   ├─fstrim.timer
●   │   ├─fwupd-refresh.timer
●   │   ├─logrotate.timer
●   │   ├─man-db.timer
●   │   └─systemd-tmpfiles-clean.timer
●   ├─getty.target
○   │ ├─getty-static.service
○   │ └─getty@tty1.service
●   └─remote-fs.target

Output shows several sockets appear to “wrap” ssh-agent.

journalctl --user _COMM=systemd | grep ssh-agent

Jul 08 03:02:57 happy systemd[1856]: Listening on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 03:02:57 happy systemd[1856]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 03:02:58 happy systemd[1856]: Started gcr-ssh-agent.service - GCR ssh-agent wrapper.
Jul 08 03:02:58 happy systemd[1856]: Started ssh-agent.service - OpenSSH Agent.
Jul 08 03:08:07 happy systemd[1856]: Stopping gcr-ssh-agent.service - GCR ssh-agent wrapper...
Jul 08 03:08:07 happy systemd[1856]: Stopping ssh-agent.service - OpenSSH Agent...
Jul 08 03:08:07 happy systemd[1856]: Stopped gcr-ssh-agent.service - GCR ssh-agent wrapper.
Jul 08 03:08:07 happy systemd[1856]: ssh-agent.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jul 08 03:08:07 happy systemd[1856]: ssh-agent.service: Control process exited, code=exited, status=71/OSERR
Jul 08 03:08:07 happy systemd[1856]: ssh-agent.service: Failed with result 'exit-code'.
Jul 08 03:08:07 happy systemd[1856]: Stopped ssh-agent.service - OpenSSH Agent.
Jul 08 03:08:07 happy systemd[1856]: Closed gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 03:08:07 happy systemd[1856]: Closed gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 03:08:50 happy systemd[1921]: Listening on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 03:08:50 happy systemd[1921]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 03:08:50 happy systemd[1921]: Started gcr-ssh-agent.service - GCR ssh-agent wrapper.
Jul 08 03:08:50 happy systemd[1921]: Started ssh-agent.service - OpenSSH Agent.
Jul 08 03:11:42 happy systemd[1921]: Stopping gcr-ssh-agent.service - GCR ssh-agent wrapper...
Jul 08 03:11:42 happy systemd[1921]: Stopping ssh-agent.service - OpenSSH Agent...
Jul 08 03:11:42 happy systemd[1921]: Stopped gcr-ssh-agent.service - GCR ssh-agent wrapper.
Jul 08 03:11:42 happy systemd[1921]: ssh-agent.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jul 08 03:11:42 happy systemd[1921]: ssh-agent.service: Control process exited, code=exited, status=71/OSERR
Jul 08 03:11:42 happy systemd[1921]: ssh-agent.service: Failed with result 'exit-code'.
Jul 08 03:11:42 happy systemd[1921]: Stopped ssh-agent.service - OpenSSH Agent.
Jul 08 03:11:42 happy systemd[1921]: Closed gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 03:11:42 happy systemd[1921]: Closed gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 03:12:43 happy systemd[1922]: Listening on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 03:12:43 happy systemd[1922]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 03:12:43 happy systemd[1922]: Started gcr-ssh-agent.service - GCR ssh-agent wrapper.
Jul 08 03:12:43 happy systemd[1922]: Started ssh-agent.service - OpenSSH Agent.
Jul 08 04:32:35 happy systemd[1922]: Stopping gcr-ssh-agent.service - GCR ssh-agent wrapper...
Jul 08 04:32:35 happy systemd[1922]: Stopping ssh-agent.service - OpenSSH Agent...
Jul 08 04:32:35 happy systemd[1922]: Stopped gcr-ssh-agent.service - GCR ssh-agent wrapper.
Jul 08 04:32:35 happy systemd[1922]: ssh-agent.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jul 08 04:32:35 happy systemd[1922]: ssh-agent.service: Control process exited, code=exited, status=71/OSERR
Jul 08 04:32:35 happy systemd[1922]: ssh-agent.service: Failed with result 'exit-code'.
Jul 08 04:32:35 happy systemd[1922]: Stopped ssh-agent.service - OpenSSH Agent.
Jul 08 04:32:35 happy systemd[1922]: Closed gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 04:32:35 happy systemd[1922]: Closed gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 04:40:30 happy systemd[1924]: Listening on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 04:40:30 happy systemd[1924]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 04:40:31 happy systemd[1924]: Started gcr-ssh-agent.service - GCR ssh-agent wrapper.
Jul 08 04:40:31 happy systemd[1924]: Started ssh-agent.service - OpenSSH Agent.
Jul 08 04:48:09 happy systemd[1924]: Closed gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 04:48:09 happy systemd[1924]: Closed gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 04:48:30 happy systemd[881]: gcr-ssh-agent.socket: Socket service gcr-ssh-agent.service not loaded, refusing.
Jul 08 04:48:30 happy systemd[881]: Failed to listen on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 04:48:30 happy systemd[881]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 04:49:59 happy systemd[881]: Closed gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 04:50:19 happy systemd[879]: gcr-ssh-agent.socket: Socket service gcr-ssh-agent.service not loaded, refusing.
Jul 08 04:50:19 happy systemd[879]: Failed to listen on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 04:50:19 happy systemd[879]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 04:54:50 happy systemd[879]: Closed gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 04:55:11 happy systemd[877]: gcr-ssh-agent.socket: Socket service gcr-ssh-agent.service not loaded, refusing.
Jul 08 04:55:11 happy systemd[877]: Failed to listen on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 04:55:11 happy systemd[877]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 04:58:08 happy systemd[877]: Closed gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 04:58:27 happy systemd[878]: gcr-ssh-agent.socket: Socket service gcr-ssh-agent.service not loaded, refusing.
Jul 08 04:58:27 happy systemd[878]: Failed to listen on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 04:58:27 happy systemd[878]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 05:00:02 happy systemd[878]: Closed gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 05:00:26 happy systemd[878]: gcr-ssh-agent.socket: Socket service gcr-ssh-agent.service not loaded, refusing.
Jul 08 05:00:26 happy systemd[878]: Failed to listen on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 05:00:26 happy systemd[878]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 05:02:26 happy systemd[878]: Closed gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 05:02:49 happy systemd[878]: gcr-ssh-agent.socket: Socket service gcr-ssh-agent.service not loaded, refusing.
Jul 08 05:02:49 happy systemd[878]: Failed to listen on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 05:02:49 happy systemd[878]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 05:12:44 happy systemd[878]: Closed gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 05:13:06 happy systemd[881]: gcr-ssh-agent.socket: Socket service gcr-ssh-agent.service not loaded, refusing.
Jul 08 05:13:06 happy systemd[881]: Failed to listen on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 05:13:06 happy systemd[881]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 05:16:09 happy systemd[881]: Closed gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 05:16:30 happy systemd[877]: gcr-ssh-agent.socket: Socket service gcr-ssh-agent.service not loaded, refusing.
Jul 08 05:16:30 happy systemd[877]: Failed to listen on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 05:16:30 happy systemd[877]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 06:16:37 happy systemd[877]: Closed gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 06:16:59 happy systemd[878]: gcr-ssh-agent.socket: Socket service gcr-ssh-agent.service not loaded, refusing.
Jul 08 06:16:59 happy systemd[878]: Failed to listen on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 06:16:59 happy systemd[878]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 06:32:53 happy systemd[878]: Closed gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 14:39:52 happy systemd[877]: gcr-ssh-agent.socket: Socket service gcr-ssh-agent.service not loaded, refusing.
Jul 08 14:39:52 happy systemd[877]: Failed to listen on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 14:39:52 happy systemd[877]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 14:43:44 happy systemd[877]: Closed gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 14:44:07 happy systemd[878]: gcr-ssh-agent.socket: Socket service gcr-ssh-agent.service not loaded, refusing.
Jul 08 14:44:07 happy systemd[878]: Failed to listen on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 14:44:07 happy systemd[878]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 14:44:09 happy systemd[878]: Started ssh-agent.service - OpenSSH Agent.
Jul 08 15:21:09 happy systemd[878]: Stopping ssh-agent.service - OpenSSH Agent...
Jul 08 15:21:09 happy systemd[878]: ssh-agent.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jul 08 15:21:09 happy systemd[878]: ssh-agent.service: Control process exited, code=exited, status=71/OSERR
Jul 08 15:21:09 happy systemd[878]: ssh-agent.service: Failed with result 'exit-code'.
Jul 08 15:21:09 happy systemd[878]: Stopped ssh-agent.service - OpenSSH Agent.
Jul 08 15:21:09 happy systemd[878]: Closed gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 15:21:32 happy systemd[878]: gcr-ssh-agent.socket: Socket service gcr-ssh-agent.service not loaded, refusing.
Jul 08 15:21:32 happy systemd[878]: Failed to listen on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
Jul 08 15:21:32 happy systemd[878]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Jul 08 15:21:34 happy systemd[878]: Started ssh-agent.service - OpenSSH Agent.

OK, the problem I had with this thread is that this is a very different setup than what I have here on jammy-based Neon. I have gnome-keyring 40 installed and that provides the ssh-agent functionality through the static user service gnome-keyring-ssh.service.

On Debian 12, they use gnome-keyring 42, where - as far as I understand - the SSH agent functionality has been moved to gcr-ssh-agent that is implemented as a systemd socket that runs the gcr-ssh-agent.service (if you do systemctl --user cat gcr-ssh-agent.socket you don’t see a Service= option, which means that when a client connects to the socket it launches a service unit with the same base name).

We can see gcr-ssh-agent.service launched by the socket at 03:02:58 in your log (I’m assuming this is part of the session start process where you are running something that connects to the SSH agent). As far as I can tell - this service does not run the OpenSSH client’s ssh-agent.service or run the OpenSSH agent in any other manner - it implements its own SSH agent API on top of the GNOME keyring service.

Debian 12 also has a socket unit gpg-agent-ssh.socket that is part of the gpg-agent package that starts the gpg-agent.service (use systemctl --user cat and you can see it is listed explicitly) that apparently uses gpg-agent to also implement the SSH agent protocol (though I think it is missing a require option to enable that, so I’m not sure it actually works. I haven’t tested it). Again this does not actually start the OpenSSH agent using the ssh-agent.service systemd unit or otherwise - gpg-agent also has a complete internal SSH agent implementation. We can see its socket starts at 03:02:57 in your log but no one connects to it so the service does not start.

So none of these immediate suspects are implicated in starting ssh-agent.service, so the question is - what is starting it? The answer is that I believe I was hasty in declaring the systemctl disable is the answer and systemctl mask is never a good idea, and that may not be true:

The OpenSSH client installs its ssh-agent as a required service in the graphical session, as can be seen by listing its package content:

$ dpkg -L openssh-client | grep systemd
/usr/lib/systemd
/usr/lib/systemd/user
/usr/lib/systemd/user/graphical-session-pre.target.wants
/usr/lib/systemd/user/ssh-agent.service
/usr/lib/systemd/user/graphical-session-pre.target.wants/ssh-agent.service

Because the dependency is written into the system, you can’t modify it with user tools (such as systemctl --user) - I’m not sure why list-dependencies doesn’t list it, I may have misunderstood what it’s supposed to do. You can see the fact that ssh-agent.service is hard-coded into the session if you run:

$ systemctl --user status ssh-agent.service
ssh-agent.service - OpenSSH Agent
    Loaded: loaded (/usr/lib/systemd/user/ssh-agent.service, static)
    Active: inactive (dead)

The static part in the Loaded property means exactly that - it is static in the system and you cannot disable or enable it with your user tools. If you try systemctl --user disable ssh-agent.service, the tool won’t say anything, but it will not actually disable the service and will return an exit code of 1 (meaning “error”) and running systemctl --user is-enabled ssh-agent.service will still say “static”.

So yes - the only solution for preventing a static unit from starting is to mask it.

I should have tested this more - on my system ssh-agent.service also exists and is “static”, but it isn’t actually running - I’m not sure why - it starts and then stops with no logs, probably there’s already an SSH agent implementation by the GNOME Keyring running - but I don’t understand the mechanism yet.

2 Likes
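
Added example, not part of the original thread or written by any of its participants: a shell version of the check the answer above does by hand with dpkg -L and systemctl status. It scans unit directories for `.wants/` and `.requires/` entries that pull a unit in, and reports whether the unit file is masked or static. The function names, the subset of search directories, and the sample tree built in `demo` are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added illustration (not from the thread): find what pulls a user unit in.

# find_pullers UNIT DIR...
# For each unit directory, print "<target> <wants|requires> <dir>" when
# DIR/<target>.wants/UNIT or DIR/<target>.requires/UNIT exists.
find_pullers() {
    unit=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for link in "$dir"/*.wants/"$unit" "$dir"/*.requires/"$unit"; do
            # An unmatched glob stays literal; -L also catches dangling links.
            [ -e "$link" ] || [ -L "$link" ] || continue
            parent=${link%/*}; parent=${parent##*/}
            printf '%s %s %s\n' "${parent%.*}" "${parent##*.}" "$dir"
        done
    done
}

# unit_state UNIT DIR...
# DIRs are given in search order; the first directory holding UNIT decides.
unit_state() {
    unit=$1; shift
    for dir in "$@"; do
        f=$dir/$unit
        if [ -L "$f" ] && [ "$(readlink "$f")" = /dev/null ]; then
            echo masked; return 0
        elif [ -f "$f" ]; then
            # No [Install] section: systemctl reports such a unit as "static".
            if grep -q '^\[Install\]' "$f"; then echo installable; else echo static; fi
            return 0
        fi
    done
    echo not-found; return 1
}

# report UNIT DIR... : both checks together
report() {
    printf 'state: '; unit_state "$@" || true
    find_pullers "$@" | while read -r target kind dir; do
        printf 'pulled in by %s (%s) via %s\n' "$target" "$kind" "$dir"
    done
}

# Constructed sample tree mirroring the dpkg -L listing in the thread.
demo() {
    root=$(mktemp -d)
    home=$root/home/.config/systemd/user
    vendor=$root/usr/lib/systemd/user
    mkdir -p "$home" "$vendor/graphical-session-pre.target.wants"
    printf '[Unit]\nDescription=OpenSSH Agent\n\n[Service]\nExecStart=/bin/true\n' \
        > "$vendor/ssh-agent.service"
    ln -s ../ssh-agent.service \
        "$vendor/graphical-session-pre.target.wants/ssh-agent.service"
    echo '--- as shipped ---'
    report ssh-agent.service "$home" "$vendor"
    ln -s /dev/null "$home/ssh-agent.service"   # what "systemctl --user mask" leaves
    echo '--- after masking ---'
    report ssh-agent.service "$home" "$vendor"
    rm -rf "$root"
}

demo
# On a real system (subset of the user unit search path, assumed):
#   report ssh-agent.service "$HOME/.config/systemd/user" /etc/systemd/user /usr/lib/systemd/user
```

After masking, the `.wants` entry is still listed; the /dev/null link in the higher-priority directory is what keeps the unit from starting.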

Hi Guss :grinning:

Thanks for looking into this. Masking works fine for me so I’m good to go.

Thanks again :grinning: