New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
plist not loaded on macOS 10.14 Mojave #23
Comments
I used to have a similar problem, but not sure in which version of macOS that was. I couldn't reproduce it on other macs and could work around it by disabling other auto-starting application and booting without a network connection. Thought it was a race condition of some kind. Solved by time (or a minor macOS upgrade…). Seems like you are using the manual installation. I upgraded my computer to Mojave yesterday and |
yes, I've used the manual method. I'm now upgrading my other machine to 10.14 so I'll try it there as the update finishes and let you know (I can try the homebrew method there). I'll try to debug it further, I'm missing one thing about this - do you have a clue how the "on-demand" execution of Btw, it also happened once on the 10.13.6 during my testing that the system plist was loaded first, i logged out, logged back in and it loaded the user one after .. so it seems like it's pretty .. fragile :) |
Sorry but I have no idea how the magic works. 🙁 If you find something useful I'm all ears. This issue also appeared in my 10.14.0 when I logged out and then logged in again. After a reboot everything was fine again. Can't reproduce it again… Hello race condition. |
On Tue, 2018-09-25 at 00:55:07 -0700, Lukas Kuzmiak wrote:
[…]
I'll try to debug it further, I'm missing one thing about this - do you
have a clue how the "on-demand" execution of `ssh-agent` works? Like
how is it triggered exactly. The plist is loaded on login I suppose but
`ssh-agent` only appears in process list once something (`ssh-add` or
`ssh` or other process) somehow tries to talk to it.
If I've understood it correctly; launchd sets the environment variable
SSH_AUTH_SOCK to a "listen" socket which launchd listens on until
someone tries to talk to the socket. launchd then starts the application
specified in the plist and redirect e.g. ssh-add's communication to
ssh-agent.
I'm hoping that might help come up with a solution that would avoid the
race condition.
Btw, it also happened once on the 10.13.6 during my testing that the
system plist was loaded first, i logged out, logged back in and it
loaded the user one after .. so it seems like it's pretty .. fragile :)
I that exact race condition too. Can you try to:
* Install via the Homebrew instructions
* Restart your computer
* Login to your computer
* Run `ssh-add -l; launchctl list | grep ssh` and paste the output here.
* Log out and login again
* Run `ssh-add -l; launchctl list | grep ssh` and paste the output here.
@theseal on the other hand has the exact opposite problem: it works
after boot but not if he logs out and in again = D
Race conditions are funny things eh!? At least this one is sort of
deterministic…
I sadly have no idea how to solve this except loging into single user
mode, remove SIP, disable the com.openssh.ssh-agent plist, enable SIP,
reboot and live happily ever after...
|
so I got a new computer and had to set this up again. Same exact thing as before. The system plist is loaded first, I tried MANY times and did not see the homebrew one loaded as first at all. But I found a little easier way to edit/disable the system one. When you reboot into recovery you can launch Disk Utility, mount the hard drive, exit disk utility, Tools -> Terminal and do whatever you need without removing SIP, rebooting, editing, rebooting, enabling SIP, rebooting .. so save a bunch of time rebooting :-) Anybody else can share their experience on Mojave? Do you think it is better to disable the system one or edit it to contain the SSH_ASKPASS + DISPLAY? |
@lukaskuzmiak But logging out and logging in still makes it use the homebrew one? |
@simmel did not see that happen in my case, not sure what could be influencing it. |
What happens if you run Edit: |
Sorry, I don't have a system to test it with at the moment, I'll try to get back to this but if anybody can give it a shot or report a working Mojave setup that'd help. EDIT: my co-worker reported that the system plist is not there unless you have Xcode installed (or maybe just Xcode command line tools), no way to verify this atm, feel free to post if you see a correlation there. |
TL;DR:
Then reboots. The main point is, how to set the correct If I run If I run Manually copy the plist into Run
Actually there are two agents waiting and the one which is accessed by client is activated by launchd. Whichever one is okay because the two are identical. In practice, the ssh-agent launched by us is actually running. If you prefer that only one ssh-agent running at a time. You could optionally disable the system ssh-agent for current user.
|
Thanks for your post Tim! Is it any disadvantages to disable the system ssh-agent for the current user? Would it work to just to do so in order to fix this issue? It should reduced the fix to just one command which isn't dependent on Do you still have this issue @lukaskuzmiak and care to test it out? |
I thought it was, but placing the plist in As your setup works just fine I could make another assumption. My machines (a mac and a hackintosh) both installed ssh-askpass after upgraded to Mojave (from 10.13.x directly to 10.14.1), surely you installed before. 😄 Could that make any difference? That Mojave behave differently with the precedence. |
For what it's worth, yesterday I got a new clean Mojave installation, and for me it was sufficient to copy the file to One caveat: The first time I ran, I got a prompt from the new Security and Privacy system, asking if I would allow ssh-askpass binary to access SystemEvents (or whatever it was, don't have that computer in front of me ATM). If I pressed No, it would not allow it to use AppleScript/prompts, and ssh would say something like |
I clean installed Mojave and I still get the race condition described
above = S
I mean, all race conditions are weird but intermittent race conditions
are way worse = )
|
On Mon, 2019-01-07 at 19:37:22 -0800, Tim Zhang wrote:
I thought it was, but placing the plist in `~/Library/LaunchAgents` just not work with or without system agent. After disabled system agent, KeepassXC will not detect ssh-agent started by us, either.
But removing it from ~/Library/LaunchAgents, putting it in
/Library/LaunchAgents and disabling the build in ssh-agent still works
for you now? If so, great! Let's just hope that OP get a chance to test
this workaround. I'm AFK sadly.
As your setup works just fine I could make another assumption. My machines (a mac and a hackintosh) both installed ssh-askpass *after* upgraded to Mojave (10.14.1), surely you installed *before*. 😄 Could that make any difference? That Mojave behave differently with the precedence.
Our co-worker which also clean installed and installed after has no
problem either...
|
thank you! |
I can confirm that this works (for me). Cool! Finally something that works deterministically!
Did you get this working @ttimasdf? Sounds like KeepassXC just uses the |
Haha, it didn't work after reboot... |
worked for me |
Did you have an intermittent problem or always failure?
Does it still work after reboot?
…On Fri, 2019-07-05 at 20:37:38 -0700, arunkant wrote:
> brew services stop ssh-askpass
> sudo cp /usr/local/opt/ssh-askpass/homebrew.mxcl.ssh-askpass.plist /Library/LaunchAgents
worked for me
--
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub:
#23 (comment)
|
It was failing every time, although I only tested it 4-5 times. |
Since this issue is still open, I'll post an update. It appears that a recent security update to Mojave "fixed" the race condition. And by fixed, I mean broke it for me...
then restarted the ssh-agent and everything worked again. I expect it will work without a logoff/login now too. |
I can confirm that it does work without logoff/login. Thanks Apple for fixing it and a very big Thank you! to @petiepooo for your persistance in trying to solve the problem! |
It seems macOS 10.14 broke the custom plist loading. I compared 10.13.6 on a different device with fresh install of 10.14 and found that while launchctl prioritizes
~/Library/LaunchAgents/ssh-askpass.plist
on 10.13.6, on 10.14 it loads the/System/Library/LaunchAgents/com.openssh.ssh-agent.plist
plist first (this happens on-demand with first process trying to talk to the agent rather than on-login, which seems to be a consistent behavior to 10.13.6). This then looks like:And obviously
ssh-askpass
is never invoked cause of the missing environment variable(s).The only (ugly) workaround I found is to reboot into recovery,
csrutil disable
, edit/System/Library/LaunchAgents/com.openssh.ssh-agent.plist
and add the environment variables there, back to recovery,csrutil enable
.I tried playing around with
launchctl disable
orlaunchctl remove
to get rid of thesystem/com.openssh.ssh-agent
but unsuccessfully.Does anybody have some insight into why this worked on 10.13.6 and if this is really a change of behavior in 10.14 and how
launchctl
loads stuff?The text was updated successfully, but these errors were encountered: