Automatically load ssh passphrases from keychain

Manticore · 30 November 2021 11:45

Hello!

I’m struggling a bit to get the following to work on XFCE, I just installed Manjaro. Im coming from Suse with Plasma.

I have over a dozen ssh keys with long, random passphrases (mandatory work/customer requirements). On KDE it was easy to add them to a default wallet, which got unlocked when I logged in and an autoscript ran adding all the passphrases to an ssh-agent. Your how-to in the Plasma forums describes the same thing.

However, with XFCE Im not sure if I can accomplish the same thing. I have gnome keyring and I am reading different articles (yours and arch wiki) but I can’t get it to work.

Can someone help me out here, what is a good way to make this work on manjaro with xfce?

Thanks for the help!

mithrial · 30 November 2021 12:11

In the XFCE settings, there are two checkmarks to select that the Gnome- and/or KDE environment should also be loaded.

Then, you could use gnome-keyring or kwalletd to setup your keys.

Manticore · 30 November 2021 20:50

Yes, I did that for Gnome.

I installed gnome-keyring and seahorse.

I also created a --user service with the following content:

[Unit]
Description=SSH key agent

[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
# DISPLAY required for ssh-askpass to work
Environment=DISPLAY=:0
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target

In bash_profile I added the following line:

export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"

In ‘Session and Startup’, below ‘Application Autostart’, there are a few lines mentioning “GNOME Keyring”. Tick those to start them at login.

Everything now works, however …

The popup I get for a key for which a passphrase hasn’t been entered yet comes from /usr/lib/gcr-ssh-askpass. This popup blocks all other windows (no alt-tabbing to password manager for copy/paste). It blocks the entire X-session and limits to only input on the popup window. I hate that. This the only thing I would still like to change but other than that, it works, key passphrases are automatically loaded from the keyring once they have been provided.

Thanks!

mithrial · 30 November 2021 22:16

Is gnome-keyring running? I’m not that familiar with XFCE anymore.
There are autostart files to start the gnome-keyring-daemon which sets all required environment variables.

You can try first by killing all your ssh-agent instances and unsetting all related environment variables and then start gnome-keyring-daemon --start --daemonize.
When you then use a ssh key, it should prompt for the passphrase using their own askpass program which has the option to “save the passphrase”.

I also remember that I had to modify files in /etc/pam.d so that gnome-keyring is started automatically but that may not be valid anymore, a specific issue on my system or not relevant for XFCE.

Manticore · 1 December 2021 08:01

Yes, gnome keyring is running.

Start gnome components is ticket. I see the following processes running:

$ ps -ef | grep -i gnome
myuser     1617       1  0 07:46 ?        00:00:00 /usr/bin/gnome-keyring-daemon --daemonize --login
myuser     1664    1606  0 07:46 ?        00:00:01 /usr/lib/at-spi2-registryd --use-gnome-session
myuser     1764    1620  0 07:46 ?        00:00:00 /usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1
myuser     2033    1606  0 07:47 ?        00:00:00 /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets

In Seahorse I do see a few passphrases stored for ssh keys that I have entered.

There are 2 things left to do as far as Im concerned:

use a different ssh_askpass binary, one that doesn’t block alt-tab and copy/paste.
Load all ssh key passphrases from the keyring into the running ssh-agent at login.

PS. for some reason I broke ssh_askpass, its only prompting on the cli now

Manticore · 1 December 2021 14:30

Everything is working! I had to remove the SSH_ASKPASS environment variable. Gnome keyring daemon and its processes handle everything.

My only gripe is that the popup window blocks my entire session. But if I place my passphrase in the clipboard before ssh’ing into a host, I can paste it and tick the box to remember it.

From that moment on all passphrases are automatically loaded from the keyring provided that 1) the keyring is unlocked and 2) a passphrase exists for the key.

system · 4 December 2021 04:31

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.