Load SSH keys on Xfce login with keychain / ssh-agent

On my workstation i want my SSH keys to be loaded and unlocked on login to XFCE. This seemed like a job for some keyring daemon like gnome-keyring but it’s not that easy…

GNOME-Keyring automatically adds all existing SSH RSA (and DSA) keys but does not support ECDSA (which i’m not using) and ed25519 keys (which i’m using when possible) and there is a bug report open for some years now for gnome-keyring.

Finding a way to disable GNOME-Keyring for ssh (and gpg) but keep it for the other stuff took some time. I figured i’d be best off to use the OpenSSH ssh-agent with ssh-askpass and for convenience keychain (keychain) to make the loaded keys easily available on all logins.

  • Disable gnome-keyring for ssh and gpg keys
    Copy the autostart files /etc/xdg/autostart/gnome-keyring-ssh.desktop and /etc/xdg/autostart/gnome-keyring-gpg.desktop to ~/.config/autostart/ and add the line X-GNOME-Autostart-enabled=false to both files.
    This is mentioned in Comment 22 from the Gnome-Keyring bug report which i first found here.
  • Autostart keychain and manage ssh-agent and gpg-agent on Xfce login. Create the files:
    ~./config/autostart/keychain-ssh.desktop

    [Desktop Entry]
    Type=Application
    Name=SSH Key Agent (keychain)
    Exec=/usr/bin/keychain --quiet --agents ssh
    X-XFCE-Autostart-Override=true

    ~./config/autostart/keychain-gpg.desktop

    [Desktop Entry]
    Type=Application
    Name=GPG Key Agent (keychain)
    Exec=/usr/bin/keychain --quiet --agents gpg
    X-XFCE-Autostart-Override=true
  • Import SSH keys on login
    Using keychain to import the existing SSH keys during login i created a new Application Autostart item in Settings -> Settings manager -> Session and startup. This startup item starts keychain and imports the listed ssh keys.

    /usr/bin/keychain --eval --quiet $key1 $key2 $key3 ...

    Needed ssh and gpg agents are started by keychain or running ones are reused. Encrypted SSH keys need to be unlocked with a passphrase when loaded or they aren’t loaded.
    The password prompt is provided by ssh-askpass (i installed ssh-askpass-gnome which is nicer) and displayed directly after login to Xfce.
    Both keychain and ssh-add use ssh-askpass when the environment variable SSH_ASKPASS is set. I set SSH_ASKPASS in ~/.xsessionrc and it’s being used during login.

  • Reuse ssh- and gpg-agents
    Keychain makes it very easy to reuse existing ssh and gpg agents by providing/setting the needed environment variables on subsequent logins or scripts run by e.g. cron.
    To reuse an already running ssh-agent on subsequent login add eval $(keychain --eval --quiet) to .bashrc and keychain will setup the needed variables.
    To reuse an already running ssh-agent within scripts source the files ~/.keychain/$HOSTNAME-sh (for ssh-agent) or ~/.keychain/$HOSTNAME-sh-gpg (for gpg-agent) to setup the needed variables.

2 thoughts on “Load SSH keys on Xfce login with keychain / ssh-agent”

  1. What about when your keys are password protected. This section won’t work because an interactive prompt would ask for the password of each supplied key.

    Import SSH keys on login
    Using keychain to import the existing SSH keys during login i created a new Application Autostart item in Settings -> Settings manager -> Session and startup. This startup item starts keychain and imports the listed ssh keys.

    /usr/bin/keychain –eval –quiet $key1 $key2 $key3 …

    Thanks for any hints in advance!

    But maybe I’m missing something.

    Reply
  2. Well, I shoul have read more carfully. You talk about using ssh-askpass. That should solve it. Thanks for this tutorial!

    Reply

Leave a Comment