On my workstation i want my SSH keys to be loaded and unlocked on login to XFCE. This seemed like a job for some keyring daemon like gnome-keyring but it’s not that easy…
GNOME-Keyring automatically adds all existing SSH RSA (and DSA) keys but does not support ECDSA (which i’m not using) and ed25519 keys (which i’m using when possible) and there is a bug report open for some years now for gnome-keyring.
Finding a way to disable GNOME-Keyring for ssh (and gpg) but keep it for the other stuff took some time. I figured i’d be best off to use the OpenSSH
and for convenience
(keychain) to make the loaded keys easily available on all logins.
- Disable gnome-keyring for ssh and gpg keys
Copy the autostart files
and add the line X-GNOME-Autostart-enabled=false to both files.
This is mentioned in Comment 22 from the Gnome-Keyring bug report which i first found here.
- Autostart keychain and manage ssh-agent and gpg-agent on Xfce login. Create the files:
[Desktop Entry] Type=Application Name=SSH Key Agent (keychain) Exec=/usr/bin/keychain --quiet --agents ssh X-XFCE-Autostart-Override=true
[Desktop Entry] Type=Application Name=GPG Key Agent (keychain) Exec=/usr/bin/keychain --quiet --agents gpg X-XFCE-Autostart-Override=true
- Import SSH keys on login
to import the existing SSH keys during login i created a new Application Autostart item in Settings -> Settings manager -> Session and startup. This startup item starts keychain and imports the listed ssh keys.
/usr/bin/keychain --eval --quiet $key1 $key2 $key3 ...
Needed ssh and gpg agents are started by keychain or running ones are reused. Encrypted SSH keys need to be unlocked with a passphrase when loaded or they aren’t loaded.
The password prompt is provided by
which is nicer) and displayed directly after login to Xfce.
ssh-askpasswhen the environment variable
is set. I set SSH_ASKPASS in
and it’s being used during login.
- Reuse ssh- and gpg-agents
Keychain makes it very easy to reuse existing ssh and gpg agents by providing/setting the needed environment variables on subsequent logins or scripts run by e.g. cron.
To reuse an already running ssh-agent on subsequent login add
eval $(keychain --eval --quiet)
will setup the needed variables.
To reuse an already running ssh-agent within scripts source the files
(for ssh-agent) or
(for gpg-agent) to setup the needed variables.
2 thoughts on “Load SSH keys on Xfce login with keychain / ssh-agent”
What about when your keys are password protected. This section won’t work because an interactive prompt would ask for the password of each supplied key.
Import SSH keys on login
Using keychain to import the existing SSH keys during login i created a new Application Autostart item in Settings -> Settings manager -> Session and startup. This startup item starts keychain and imports the listed ssh keys.
/usr/bin/keychain –eval –quiet $key1 $key2 $key3 …
Thanks for any hints in advance!
But maybe I’m missing something.
Well, I shoul have read more carfully. You talk about using ssh-askpass. That should solve it. Thanks for this tutorial!