On my workstation I want my SSH keys to be loaded and unlocked on login to XFCE. This seemed like a job for a keyring daemon like gnome-keyring, but it's not that easy…
GNOME-Keyring automatically adds all existing SSH RSA (and DSA) keys but does not support ECDSA keys (which I'm not using) or ed25519 keys (which I use whenever possible); a bug report about this has been open against gnome-keyring for some years now.
Finding a way to disable GNOME-Keyring for ssh (and gpg) but keep it for the other stuff took some time. I figured I'd be best off using the OpenSSH
and for convenience
(keychain) to make the loaded keys easily available on all logins.
- Disable gnome-keyring for ssh and gpg keys
Copy the autostart files
and add the line X-GNOME-Autostart-enabled=false to both files.
This is mentioned in Comment 22 of the Gnome-Keyring bug report, which I first found here.
- Autostart keychain and manage ssh-agent and gpg-agent on Xfce login. Create the files:
```ini
[Desktop Entry]
Type=Application
Name=SSH Key Agent (keychain)
Exec=/usr/bin/keychain --quiet --agents ssh
X-XFCE-Autostart-Override=true
```

```ini
[Desktop Entry]
Type=Application
Name=GPG Key Agent (keychain)
Exec=/usr/bin/keychain --quiet --agents gpg
X-XFCE-Autostart-Override=true
```
- Import SSH keys on login
To import the existing SSH keys during login I created a new Application Autostart item in Settings -> Settings manager -> Session and startup. This startup item starts keychain and imports the listed ssh keys:
/usr/bin/keychain --eval --quiet $key1 $key2 $key3 ...
The needed ssh and gpg agents are started by keychain, or already running ones are reused. Encrypted SSH keys need to be unlocked with a passphrase when loaded, otherwise they aren't loaded.
The password prompt is provided by
which is nicer) and displayed directly after login to Xfce.
ssh-askpass is used when the environment variable SSH_ASKPASS is set. I set SSH_ASKPASS in
and it's being used during login.
- Reuse ssh- and gpg-agents
Keychain makes it very easy to reuse existing ssh and gpg agents by providing/setting the needed environment variables on subsequent logins or in scripts run by e.g. cron.
To reuse an already running ssh-agent on subsequent logins, add the following line; it will set up the needed variables:
eval $(keychain --eval --quiet)
To reuse an already running ssh-agent within scripts, source the files
(for ssh-agent) or
(for gpg-agent) to set up the needed variables.
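As an added example (not part of the original post), a small POSIX sh helper for the script case above: it sources an agent file, checks that the agent it points to is actually still alive (agent files can go stale after a reboot or a killed agent), and only falls back to starting keychain when the reuse fails. The file path and the `VAR=value; export VAR;` line format are assumptions modelled on what keychain writes; the demo file is constructed.

```shell
#!/bin/sh
# Added example, not keychain's own code. Assumes a keychain-style agent file
# containing lines such as:
#   SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.1234; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=1234; export SSH_AGENT_PID;

# agent_var FILE NAME: print the value NAME is set to in FILE (empty if absent).
agent_var() {
    sed -n "s/^$2=\([^;]*\); export $2;\$/\1/p" "$1"
}

# reuse_ssh_agent FILE: source FILE and return 0 only if the agent it names
# is a live process and its socket exists; return 1 for a missing or stale file
# so the caller does not trust environment variables pointing at a dead agent.
reuse_ssh_agent() {
    agent_file=$1
    [ -r "$agent_file" ] || return 1
    # shellcheck disable=SC1090
    . "$agent_file"
    [ -n "$SSH_AGENT_PID" ] && [ -n "$SSH_AUTH_SOCK" ] || return 1
    # kill -0 sends no signal; it only checks the process exists and is ours.
    kill -0 "$SSH_AGENT_PID" 2>/dev/null || return 1
    [ -S "$SSH_AUTH_SOCK" ] || return 1
    return 0
}

# ensure_ssh_agent FILE: reuse the agent from FILE, otherwise let keychain
# start or find one (keychain rewrites FILE) and re-check.
ensure_ssh_agent() {
    reuse_ssh_agent "$1" && return 0
    command -v keychain >/dev/null 2>&1 || return 1
    eval "$(keychain --eval --quiet)"
    reuse_ssh_agent "$1"
}

# write_demo_agent_file FILE SOCK PID: constructed agent file for testing.
write_demo_agent_file() {
    printf 'SSH_AUTH_SOCK=%s; export SSH_AUTH_SOCK;\nSSH_AGENT_PID=%s; export SSH_AGENT_PID;\n' \
        "$2" "$3" > "$1"
}
```

In a cron or login script, `ensure_ssh_agent ~/.keychain/<agent file> || exit 1` (path assumed) gives a clear failure instead of ssh silently prompting for a passphrase it can never receive.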