Load SSH keys on Xfce login with keychain / ssh-agent

On my workstation I want my SSH keys to be loaded and unlocked when I log in to Xfce. This seemed like a job for a keyring daemon such as gnome-keyring, but it’s not that easy…

GNOME-Keyring automatically adds all existing SSH RSA (and DSA) keys, but it does not support ECDSA keys (which I’m not using) or ed25519 keys (which I’m using when possible). A bug report for this has been open against gnome-keyring for some years now.

Finding a way to disable GNOME-Keyring for ssh (and gpg) but keep it for the other stuff took some time. I figured I’d be best off using the OpenSSH ssh-agent with ssh-askpass and, for convenience, keychain to make the loaded keys easily available on all logins.

  • Disable gnome-keyring for ssh and gpg keys
    Copy the autostart files /etc/xdg/autostart/gnome-keyring-ssh.desktop and /etc/xdg/autostart/gnome-keyring-gpg.desktop to ~/.config/autostart/ and add the line X-GNOME-Autostart-enabled=false to both files.
    This is mentioned in Comment 22 of the Gnome-Keyring bug report, which I first found here.
  • Autostart keychain and manage ssh-agent and gpg-agent on Xfce login. Create the files:

    [Desktop Entry]
    Type=Application
    Name=SSH Key Agent (keychain)
    Exec=/usr/bin/keychain --quiet --agents ssh

    [Desktop Entry]
    Type=Application
    Name=GPG Key Agent (keychain)
    Exec=/usr/bin/keychain --quiet --agents gpg
  • Import SSH keys on login
    To import the existing SSH keys during login with keychain, I created a new Application Autostart item in Settings -> Settings manager -> Session and startup. This startup item starts keychain and imports the listed SSH keys.

    /usr/bin/keychain --eval --quiet $key1 $key2 $key3 ...

    Keychain starts the ssh and gpg agents it needs, or reuses ones that are already running. Encrypted SSH keys must be unlocked with their passphrase when they are loaded; otherwise they aren’t loaded.
    The password prompt is provided by ssh-askpass (I installed ssh-askpass-gnome, which is nicer) and is displayed directly after login to Xfce.
    Both keychain and ssh-add use ssh-askpass when the environment variable SSH_ASKPASS is set. I set SSH_ASKPASS in ~/.xsessionrc and it’s being used during login.

  • Reuse ssh- and gpg-agents
    Keychain makes it very easy to reuse existing ssh and gpg agents by setting the needed environment variables on subsequent logins or in scripts run by e.g. cron.
    To reuse an already running ssh-agent on subsequent logins, add eval $(keychain --eval --quiet) to .bashrc and keychain will set up the needed variables.
    To reuse an already running ssh-agent within scripts, source the files ~/.keychain/$HOSTNAME-sh (for ssh-agent) or ~/.keychain/$HOSTNAME-sh-gpg (for gpg-agent) to set up the needed variables.
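
One way to apply the script case above, as an added example that is not part of the original post: before a cron job sources ~/.keychain/$HOSTNAME-sh, it checks that the file is safe to source and that the agent actually holds a key. The function names and the SSH_ADD override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# SSH_ADD override variable are hypothetical; the path follows the page.

# Path of the ssh-agent environment file that keychain writes.
keychain_env_file() {
    printf '%s/.keychain/%s-sh\n' "$HOME" "${HOSTNAME:-$(uname -n)}"
}

# Sourcing a file executes it, so accept only a regular file (no symlink)
# owned by the current user and not writable by group or others.
load_keychain_env() {
    kc_file=$1
    kc_ok=$(find "$kc_file" -prune -type f -user "$(id -u)" \
                ! -perm -020 ! -perm -002 2>/dev/null) || kc_ok=""
    if [ -z "$kc_ok" ]; then
        echo "refusing to source $kc_file: missing or unsafe owner/mode" >&2
        return 1
    fi
    . "$kc_file"
}

# ssh-add -l exits 0 with keys loaded, 1 when the agent holds no
# identities (e.g. the askpass prompt was cancelled), 2 when no agent
# can be contacted.
agent_state() {
    kc_rc=0
    "${SSH_ADD:-ssh-add}" -l >/dev/null 2>&1 || kc_rc=$?
    case $kc_rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Fail closed: succeed only when the agent is reachable and holds a key.
require_agent() {
    load_keychain_env "$(keychain_env_file)" || return 1
    kc_state=$(agent_state)
    [ "$kc_state" = loaded ] && return 0
    echo "ssh-agent is $kc_state; refusing to run the job" >&2
    return 1
}

# In a cron script:  require_agent || exit 1   (ssh commands follow)
```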
