1

GNOME Keyring isn't automatically loading/unlocking my SSH keys

asked 2015-07-29 17:23:54 -0600

terrycloth

updated 2016-07-20 02:38:48 -0600

I'd like to have my SSH keys automatically loaded and ready to go when I log into my desktop. That's what the GNOME Keyring is supposed to do, right?

I'm on a recent installation of Fedora 22 x64.

I can confirm that the GNOME Keyring is running.

$ ps aux | grep -i keyring

terrycl+ 3087 0.0 0.1 407552 9300 ? SLl 14:15 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login

And GNOME Keyring has set a value for the $SSH_AUTH_SOCK environment variable: /run/user/1000/keyring/ssh, which I believe is the expected value here. But it has not added any of the keys to the GNOME Keyring SSH agent.

$ ssh-add -l

The agent has no identities.

And manually adding a key fails.

$ ssh-add ~/.ssh/id_ecdsa

Enter passphrase for ~/.ssh/id_ecdsa:

Could not add identity "~/.ssh/id_ecdsa": communication with agent failed

The only workaround I've found is to run

eval `ssh-agent -s` or ssh-agent bash

which allows me to manually add my SSH keys again. But then I have to restart the SSH agent and re-add the SSH keys every session, and I still can't use my key to do SFTP with Nautilus.


2 Answers

2

answered 2015-09-17 05:24:15 -0600

terrycloth

I figured out the problem. My SSH key was generated using the Elliptic Curve Digital Signature Algorithm (ECDSA), which GNOME Keyring no longer supports.

When I switched back to an RSA key pair, GNOME Keyring detected my ssh keys again as it should. This article on the Arch wiki suggests that the NIST curves used to generate ECDSA keys (which I had used) may be insecure anyway -- which could be part of why GNOME dropped support for ECDSA keys. Since plain DSA is deprecated, RSA or possibly Ed25519 are probably the best choices for what types of ssh keys to use.


Comments

Unless you recompile Firefox, Chrome, OpenSSL, GnuTLS, Java, OpenSSH and NSS (among others) to remove support for elliptic curve cryptography, not using NIST curves for SSH won't help you much...

hkario ( 2016-04-11 09:31:46 -0600 )
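A quick check for the condition the answer above describes, as an added example that is not part of the original thread: it reads the algorithm name from each *.pub file and marks ECDSA keys as suspect when the agent socket matches the GNOME Keyring path shown in the question. The function names, verdict labels and sample key lines are assumptions made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): SSH key types vs. the agent in use.

# Classify the agent by socket path. "*/keyring/ssh" is the value shown in the
# question; any other non-empty path is reported as "other".
agent_kind() {
    case "${1:-}" in
        "")            echo none ;;
        */keyring/ssh) echo gnome-keyring ;;
        *)             echo other ;;
    esac
}

# The first field of an OpenSSH public key line names the algorithm.
pubkey_type() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $1; exit }' "$1"
}

# One line per *.pub file in a directory: "<name> <type> <verdict>".
audit_keys() {
    dir=$1 kind=$2
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue
        ktype=$(pubkey_type "$pub")
        case "$ktype" in
            ecdsa-sha2-*)  # type the answer found GNOME Keyring did not load
                if [ "$kind" = gnome-keyring ]; then verdict=suspect
                else verdict=ok; fi ;;
            ssh-dss)             verdict=deprecated ;;
            ssh-rsa|ssh-ed25519) verdict=ok ;;
            "")                  verdict=unreadable ;;
            *)                   verdict=unknown ;;
        esac
        echo "$(basename "$pub" .pub) ${ktype:--} $verdict"
    done
}

# Constructed sample directory; the key blobs are placeholders, not real keys.
make_sample() {
    d=$(mktemp -d)
    echo 'ecdsa-sha2-nistp256 AAAAconstructed user@host' > "$d/id_ecdsa.pub"
    echo 'ssh-rsa AAAAconstructed user@host'             > "$d/id_rsa.pub"
    echo 'ssh-ed25519 AAAAconstructed user@host'         > "$d/id_ed25519.pub"
    echo "$d"
}

# No argument: audit the sample against the question's socket path.
if [ $# -gt 0 ]; then audit_keys "$1" "$(agent_kind "${SSH_AUTH_SOCK:-}")"
else audit_keys "$(make_sample)" "$(agent_kind /run/user/1000/keyring/ssh)"; fi
```

Pass a directory such as ~/.ssh as the first argument to audit real public keys against the current $SSH_AUTH_SOCK.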
0

answered 2015-08-04 08:31:16 -0600

baggypants

Are you running with Gnome-wayland? It might be this https://bugzilla.gnome.org/show_bug.c...


Comments

No, I'm using GNOME with the default display server, which I believe is still X11.

terrycloth ( 2015-08-07 15:42:03 -0600 )


Asked: 2015-07-29 17:20:31 -0600

Seen: 8,527 times

Last updated: Jul 20 '16