5

Is it possible to replace gnome-keyring-daemon with ssh-agent?

asked 2012-10-16 11:58:13 -0500

larsks

updated 2012-10-16 11:59:51 -0500

I need to start using signed ssh keys (e.g., http://goo.gl/dTycu). The gnome-keyring-daemon doesn't seem to know how to store the certificates...

    Enter passphrase for /home/lars/.ssh/id_rsa: 
    Identity added: /home/lars/.ssh/id_rsa (/home/lars/.ssh/id_rsa)
    Error reading response length from authentication socket.

...so it's not going to be terribly useful. I'm happy to keep using it for other purposes, but I need to use the real ssh-agent for ssh. There are obviously some hacky ways of solving this but I'm hoping to link ssh-agent (back) into the X session startup machinery.

In the old days, the entire X session was run under ssh-agent. Is it possible to restore this behavior?


Comments

The (shortened) URL has gone offline, here's a link to the archive.

ckujau (2015-01-13 23:12:52 -0500)

2 Answers

3

answered 2012-10-17 19:20:15 -0500

larsks

It turned out to be easier than I expected. First, some background:

When you log into gdm, it starts up your X session by running /etc/gdm/Xsession, which is a symlink to /etc/X11/xinit/Xsession. This is a shell script that receives a single parameter from the display manager -- for Gnome, this is gnome-session. There's an ugly case statement in this script that figures out the next step based on the display manager in use; for Gnome, it ends up doing this:

    gnome|gnome-session)
        # lack of SSH_AGENT is intentional, see #441123.  though
        # the whole thing should really happen in xinitrc.d anyway.
        exec -l $SHELL -c gnome-session
        exec /bin/sh -c "exec -l $SHELL -c \"gnome-session\"" 
        ;;

I thought at first I was going to have to modify this script, which would have been an ugly hack -- future package updates would probably revert my changes. Fortunately, earlier on in the script is this snippet of code:

    XCLIENTS_D=/etc/X11/xinit/Xclients.d
    if [ "$#" -eq 1 ] && [ -x "$XCLIENTS_D/Xclients.$1.sh" ]; then
        exec -l $SHELL -c "$CK_XINIT_SESSION $SSH_AGENT $XCLIENTS_D/Xclients.$1.sh"
    else

This looks in /etc/X11/xinit/Xclients.d for a display-manager specific Xclients script, and runs that instead of the case statement if one is available. So I created /etc/X11/xinit/Xclients.d/Xclients.gnome-session.sh with the following contents:

    #!/bin/sh
    exec -l $SHELL -c "$SSH_AGENT gnome-session"

This takes advantage of the SSH_AGENT variable set earlier by xinitrc-common. This gets me a session running under ssh-agent, which is just what I wanted.

There was another problem, however: files in /etc/xdg/autostart were still starting up the gnome-keyring-daemon agent. It's possible to modify or remove these files, but since they're not marked as configuration files in the gnome-keyring package they'll come back to haunt me in the event this package gets updated.

So for the time being, I've wielded the Hammer of Chmod:

    chmod 0 /usr/bin/gnome-keyring-daemon

It's not pretty, but it gets me what I want: the ability to load SSH certificates in my desktop environment.

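As an added example (not part of larsks's answer), the following shell helper writes the Xclients.d wrapper from the answer into a directory of your choosing, so it can be staged and inspected before it lands in /etc/X11/xinit/Xclients.d, and classifies the agent behind SSH_AUTH_SOCK after login so you can confirm the session really is running under ssh-agent. The socket path patterns for gnome-keyring (keyring-XXXXXX/ssh and keyring/ssh) are assumptions about where that daemon places its socket, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post. Installs the one-line
# Xclients.d wrapper described in the answer and reports which agent the
# current session is talking to.
# Assumption: the Fedora Xsession of that era exports $SSH_AGENT before it
# dispatches to Xclients.d, so the wrapper may reference it unexpanded.

# Write the wrapper into DIR (default: the directory Xsession looks in).
install_xclients_wrapper() {
    dir=${1:-/etc/X11/xinit/Xclients.d}
    target="$dir/Xclients.gnome-session.sh"
    mkdir -p "$dir" || return 1
    # Single quotes keep $SHELL and $SSH_AGENT unexpanded: they are meant to
    # be expanded at login time by the shell that runs the wrapper.
    printf '%s\n' '#!/bin/sh' \
        'exec -l $SHELL -c "$SSH_AGENT gnome-session"' > "$target" || return 1
    chmod 0755 "$target"
}

# Classify an agent socket path (assumed patterns, see lead-in):
#   ssh-agent      /tmp/ssh-XXXXXX/agent.<pid>, the layout ssh-agent(1) uses
#   gnome-keyring  .../keyring-XXXXXX/ssh or .../keyring/ssh
#   none           SSH_AUTH_SOCK unset or empty
#   unknown        anything else (a forwarded agent, a hand-placed socket)
classify_agent_socket() {
    sock=$1
    case "$sock" in
        '')                            echo none ;;
        /tmp/ssh-*/agent.*)            echo ssh-agent ;;
        */keyring-*/ssh|*/keyring/ssh) echo gnome-keyring ;;
        *)                             echo unknown ;;
    esac
}

# Report on the running session; succeeds only when ssh-agent is in charge,
# which is the agent that accepts certificate keys.
check_session_agent() {
    kind=$(classify_agent_socket "${SSH_AUTH_SOCK:-}")
    echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>} -> $kind"
    [ "$kind" = ssh-agent ]
}

# Usage: sh agent-check.sh --check   (after logging in to the X session)
#        sh agent-check.sh --install [DIR]
case "${1:-}" in
    --check)   check_session_agent ;;
    --install) install_xclients_wrapper "${2:-}" ;;
esac
```

Run it with --install against a scratch directory first and diff the result against the file in the answer; once it is in place and you have logged back in, --check tells you whether SSH_AUTH_SOCK now points at ssh-agent rather than the keyring socket.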
0

answered 2014-05-21 12:49:08 -0500

gladiatr72

Hey there. Nice summary. My vision blurred a bit before making it to the bits regarding shoving script in the Xclients.d directory. I just kept an eye on updates and repaired the um... undamage :)

As an additional piece for those that might land here:

If, like me, you don't mind the keyring daemon managing GPG keys, one way to address the.. persistence of the keyring daemon is to reroll the RPM without ssh-agent support.

(for F20)

    curl -O https://dl.fedoraproject.org/pub/fedora/linux/releases/20/Fedora/source/SRPMS/g/gnome-keyring-3.10.1-1.fc20.src.rpm

--- gnome-keyring.spec.dist 2014-05-21 09:57:58.882732710 -0500
+++ gnome-keyring.spec  2014-05-21 09:41:09.007792479 -0500
@@ -57,6 +57,7 @@

 %build
 %configure \
+   --disable-ssh-agent \
    --with-pam-dir=%{_libdir}/security \
    --enable-pam

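Review bot: the new `--disable-ssh-agent \` line carries no explanation in the spec itself; add a `#` comment above it stating why the built-in agent is turned off (it cannot load certificate keys, per the question) so the next rebase does not silently drop it, and keep macros out of that comment because rpm expands `%` even in comment lines. The Release bump the text describes is not part of this hunk; it belongs in the same patch so the two edits travel together.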
I also set Release: 1%{?dist} to Release: 50%{?dist} to prevent it from being stomped on unless there is an actual update to the package.

Rebuild the rpm (rpmbuild -bb gnome-keyring.spec)

    yum update ~/rpmbuild/RPMS/x86_64/gnome-keyring*

With the script in the location referred to above this will give you back ssh-agent as well as maintaining the login cred. + gnupg key maintenance that gnome-keyring provides.

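As an added example (not part of gladiatr72's answer), these shell functions apply the two spec edits from that answer to a spec file in place: inserting --disable-ssh-agent directly under the %configure line and setting Release to 50%{?dist}. Both are idempotent, so re-running after a fresh SRPM download is safe, and the spec fragment used for the check is a constructed sample, not the real gnome-keyring.spec. The function names and the expectation of a `%configure \` line with continued options are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the spec changes
# described in the answer (configure flag plus Release bump) to SPEC in place.
# Assumption: the spec has a line reading exactly "%configure \" followed by
# indented option lines, as in the diff shown in the answer.

# Insert "--disable-ssh-agent \" after "%configure \" unless already present.
disable_ssh_agent_in_spec() {
    spec=$1
    if grep -q -- '--disable-ssh-agent' "$spec"; then
        return 0                                   # already patched
    fi
    grep -q '^%configure \\$' "$spec" || return 1   # layout not as expected
    tmp="$spec.tmp.$$"
    awk '{ print } /^%configure \\$/ { print "   --disable-ssh-agent \\" }' \
        "$spec" > "$tmp" && mv "$tmp" "$spec"
}

# Set Release to "<n>%{?dist}" so a same-Version update does not replace it.
set_spec_release() {
    spec=$1; rel=$2
    tmp="$spec.tmp.$$"
    sed "s/^Release:[[:space:]].*/Release:        $rel%{?dist}/" "$spec" > "$tmp" \
        && mv "$tmp" "$spec"
}

# Inspection helpers: the first option after %configure, and the Release value.
configure_first_option() {
    awk 'found { print; exit } /^%configure \\$/ { found = 1 }' "$1"
}
spec_release() {
    sed -n 's/^Release:[[:space:]]*//p' "$1"
}

# Constructed sample spec fragment for trying the functions offline.
write_sample_spec() {
    cat > "$1" <<'EOF'
Name:           gnome-keyring
Version:        3.10.1
Release:        1%{?dist}

%build
%configure \
   --with-pam-dir=%{_libdir}/security \
   --enable-pam
EOF
}

# Usage: sh patch-spec.sh ~/rpmbuild/SPECS/gnome-keyring.spec
if [ -n "${1:-}" ]; then
    disable_ssh_agent_in_spec "$1" && set_spec_release "$1" 50 \
        && echo "patched: $(configure_first_option "$1") / Release: $(spec_release "$1")"
fi
```

After patching, the rpmbuild and yum update steps from the answer follow unchanged; because the edit is idempotent you can keep the script next to the SRPM and rerun it whenever you refetch the source package.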


Stats

Asked: 2012-10-16 11:58:13 -0500

Seen: 4,500 times

Last updated: May 21 '14