
#76 2016-02-09 12:23:30

The Good Doctor
From: Planet of the @pes
Registered: 2015-09-30
Posts: 695

Re: initializing gnome-keyring-daemon in autostart

I intend to report here on a series of tests I am running on ssh, ssh-agent, gpg , gpg-agent and gnome-keyring-daemon.

For starters I am setting up an ssh connection to a server using public key authentication.

I used this ubuntu wiki entry as a guideline.

I will be connecting from a portable PC (hostname 'medion') to another portable PC (hostname 'a1711', Acer 1711SMi, a 17 inch dinosaur desktop replacement PC weighing in at some 7 kilos or so). Both PCs are connected with an ethernet crossover cable.
Network interfaces are configured 'manually' using NetworkManager.
Hostnames are set in /etc/hosts:

on medion:
/etc/hosts    a1711
me@medion:~$ ip r
default via dev wlan0  proto static  metric 1024 dev wlan0  proto kernel  scope link  src dev eth0  proto kernel  scope link  src 

Follow the wiki entry to set things up.
Do use a passphrase to protect your private key, otherwise your private key will not be encrypted.

Now I am able to connect to the server using public key authentication.
But I still have to enter the passphrase - to unlock my private key - every time I connect to the server.

Enter 'ssh-add' to solve that problem:

me@medion:~/.ssh$ ssh-add
Enter passphrase for /home/me/.ssh/id_rsa: 
Identity added: /home/me/.ssh/id_rsa (/home/me/.ssh/id_rsa)

How does it work?
ssh-add talks to ssh-agent - which is listening on the socket pointed to by SSH_AGENT_SOCK - which stores the passphrase in a safe way.
Next time you try to ssh to the server, ssh talks to ssh-agent (again using the socket from above) which supplies the cached passphrase and ssh moves on.

No user intervention is needed to ssh into your server during the time period where ssh-agent caches your passphrase. This 'grace period' can be configured with the -t parameter for ssh-agent. Defaults to forever.
And you can run scripts on the client that connect to the server without user intervention.

me@medion:~/.ssh$ ssh me@a1711
Warning: Permanently added 'a1711,' (ECDSA) to the list of known hosts.

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb  9 12:09:33 2016 from

Should you want to disable the banner that is shown every time you log in to the server, then, on the server:

me@a1711:~$ sudo sed -i '/^/#/' /etc/pam.d/sshd

Log out and ssh into the server again:

me@medion:~/.ssh$ ssh me@a1711
Warning: Permanently added 'a1711,' (ECDSA) to the list of known hosts.
Last login: Tue Feb  9 12:29:33 2016 from

What if you don't want ssh-agent to cache your passphrase?
You want gnome-keyring to do the caching for you?

export $(gnome-keyring-daemon --start --components=ssh)

You now get password entry screen. Enter your user password.
You get another password entry screen. Enter your passphrase protecting your private key.
You will get your prompt back.
You are not logged into the server yet.
Connect to the server again and you will be logged into the server automatically.

When you are presented with the password entry screen, do not switch windows or switch desktop. You will not be able to switch back to the password entry screen, because that password entry screen has grabbed your keyboard. The only way to get out of this is to switch to a Virtual Console, stop X (sudo systemctl isolate and restart X (sudo systemctl isolate

The system is now in a state where both ssh-agent and gnome-keyring are caching the passphrase. But only one of those is active at any one time. Which one can be seen by running

env|grep -i ssh

if you get

me@medion:~/tmp/today$ env | grep -i ssh

then ssh-agent will provide the cached passphrase,
if you get


then gnome-keyring will provide the cached passphrase.
It is the value of SSH_AGENT_SOCK that makes the difference.

You can switch from gnome-keyring providing the passphrase to ssh-agent doing it by

eval $(ssh-agent)

Which proves that it is the setting of SSH_AGENT_SOCK that controls which application is providing the passphrase.

These tests were performed on a bunsenlabs RC2 instance installed to a btrfs subvolume.
So with
- ssh installed
- ssh-agent enabled
- no gpg
- $HOME/.config/openbox/environment set to

## GNOME Keyring
# WARNING: interpreter is dash!
export $(gnome-keyring-daemon --start --components=pkcs11,secrets)
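The post above relies on reading the agent socket variable by eye to tell which program is answering ssh. The following script is an added example written for this thread, not code from The Good Doctor or from the BunsenLabs project. It reads SSH_AUTH_SOCK, the variable name ssh and ssh-add use for the agent socket, classifies the socket by path (assumption: ssh-agent creates /tmp/ssh-XXXXXX/agent.PID, gnome-keyring-daemon creates a path containing "keyring" ending in /ssh), checks that the socket is private to the current user, and lists the loaded identities. The function names and the path conventions are the example's own assumptions.

```shell
#!/bin/sh
# Added example for this thread (not the poster's code).
# classify_agent_socket PATH -> prints: ssh-agent | gnome-keyring | unknown | none
classify_agent_socket() {
    sock="$1"
    if [ -z "$sock" ]; then
        echo none          # no agent configured in this environment
        return 0
    fi
    case "$sock" in
        */keyring*/ssh)      echo gnome-keyring ;;   # assumed gnome-keyring layout
        /tmp/ssh-*/agent.*)  echo ssh-agent ;;       # assumed ssh-agent layout
        *)                   echo unknown ;;
    esac
}

# socket_private PATH -> true when PATH is owned by the caller and mode 0600,
# i.e. no other local user can talk to the agent through it.
socket_private() {
    set -- $(ls -ld "$1")            # field 1 = mode string, field 3 = owner
    [ "$3" = "$(id -un)" ] || return 1
    case "$1" in
        ?rw-------*) return 0 ;;     # leading ? covers 's' (socket) or '-' (file)
        *)           return 1 ;;
    esac
}

# report_agent: inspect the live environment and the agent behind it.
report_agent() {
    kind=$(classify_agent_socket "${SSH_AUTH_SOCK:-}")
    echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>} -> $kind"
    [ "$kind" = none ] && return 0
    if [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "warning: SSH_AUTH_SOCK is not a socket; stale agent from an old session?"
        return 1
    fi
    socket_private "$SSH_AUTH_SOCK" || echo "warning: agent socket is readable by other users"
    # ssh-add -l exits 0 with keys loaded, 1 with none loaded, 2 if it cannot reach the agent
    ssh-add -l 2>/dev/null
    case $? in
        0) ;;
        1) echo "agent reachable, no identities loaded (run ssh-add)" ;;
        *) echo "could not contact the agent behind SSH_AUTH_SOCK" ;;
    esac
}

# usage: sh agent-report.sh --report
if [ "${1:-}" = --report ]; then
    report_agent
fi
```

Run it with `--report` in the same shell where you ran `eval $(ssh-agent)` or `export $(gnome-keyring-daemon --start --components=ssh)`; the first line tells you which program will be asked for the key, and the `ssh-add -l` output confirms whether that program actually holds an identity, which is the check to do before trusting an unattended script to log in.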


#77 2016-02-10 07:57:06

From: Nagoya, Japan
Registered: 2015-09-09
Posts: 6,789

Re: initializing gnome-keyring-daemon in autostart

^Thank you. This makes life simpler.

...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), idle Twitterings and GitStuff )
