
#76 2016-02-09 12:23:30

xaos52
The Good Doctor
From: Planet of the @pes
Registered: 2015-09-30
Posts: 695

Re: initializing gnome-keyring-daemon in autostart

I intend to report here on a series of tests I am running on ssh, ssh-agent, gpg , gpg-agent and gnome-keyring-daemon.

For starters I am setting up an ssh connection to a server using public key authentication.

I used this ubuntu wiki entry as a guideline.

I will be connecting from a portable PC (hostname 'medion') to another portable PC (hostname 'a1711', Acer 1711SMi, a 17 inch dinosaur desktop replacement PC weighing in at some 7 kilos or so). Both PCs are connected with an ethernet crossover cable.
Network interfaces are configured 'manually' using NetworkManager.
Hostnames are set in /etc/hosts:

on medion:
/etc/hosts

192.168.1.11    a1711
me@medion:~$ ip r
default via 192.168.0.1 dev wlan0  proto static  metric 1024 
192.168.0.0/24 dev wlan0  proto kernel  scope link  src 192.168.0.240 
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.10 

Follow the wiki entry to set things up.
Do use a passphrase to protect your private key, otherwise your private key will not be encrypted.

Now I am able to connect to the server using public key authentication.
But I still have to enter the passphrase - to unlock your private key - every time I connect to the server.

Enter 'ssh-add' to solve that problem:

me@medion:~/.ssh$ ssh-add
Enter passphrase for /home/me/.ssh/id_rsa: 
Identity added: /home/me/.ssh/id_rsa (/home/me/.ssh/id_rsa)

How does it work?
ssh-add talks to ssh-agent - which is listening on the socket pointed to by SSH_AUTH_SOCK - which stores the passphrase in a safe way.
Next time you try to ssh to the server, ssh talks to ssh-agent (again using the socket from above) which supplies the cached passphrase and ssh moves on.

Result:
No user intervention is needed to ssh into your server during the time period where ssh-agent caches your passphrase. This 'grace period' can be configured with the -t parameter for ssh-agent. Defaults to forever.
And you can run scripts on the client that connect to the server without user intervention.

me@medion:~/.ssh$ ssh me@a1711
Warning: Permanently added 'a1711,192.168.1.11' (ECDSA) to the list of known hosts.

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb  9 12:09:33 2016 from 192.168.1.10

Should you want to disable the banner that is shown every time you log in to the server, then, on the server:

me@a1711:~$ sudo sed -i '/pam_motd.so/s/^/#/' /etc/pam.d/sshd

Log out and ssh into the server again:

me@medion:~/.ssh$ ssh me@a1711
Warning: Permanently added 'a1711,192.168.1.11' (ECDSA) to the list of known hosts.
Last login: Tue Feb  9 12:29:33 2016 from 192.168.1.10
me@a1711:~$ 

What if you don't want ssh-agent to cache your passphrase?
You want gnome-keyring to do the caching for you?

export $(gnome-keyring-daemon --start --components=ssh)

You now get a password entry screen. Enter your user password.
You get another password entry screen. Enter your passphrase protecting your private key.
You will get your prompt back.
You are not logged into the server yet.
Connect to the server again and you will be logged into the server automatically.

!!!WARNING!!!
When you are presented with the password entry screen, do not switch windows or switch desktop. You will not be able to switch back to the password entry screen, because that password entry screen has grabbed your keyboard. The only way to get out of this is to switch to a Virtual Console, stop X (sudo systemctl isolate multi-user.target) and restart X (sudo systemctl isolate graphical.target).

The system is now in a state where both ssh-agent and gnome-keyring are caching the passphrase. But only one of those is active at any one time. Which one can be seen by running

env|grep -i ssh

if you get

me@medion:~/tmp/today$ env | grep -i ssh
SSH_AGENT_PID=1593
SSH_AUTH_SOCK=/tmp/ssh-D8KueWVYCR4R/agent.1567
OLDPWD=/home/me/.ssh

then ssh-agent will provide the cached passphrase,
if you get

SSH_AGENT_PID=777
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh

then gnome-keyring will provide the cached passphrase.
It is the value of SSH_AUTH_SOCK that makes the difference.

You can switch from gnome-keyring providing the passphrase to ssh-agent doing it by

eval $(ssh-agent)

Which proves that it is the setting of SSH_AUTH_SOCK that controls which application is providing the passphrase.

NOTE:
These tests were performed on a bunsenlabs RC2 instance installed to a btrfs subvolume.
So with
- ssh installed
- ssh-agent enabled
- no gpg
- $HOME/.config/openbox/environment set to

## GNOME Keyring
# WARNING: interpreter is dash!
export $(gnome-keyring-daemon --start --components=pkcs11,secrets)
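The post above shows that the value of SSH_AUTH_SOCK decides whether ssh-agent or gnome-keyring answers ssh. The script below is an added example, not code from the post or from BunsenLabs: it maps the socket path to the agent that conventionally creates it (using the two path patterns seen in the thread), sanity-checks the socket before trusting it (it must exist, be a UNIX socket, be owned by the current user and not be reachable by group or others), and then lists the keys the active agent holds. The path patterns, the mode check and the script name report_agent.sh are assumptions; GNU coreutils (stat -c) is assumed for the mode check.

```shell
#!/bin/sh
# Added example (not part of the forum post). Reports which program sits behind
# SSH_AUTH_SOCK and checks the socket's ownership and permissions.
# Assumptions: GNU stat (-c), the socket paths shown in the thread, and that the
# file is saved as report_agent.sh (the guard at the bottom keys on that name).

# Map an SSH_AUTH_SOCK value to the agent that conventionally creates it.
# The two patterns are the ones observed in the thread; other setups may differ.
classify_agent_socket() {
    case "$1" in
        "")                         echo "none" ;;
        /run/user/*/keyring/ssh)    echo "gnome-keyring" ;;
        /tmp/ssh-*/agent.*)         echo "ssh-agent" ;;
        *)                          echo "unknown" ;;
    esac
}

# Hygiene check on the agent socket: it must exist, be a UNIX socket, be owned
# by us, and carry no group/other permission bits (600, or 700 on some setups).
# Returns 0 when every check passes, 1 otherwise, with the reason on stderr.
check_agent_socket() {
    sock="$1"
    [ -n "$sock" ] || { echo "SSH_AUTH_SOCK is unset" >&2; return 1; }
    [ -S "$sock" ] || { echo "$sock is not a socket" >&2; return 1; }
    [ -O "$sock" ] || { echo "$sock is not owned by $(id -un)" >&2; return 1; }
    mode=$(stat -c %a "$sock") || return 1
    case "$mode" in
        600|700) return 0 ;;
        *) echo "$sock has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Print which agent is active and the identities it currently caches.
report_agent() {
    sock="${SSH_AUTH_SOCK:-}"
    printf 'SSH_AUTH_SOCK=%s\n' "$sock"
    printf 'agent: %s\n' "$(classify_agent_socket "$sock")"
    check_agent_socket "$sock" || return 1
    # ssh-add -l prints one line per cached key, or "The agent has no identities."
    ssh-add -l
}

# Only run the report when executed as report_agent.sh, so the functions can be
# sourced into another shell (". ./report_agent.sh") without side effects.
case "$0" in
    */report_agent.sh|report_agent.sh) report_agent ;;
esac
```

Run it once after `eval $(ssh-agent)` and once after `export $(gnome-keyring-daemon --start --components=ssh)` in the same terminal: the agent line flips between the two, which is the switch the post describes, and `ssh-add -l` shows whether the key is actually cached behind that socket.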


#77 2016-02-10 07:57:06

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 6,789

Re: initializing gnome-keyring-daemon in autostart

^Thank you. This makes life simpler.


...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), idle Twitterings and GitStuff )

Introduction to the Bunsenlabs Lithium Desktop

