
How do I get proper ssh-agent functionality in GNOME?

asked 2016-08-11 22:24:55 +0000

mwilck

updated 2016-08-12 14:20:17 +0000

Problem: When I try to run ssh-add under GNOME, it fails with the error message

Could not add identity "$HOME/.ssh/id_ecdsa": communication with agent failed

Background: GNOME uses gnome-keyring-daemon to provide ssh-agent functionality, but gnome-keyring-daemon is not a fully functional replacement for ssh-agent. Most importantly, it doesn't support elliptic curve keys; this has been known for five years. Another bug summarizes some of the other deficiencies of GNOME keyring. A similar problem used to exist for gnome-keyring-daemon's GPG agent functionality, which has been settled by disabling GPG in GNOME keyring.

(Note: I am not saying that the GNOME keyring daemon is bad, it's just not as feature-complete as some of the stuff it is trying to replace.)

To enable full ssh functionality, the ssh component of gnome-keyring-daemon must be replaced by the genuine ssh-agent. The following instructions demonstrate how that can be done on Fedora 24; the procedure should work on other recent Fedora releases, too. The procedure below does not disable or harm other functionality of GNOME keyring.

Disabling the ssh component of gnome-keyring-daemon

Fedora contains desktop files for the various components of GNOME keyring. Disable the ssh component by copying it to the personal configuration directory and disabling autostart for it:

mkdir -p ~/.config/autostart   # the directory does not exist on a fresh install
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart
echo "X-GNOME-Autostart-enabled=false" >>~/.config/autostart/gnome-keyring-ssh.desktop

If you want to do that for all users, edit /etc/xdg/autostart/gnome-keyring-ssh.desktop in place. (You can try to disable this autostart component using gnome-tweak-tool instead, but it didn't work for me).

Enabling pam_ssh

The pam_ssh package provides the functionality to start user sessions under ssh-agent. Again, manual editing of PAM configuration files is required. It would make sense to put pam_ssh in the common "postlogin" file, but that file might be overwritten by authconfig, which unfortunately has no pam_ssh support as of 2016. Therefore, here is a small shell script that adds pam_ssh wherever postlogin is referenced:

# Backup the contents of /etc/pam.d before running this!!
# Before leaving the root session running this script, verify that you can still log in !!
# The here-document delimiter is quoted so that the backslash-newline pairs
# required by sed's "i\" command reach the sed script unchanged.
cat >/tmp/pam_ssh.sed <<'EOF'
/session *include *postlogin/i\
session     optional      pam_ssh.so
/auth *include *postlogin/i\
auth        optional      pam_ssh.so use_first_pass keyfiles=id_ecdsa,id_dsa,id_rsa,identity
EOF
for x in /etc/pam.d/*; do
    [[ -L "$x" ]] && continue                 # skip symlinks; their targets are handled directly
    grep -q 'pam_ssh\.so' "$x" && continue    # already patched; keeps the script idempotent
    sed -i -f /tmp/pam_ssh.sed "$x"
done

If you have SELinux enabled in enforcing mode, you will have to add a custom policy module to make everything work. Create a file called pam_ssh.te with the following content:

module pam_ssh 1.0;
require {
    type ssh_agent_exec_t;
    type unconfined_t;
    class file { entrypoint };
}
#============= unconfined_t ==============
allow unconfined_t ssh_agent_exec_t:file entrypoint;

Then compile and load the policy module (requires policycoreutils-devel to be installed):

make -f /usr/share/selinux/devel/Makefile
semodule -i pam_ssh.pp

Depending on your system configuration, more SELinux tweaking may be necessary. I recommend testing in permissive mode first (setenforce 0) and running audit2allow -b to generate a suitable policy module.

I admit that this ...
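The following helper script is an added example and is not part of the original post. It packages the three checks a reader of the procedure above would want after logging back in: an idempotent version of the pam_ssh insertion (so re-running it never duplicates lines, and symlinked PAM files are skipped), a classifier that tells from SSH_AUTH_SOCK whether the session is talking to gnome-keyring-daemon or to a genuine ssh-agent, and a test that the copied autostart file really carries the disabling key. The socket locations it assumes ($XDG_RUNTIME_DIR/keyring/ssh for gnome-keyring, /tmp/ssh-*/agent.* for ssh-agent) are the defaults I know from those programs, not something stated on this page; the file names in the usage are constructed.

```shell
#!/bin/sh
# Added verification helpers for the gnome-keyring -> ssh-agent switch.
# Not from the original post; assumes the default socket paths of
# gnome-keyring-daemon ($XDG_RUNTIME_DIR/keyring/ssh) and ssh-agent
# (/tmp/ssh-XXXXXXXX/agent.<pid>).

# Insert the two pam_ssh lines in front of every "include postlogin" line of
# one PAM file, exactly once. Symlinks are skipped (their target is a regular
# file in the same directory), and a file that already references pam_ssh.so
# is left alone, so the function can be re-run safely.
add_pam_ssh() {        # usage: add_pam_ssh /etc/pam.d/<service>
    f=$1
    [ -L "$f" ] && return 0
    grep -q 'pam_ssh\.so' "$f" && return 0
    awk '
        /^session[ \t]+include[ \t]+postlogin/ {
            print "session     optional      pam_ssh.so" }
        /^auth[ \t]+include[ \t]+postlogin/ {
            print "auth        optional      pam_ssh.so use_first_pass keyfiles=id_ecdsa,id_dsa,id_rsa,identity" }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Classify an agent socket path. Prints one of: none, gnome-keyring,
# ssh-agent, unknown. Pass "$SSH_AUTH_SOCK" from a desktop session.
agent_kind() {         # usage: agent_kind "$SSH_AUTH_SOCK"
    case $1 in
        "")                            echo none ;;
        */keyring/ssh|*/keyring-*/ssh) echo gnome-keyring ;;   # gnome-keyring-daemon
        /tmp/ssh-*/agent.*)            echo ssh-agent ;;       # genuine OpenSSH agent
        *)                             echo unknown ;;
    esac
}

# True (exit 0) when the per-user copy of gnome-keyring-ssh.desktop exists
# and contains the line that switches autostart off.
autostart_disabled() { # usage: autostart_disabled ~/.config/autostart/gnome-keyring-ssh.desktop
    [ -f "$1" ] && grep -qx 'X-GNOME-Autostart-enabled=false' "$1"
}

# Human-readable report for the current session; run as "sh thisfile.sh report".
report() {
    echo "agent socket: ${SSH_AUTH_SOCK:-<unset>} ($(agent_kind "${SSH_AUTH_SOCK-}"))"
    if autostart_disabled "$HOME/.config/autostart/gnome-keyring-ssh.desktop"; then
        echo "gnome-keyring ssh autostart: disabled for this user"
    else
        echo "gnome-keyring ssh autostart: still enabled (or no per-user override file)"
    fi
    ssh-add -l 2>&1 | sed 's/^/ssh-add -l: /'
}

if [ "${1-}" = report ]; then
    report
fi
```

A session where the procedure worked reports a socket of kind ssh-agent and an ssh-add -l listing that includes the ECDSA key; a kind of gnome-keyring means the autostart entry is still winning and the desktop file override should be checked first.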


Comments

This does not work in Fedora 24; there is no ~/.config/autostart directory.

l0b0 ( 2016-08-23 12:29:26 +0000 )

Please try to create that directory and then proceed as described.

mwilck ( 2016-09-09 11:18:23 +0000 )

2 answers


answered 2016-08-12 09:24:03 +0000

mwilck

This is a pseudo-answer - my original posting already contains the solution.


answered 2016-09-09 11:16:35 +0000

mwilck

See this page for an alternative approach to the same problem using a systemd user session.


Comments

Thank you for this excellent post. I learned today that Wayland required GSM_SKIP_SSH_AGENT_WORKAROUND="true" to be set or it overwrites SSH_AUTH_SOCK. The following modification to your systemd solution works well:

ExecStartPost=/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=${SSH_AUTH_SOCK} GSM_SKIP_SSH_AGENT_WORKAROUND="true"

(see: https://git.gnome.org/browse/gnome-se... )

erreu ( 2017-04-20 23:38:25 +0000 )
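To show where the ExecStartPost line from the comment above fits, here is a complete systemd user unit as an added example; it is not the unit from the page the answer links to, and the socket path under %t (the user's runtime directory) and the ExecStartPre cleanup are my choices. ssh-agent's -D keeps it in the foreground for systemd and -a pins the socket to a fixed path, which is what lets the unit export a known SSH_AUTH_SOCK to the user session; GSM_SKIP_SSH_AGENT_WORKAROUND stops gnome-session from replacing that value under Wayland, as the comment describes.

```ini
# ~/.config/systemd/user/ssh-agent.service  (added example, not from the page)
[Unit]
Description=OpenSSH agent for the user session

[Service]
# Fixed socket location; %t expands to $XDG_RUNTIME_DIR
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
# ssh-agent refuses to start if the socket file is left over from a crash
ExecStartPre=-/bin/rm -f %t/ssh-agent.socket
# -D: stay in the foreground; -a: bind the agent to the path above
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
# Export the socket to the user session and keep gnome-session from overriding it (Wayland)
ExecStartPost=/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=${SSH_AUTH_SOCK} GSM_SKIP_SSH_AGENT_WORKAROUND="true"

[Install]
WantedBy=default.target
```

Enable it with `systemctl --user enable --now ssh-agent.service`; after the next login, `echo $SSH_AUTH_SOCK` in a GNOME terminal should print the %t/ssh-agent.socket path rather than gnome-keyring's keyring/ssh socket, and `ssh-add` of an ECDSA key should succeed.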
