How do I get proper ssh-agent functionality in GNOME?

asked 2016-08-11 17:24:55 -0600

mwilck

updated 2016-08-12 09:20:17 -0600

Problem: When I try to run ssh-add under GNOME, it fails with the error message

Could not add identity "$HOME/.ssh/id_ecdsa": communication with agent failed

Background: GNOME uses gnome-keyring-daemon to provide ssh-agent functionality, but gnome-keyring-daemon is not a fully functional replacement for ssh-agent. Most importantly, it doesn't support elliptic curve keys; this has been known for five years. Another bug summarizes some of the other deficiencies of gnome keyring. A similar problem used to exist for gnome-keyring-daemon's GPG agent functionality, which has been settled by disabling GPG in GNOME keyring.

(Note: I am not saying that the GNOME keyring daemon is bad, it's just not as feature-complete as some of the stuff it is trying to replace.)

To enable full ssh functionality, the ssh component of gnome-keyring-daemon must be replaced by the genuine ssh-agent. The following instructions demonstrate how that can be done on Fedora 24; the procedure should work on other recent Fedora releases, too. The procedure below does not disable or harm other functionality of GNOME keyring.

Disabling the ssh component of gnome-keyring-daemon

Fedora contains desktop files for the various components of GNOME keyring. Disable the ssh component by copying it to the personal configuration directory and disabling autostart for it:

cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart
echo "X-GNOME-Autostart-enabled=false" >>~/.config/autostart/gnome-keyring-ssh.desktop

If you want to do that for all users, edit /etc/xdg/autostart/gnome-keyring-ssh.desktop in place. (You can try to disable this autostart component using gnome-tweak-tool instead, but it didn't work for me).

Enabling pam_ssh

The pam_ssh package provides the functionality to start user sessions under ssh-agent. Again, manual editing of PAM configuration files is required. It would make sense to put pam_ssh in the common "postlogin" file, but that file might be overwritten by authconfig, which unfortunately has no pam_ssh support as of 2016. Therefore, here is a small shell script that adds pam_ssh wherever postlogin is referenced:

# Backup the contents of /etc/pam.d before running this!!
# Before leaving the root session running this script, verify that you can still log in !!
# The heredoc delimiter is quoted so the shell keeps the trailing backslashes
# that sed's "i\" command needs (an unquoted heredoc drops "\<newline>").
cat >/tmp/pam_ssh.sed <<'EOF'
/session *include *postlogin/i\
session     optional      pam_ssh.so
/auth *include *postlogin/i\
auth        optional      pam_ssh.so use_first_pass keyfiles=id_ecdsa,id_dsa,id_rsa,identity
EOF
for x in /etc/pam.d/*; do
    [[ -L "$x" ]] && continue                 # skip symlinks (e.g. files managed by authconfig)
    grep -q 'pam_ssh\.so' "$x" && continue    # already patched; keeps re-runs from duplicating lines
    sed -i -f /tmp/pam_ssh.sed "$x"
done

If you have SELinux enabled in enforcing mode, you will have to add a custom policy module to make everything work. Create a file called pam_ssh.te with the following content:

module pam_ssh 1.0;
require {
    type ssh_agent_exec_t;
    type unconfined_t;
    class file { entrypoint };
}
#============= unconfined_t ==============
allow unconfined_t ssh_agent_exec_t:file entrypoint;

Then compile and load the policy module (requires policycoreutils-devel to be installed):

make -f  /usr/share/selinux/devel/Makefile
semodule -i pam_ssh.pp

Depending on your system configuration, more SELinux tweaking may be necessary. I recommend testing in permissive mode first (setenforce 0) and running audit2allow -b to generate a suitable policy module.

I admit that this ...

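To check which program actually sits behind SSH_AUTH_SOCK after the steps above (the "communication with agent failed" error is what the post attributes to gnome-keyring-daemon's agent), here is an added diagnostic script; it is not from the post, it is Linux-specific (it reads /proc), and the names listening_inode, pid_holding_inode and classify_agent are its own.

```python
#!/usr/bin/env python3
"""Which process serves $SSH_AUTH_SOCK? Added example, not from the post (Linux only)."""
import os
from pathlib import Path


def listening_inode(proc_net_unix, sock_path):
    """Inode of the listening unix socket bound to sock_path, or None.
    Columns of /proc/net/unix: Num RefCount Protocol Flags Type St Inode Path;
    a listening socket carries Flags 00010000 (__SO_ACCEPTCON)."""
    for line in proc_net_unix.splitlines():
        f = line.split()
        if len(f) >= 8 and f[7] == sock_path and f[3] == "00010000":
            return int(f[6])
    return None


def pid_holding_inode(inode, proc="/proc"):
    """PID whose fd table references socket:[inode], or None if none is visible."""
    target = f"socket:[{inode}]"
    for pid_dir in Path(proc).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            for fd in (pid_dir / "fd").iterdir():
                if os.readlink(fd) == target:
                    return int(pid_dir.name)
        except OSError:  # process exited, or another user's fd table (EACCES)
            continue
    return None


def classify_agent(comm):
    """Verdict from /proc/<pid>/comm (the kernel truncates names to 15 chars)."""
    if comm == "ssh-agent":
        return "ssh-agent"
    if comm.startswith("gnome-keyring"):  # also matches the truncated "gnome-keyring-d"
        return "gnome-keyring-daemon"
    return "unknown"


if __name__ == "__main__":
    sock = os.path.realpath(os.environ.get("SSH_AUTH_SOCK", ""))
    inode = listening_inode(Path("/proc/net/unix").read_text(), sock)
    pid = pid_holding_inode(inode) if inode else None
    comm = Path(f"/proc/{pid}/comm").read_text().strip() if pid else ""
    print(f"{sock}: inode={inode} pid={pid} agent={classify_agent(comm)}")
```

Run it as the logged-in user inside the GNOME session; if it reports gnome-keyring-daemon, the autostart entry is still active or the session was not restarted.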

Comments

Please try to create that directory and then proceed as described.

mwilck (2016-09-09 06:18:23 -0600)

Since the introduction of authconfig's postlogin hook, it seems to place the generated file in /etc/pam.d/postlogin-ac, and /etc/pam.d/postlogin is just a symlink to that file. Is there a reason you don't want to just remove that symlink and create your own postlogin that'll load pam_ssh and include postlogin-ac, instead of doing the sed hackery above?

m132 (2018-04-07 11:13:45 -0600)

As @m132 said, PAM can be set up more easily. Copy /etc/pam.d/postlogin-ac to /etc/pam.d/postlogin, add a file ssh-agent with the contents

session optional pam_ssh.so
auth optional pam_ssh.so use_first_pass keyfiles=id_ed25519,id_ecdsa,id_dsa,id_rsa,identity

and add the lines

session include ssh-agent
auth include ssh-agent

to /etc/pam.d/postlogin.

Maage (2018-10-11 13:28:59 -0600)

2 Answers


answered 2016-08-12 04:24:03 -0600

mwilck

This is a pseudo-answer - my original posting already contains the solution.


answered 2016-09-09 06:16:35 -0600

mwilck

See this page for an alternative approach to the same problem using a systemd user session.


Comments

Thank you for this excellent post. I learned today that Wayland required GSM_SKIP_SSH_AGENT_WORKAROUND="true" to be set or it overwrites SSH_AUTH_SOCK. The following modification to your systemd solution works well:

ExecStartPost=/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=${SSH_AUTH_SOCK} GSM_SKIP_SSH_AGENT_WORKAROUND="true"

(see: https://git.gnome.org/browse/gnome-se... )

erreu (2017-04-20 18:38:25 -0600)

Stats

Seen: 5,136 times

Last updated: Sep 09 '16