How do I get proper ssh-agent functionality in GNOME?

Problem: When I try to run ssh-add under GNOME, it fails with the error message

Could not add identity "$HOME/.ssh/id_ecdsa": communication with agent failed

Background: GNOME uses gnome-keyring-daemon to provide ssh-agent functionality, but gnome-keyring-daemon is not a fully functional replacement for ssh-agent. Most importantly, it doesn't support elliptic curve keys; this has been known for five years. Another bug summarizes some of the other deficiencies of GNOME keyring. A similar problem used to exist for gnome-keyring-daemon's GPG agent functionality, which has been settled by disabling GPG in GNOME keyring.

(Note: I am not saying that the GNOME keyring daemon is bad, it's just not as feature-complete as some of the stuff it is trying to replace.)

To enable full ssh functionality, the ssh component of gnome-keyring-daemon must be replaced by the genuine ssh-agent. The following instructions demonstrate how that can be done on Fedora 24; the procedure should work on other recent Fedora releases, too. The procedure below does not disable or harm other functionality of GNOME keyring.

Disabling the ssh component of gnome-keyring-daemon

Fedora contains desktop files for the various components of GNOME keyring. Disable the ssh component by copying it to the personal configuration directory and disabling autostart for it:

mkdir -p ~/.config/autostart
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart
echo "X-GNOME-Autostart-enabled=false" >>~/.config/autostart/gnome-keyring-ssh.desktop

If you want to do that for all users, edit /etc/xdg/autostart/gnome-keyring-ssh.desktop in place. (You can try to disable this autostart component using gnome-tweak-tool instead, but it didn't work for me.)

In Fedora 24, gnome-keyring-daemon is actually not started via the GNOME/XDG autostart mechanism, but via PAM. This functionality is provided by the package gnome-keyring-pam. The package can't simply be uninstalled without breaking major dependencies. Instead, the files in /etc/pam.d need to be hand-edited: lines containing "pam_gnome_keyring.so auto_start" need to be removed or commented out.

# Backup the contents of /etc/pam.d before running this!!!!
# Before leaving the root session running this script, verify that you can still log in !!
for x in /etc/pam.d/*; do 
    [[ -L "$x" ]] && continue
    sed -i '/pam_gnome_keyring.so *auto_start/s/^/## DISABLED ## /' "$x"
done

Note that this doesn't completely disable the gnome-keyring PAM functionality; just the autostart of the daemon.

Enabling pam_ssh

The pam_ssh package provides the functionality to start user sessions under ssh-agent. Again, manual editing of PAM configuration files is required. It would make sense to put pam_ssh in the common "postlogin" file, but that file might be overwritten by authconfig, which unfortunately has no pam_ssh support as of 2016. Therefore, here is a small shell script that adds pam_ssh wherever postlogin is referenced:

# Backup the contents of /etc/pam.d before running this!!
# Before leaving the root session running this script, verify that you can still log in !!
# Run this only once: it inserts the pam_ssh lines unconditionally, so a second run duplicates them.
# The sed script goes into a private temporary file instead of a fixed name in /tmp, and the
# quoted 'EOF' stops the shell from eating the backslash-newline after each "i\" command.
sedscript=$(mktemp)
cat >"$sedscript" <<'EOF'
/session *include *postlogin/i\
session     optional      pam_ssh.so
/auth *include *postlogin/i\
auth        optional      pam_ssh.so use_first_pass keyfiles=id_ecdsa,id_dsa,id_rsa,identity
EOF
for x in /etc/pam.d/*; do
    [[ -L "$x" ]] && continue
    sed -i -f "$sedscript" "$x"
done
rm -f "$sedscript"

If you have SELinux enabled in enforcing mode, you will have to add a custom policy module to make everything work. Create a file called pam_ssh.te with the following content:

module pam_ssh 1.0;
require {
    type ssh_agent_exec_t;
    type unconfined_t;
    class file { entrypoint };
}
#============= unconfined_t ==============
allow unconfined_t ssh_agent_exec_t:file entrypoint;

Then compile and load the policy module (requires policycoreutils-devel to be installed):

make -f /usr/share/selinux/devel/Makefile
semodule -i pam_ssh.pp

Depending on your system configuration, more SELinux tweaking may be necessary. I recommend testing in permissive mode first (setenforce 0) and running audit2allow -b to generate a suitable policy module.
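Because both PAM edits above are done by hand with sed, it is worth being able to check the result without touching anything. The following read-only audit script is an added example and is not part of the original post or of Fedora; it scans a /etc/pam.d-style directory, skipping symlinks exactly as the edit scripts do, and reports (a) how many "pam_gnome_keyring.so auto_start" lines are still active and (b) how many "auth/session include postlogin" lines are not immediately preceded by a pam_ssh.so line. The function names, the sample PAM files it builds for demonstration, and the file name gdm-password are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): read-only audit of a PAM config
# directory for the two edits described above.
#   pam_keyring_autostart_count DIR -> active "pam_gnome_keyring.so auto_start" lines
#   pam_ssh_missing_count DIR       -> "auth|session include postlogin" lines with no
#                                      pam_ssh.so line of the same type directly before them
# Symlinks are skipped, as in the edit scripts; nothing is modified.

pam_keyring_autostart_count() {
    local dir f c total
    dir=$1; total=0
    for f in "$dir"/*; do
        [ -L "$f" ] && continue
        [ -f "$f" ] || continue
        c=$(awk '
            /^[ \t]*#/ { next }   # commented-out lines (e.g. "## DISABLED ##") are inactive
            /pam_gnome_keyring\.so[ \t]+auto_start/ { n++ }
            END { print n + 0 }' "$f")
        total=$((total + c))
    done
    echo "$total"
}

pam_ssh_missing_count() {
    local dir f c total
    dir=$1; total=0
    for f in "$dir"/*; do
        [ -L "$f" ] && continue
        [ -f "$f" ] || continue
        c=$(awk '
            /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
            $1 ~ /^(auth|session)$/ && $2 == "include" && $3 == "postlogin" {
                # the sed script inserts "TYPE optional pam_ssh.so" right before this line
                if (!(prev_type == $1 && prev_mod == "pam_ssh.so")) missing++
            }
            { prev_type = $1; prev_mod = $3 }  # remember the last active line
            END { print missing + 0 }' "$f")
        total=$((total + c))
    done
    echo "$total"
}

# Constructed sample PAM files (not copied from any real system): "before" is a
# stock-style layout, "after" is the same file once both edit scripts have run.
# A symlink is added to each fixture to show that it is ignored.
make_fixture() {
    local d
    d=$(mktemp -d)
    case $1 in
    before)
        cat >"$d/gdm-password" <<'EOF'
auth       substack      password-auth
auth       include       postlogin
session    optional      pam_gnome_keyring.so auto_start
session    include       postlogin
EOF
        ;;
    after)
        cat >"$d/gdm-password" <<'EOF'
auth       substack      password-auth
auth        optional      pam_ssh.so use_first_pass keyfiles=id_ecdsa,id_dsa,id_rsa,identity
auth       include       postlogin
## DISABLED ## session    optional      pam_gnome_keyring.so auto_start
session     optional      pam_ssh.so
session    include       postlogin
EOF
        ;;
    esac
    ln -s gdm-password "$d/gdm-autologin"
    echo "$d"
}

# Usage on a live system (read-only): sh pam_audit.sh /etc/pam.d
if [ -n "${1-}" ]; then
    echo "active pam_gnome_keyring auto_start lines: $(pam_keyring_autostart_count "$1")"
    echo "postlogin includes without pam_ssh.so:      $(pam_ssh_missing_count "$1")"
fi
```

On a correctly edited system both counters should be 0; a non-zero first counter means a file still auto-starts gnome-keyring-daemon through PAM (typically one that was a symlink and therefore skipped), and a non-zero second counter points at a postlogin include the sed script did not reach.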

I admit that this isn't actually a question because it includes the answer already, yet I thought this was the right place for this post.