DTEK

Web Strategy for Progressive Causes and Big Ideas

How to stop Gnome Keyring from clobbering OpenSSH's ssh-agent on Ubuntu 12.04

Wed, 09/19/2012 - 10:59pm -- Andy

Recently, installing Ubuntu on a new machine for the first time in a while, I was reminded of some obnoxious and potentially dangerous behavior regarding the SSH agent (as articulated by my friend dkg a few years ago). In particular, Gnome Keyring is started by default, has some behavior that I don't like, and is difficult to disable in favor of the ssh-agent provided by OpenSSH, which I prefer. The Gnome Keyring behavior I don't like is:

  • It loads all keys in ~/.ssh automatically at startup
  • You cannot remove these keys, even with ssh-add -D, and...
  • The agent does not respect certain important constraints on added keys, such as the -c option, which should make the agent ask me to confirm each use of a loaded key

arh1@wizzo:~$ ssh-add -l
2048 85:2f:aa:53:6d:f4:8b:9e:91:61:21:f3:84:23:79:7f arh1@test (RSA)
2048 54:34:19:d2:a8:57:de:fe:03:4f:68:c7:5a:b9:ea:1f arh1@wizzo (RSA)
arh1@wizzo:~$ ssh-add -c
Enter passphrase for /home/arh1/.ssh/id_rsa: 
Identity added: /home/arh1/.ssh/id_rsa (/home/arh1/.ssh/id_rsa)
The user must confirm each use of the key # NOTE: This constraint is NOT respected
arh1@wizzo:~$ ssh-add -D
All identities removed.
arh1@wizzo:~$ ssh-add -l
2048 85:2f:aa:53:6d:f4:8b:9e:91:61:21:f3:84:23:79:7f arh1@test (RSA)
2048 54:34:19:d2:a8:57:de:fe:03:4f:68:c7:5a:b9:ea:1f arh1@wizzo (RSA)
arh1@wizzo:~$

For these reasons, I would much rather use OpenSSH's implementation of ssh-agent, but keeping Gnome Keyring from clobbering it took a little digging. Per Gnome's documentation, I can disable its SSH agent to use the one I prefer. Simply keeping the Gnome Keyring SSH Agent daemon from starting automatically with Unity does the trick, but as of Ubuntu 12.04 (Precise Pangolin), many startup applications are hidden from the Startup Applications manager by default.

To "unhide" the Gnome Keyring SSH Agent daemon, I changed NoDisplay=true to NoDisplay=false in Gnome Keyring's SSH Agent autostart .desktop file:

arh1@wizzo:~$ sudo vim /etc/xdg/autostart/gnome-keyring-ssh.desktop 
[sudo] password for arh1: 
arh1@wizzo:~$

At that point, "SSH Key Agent - GNOME Keyring: SSH Agent" appeared in the Startup Applications manager.

From there, I could uncheck the GNOME Keyring SSH Agent in the Startup Applications manager, restart my Unity session, and I was back to my trusty OpenSSH ssh-agent:

arh1@wizzo:~$ ssh-add -l
The agent has no identities.
arh1@wizzo:~$ ssh-add -c
Enter passphrase for /home/arh1/.ssh/id_rsa: 
Identity added: /home/arh1/.ssh/id_rsa (/home/arh1/.ssh/id_rsa)
The user must confirm each use of the key # Now this constraint IS respected
arh1@wizzo:~$ ssh-add -l
2048 85:2f:aa:53:6d:f4:8b:9e:91:61:21:f3:84:23:79:7f /home/arh1/.ssh/id_rsa (RSA)
arh1@wizzo:~$ ssh-add -D
All identities removed.
arh1@wizzo:~$ ssh-add -l
The agent has no identities.
arh1@wizzo:~$ 
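A per-user way to get the same result without editing the system file under /etc/xdg, added here as an example and not part of the original post: the XDG autostart spec lets a file of the same name in ~/.config/autostart override the system entry, and Hidden=true disables it, so the override survives a package upgrade that rewrites /etc/xdg/autostart/gnome-keyring-ssh.desktop. The socket-path classification is an assumption about where each agent puts its socket (gnome-keyring under a "keyring" directory, OpenSSH under /tmp/ssh-XXXXXX/agent.PID); the function and variable names are mine.

```shell
#!/bin/sh
# Added example: classify the agent behind SSH_AUTH_SOCK and disable the
# GNOME Keyring SSH component with a per-user XDG autostart override.

# Print "gnome-keyring", "openssh" or "unknown" for a socket path.
# Assumption: keyring sockets look like /tmp/keyring-XXXXXX/ssh (Ubuntu 12.04)
# or /run/user/UID/keyring/ssh; OpenSSH sockets like /tmp/ssh-XXXXXX/agent.PID.
classify_agent_socket() {
    sock="$1"
    case "$sock" in
        */keyring*/ssh)   echo gnome-keyring ;;
        */ssh-*/agent.*)  echo openssh ;;
        *)                echo unknown ;;
    esac
}

# Write $dir/gnome-keyring-ssh.desktop as a copy of the system entry with
# Hidden=true appended. X-GNOME-Autostart-enabled=false is what the Startup
# Applications manager itself writes when an entry is unchecked.
# $1: user autostart dir (default ~/.config/autostart)
# $2: system entry to copy (default the Ubuntu 12.04 path from the post)
disable_keyring_ssh_autostart() {
    dir="${1:-$HOME/.config/autostart}"
    src="${2:-/etc/xdg/autostart/gnome-keyring-ssh.desktop}"
    dst="$dir/gnome-keyring-ssh.desktop"
    mkdir -p "$dir"
    if [ -r "$src" ]; then
        # Keep the system entry's fields, dropping any existing Hidden= line.
        grep -v '^Hidden=' "$src" > "$dst"
    else
        # Constructed minimal entry for hosts without the system file.
        printf '[Desktop Entry]\nType=Application\nName=SSH Key Agent\nExec=true\n' > "$dst"
    fi
    printf 'Hidden=true\nX-GNOME-Autostart-enabled=false\n' >> "$dst"
    echo "$dst"
}

# Return 0 if the per-user override exists and is marked Hidden=true.
keyring_ssh_autostart_disabled() {
    f="${1:-$HOME/.config/autostart}/gnome-keyring-ssh.desktop"
    if [ -f "$f" ] && grep -q '^Hidden=true' "$f"; then
        return 0
    fi
    return 1
}

# Usage from a login shell:
#   echo "agent: $(classify_agent_socket "$SSH_AUTH_SOCK")"
#   disable_keyring_ssh_autostart && keyring_ssh_autostart_disabled && echo disabled
```

After logging out and back in, `ssh-add -l` should report "The agent has no identities." as in the post, and `classify_agent_socket "$SSH_AUTH_SOCK"` should print openssh.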

Comments

Submitted by Matt Levavi (not verified) on

I couldn't figure out how come even with ssh-agent killed I was not being prompted for ssh key passphrases. This was helpful.

Thanks.

Submitted by Mansha (not verified) on

Uh, are you sure? The upstream report is closed as FIXED with the implication that it's in 3.4.0, and we certainly have 3.4.0 in F17. I have not noticed such a bug at all on my desktop; ssh key handling works fine.

Submitted by Andy on

The behavior above was on a new laptop with a clean installation of Pangolin. Are you also running Pangolin and Gnome Keyring on your desktop?

Submitted by Fred (not verified) on

What do you mean? A couple of weeks back I even clicked the checkbox in the new Shell "enter passphrase" dialog, and my SSH key gets automatically unlocked on login.

Submitted by Andy on

The SSH keys getting automatically loaded at login is part of the behavior I don't like. Maybe you disagree, though!

Submitted by Tobi (not verified) on

Nice work, and I hoped it would help me with my ssh problem, but it didn't.
In my case all my servers deny a certain key when used on my Lubuntu which is locally installed on my laptop. But when I use exactly the same key on my Lubuntu as a virtual machine (VMware under Windows 7), then login is granted. As well, I can access the servers with the same key from my workplace (CentOS 6.3). Just my locally installed Lubuntu on my laptop does not work. On the server side I can see in the logs that the key is denied. I compared md5sums of the key; they're identical.
So I saw your post and tried whether this could be the problem in my case, but unfortunately it is not.
