cosmic-epoch
[Issue] SSH key management
With GNOME the keyring is unlocked once you have logged in; currently ssh-agent does not start, so you need to manually start it in each terminal and use ssh-add to add the keys manually as well.
Personally, I never liked how gnome handled ssh keys. There is a package available named "keychain" in the standard repos. It takes a little effort to configure via your login shell, and IIRC you would need to type your password for each key added once per login.
Potentially related to https://github.com/pop-os/cosmic-epoch/issues/257
I created a small fix here, to add ssh-agent at the bottom of the stack, like we used to do back in the 90s: https://github.com/pop-os/cosmic-session/pull/48 That way you only have to run ssh-add once and then it will work for all your windows.
Here's my solution, in case others may find it useful. I use alacritty for my terminal emulator and always ssh into a server through it (well, actually via zellij after alacritty, but that's not relevant to this). The way I start alacritty is with a shortcut, which is Ctrl+Alt+T. Previously, I just had this bound to alacritty. I changed it to ssh-agent alacritty and voila, alacritty starts and ssh-agent is running until that instance of alacritty ends (? I'm not sure that's how to phrase it).
I also added the following to my ~/.ssh/config so keys are automatically added after first time using ssh:
Host *
AddKeysToAgent yes
Source: https://super-unix.com/unixlinux/start-a-system-wide-ssh-agent/
Do you think that it might be a good idea to have a config with extra processes that are spawned (and then managed) by cosmic-session? As in providing a similar configuration option to how processes can be managed with sway (example), with the caveat that most things are managed by cosmic-session itself.
I can do a PR for this if this sounds like it's worth implementing
It sounds like a good idea, and if we are happy to keep ssh separate from the keyring, then it will probably simplify the implementation.
But one thing to think about is how to handle adding of new keys by providing modal UI popups.
I think gnome keyring is unlocked by a PAM module on login, and then attempts to add all keys based on those credentials. If you use a key with another password, it will prompt you. They still lack support for hardware keys, like Yubikey. Well, it works, but I would like a modal dialog saying "Touch Yubikey to confirm presence.".
So, I guess there are benefits to integrating ssh with the keyring, so possibly add it to oo7? Gnome keyring still just spawns ssh-agent under the hood, so there is not really any magic there except trying to auto-add your keys on startup.
It sounds like a good idea, and if we are happy to keep ssh separate from the keyring, then it will probably simplify the implementation.
Well, this would be more of a stop-gap to set up services not handled yet by Cosmic, or for things that a specific user wants, without resorting to creating hidden desktop entries or systemd user services. I think eventually it should be handled without user configuration.
So, I guess there are benefits to integrating ssh with the keyring, so possibly add it to oo7?
I checked out oo7 yesterday. Right now there is a sizeable PR for adding server mode to oo7, close to 2400 lines, and it looks like it was branched from main a few months ago. Personally, I'd rather wait until that's merged before attempting to contribute.
As a temporary workaround, I've added this to my .profile:
    # Only act when the session has not already provided an agent socket.
    if [ -z "$SSH_AUTH_SOCK" ]; then
        # gcr-ssh-agent listens on this socket under the user's runtime directory.
        GCR_SSH_SOCK="/run/user/$(id -u)/gcr/ssh"
        if [ -S "$GCR_SSH_SOCK" ]; then
            export SSH_AUTH_SOCK="$GCR_SSH_SOCK"
        fi
    fi
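As an added example (not code from this thread or from cosmic-session), the snippet above generalised into one function for ~/.profile: it adopts a socket the session already provides (gcr-ssh-agent or gnome-keyring, at the runtime-dir paths quoted in this thread) and only otherwise starts a single ssh-agent whose environment is cached in a file, so every later terminal shares it, as the "ssh-agent at the bottom of the stack" approach intends. The cache file name and the function names are assumptions of this example.

```shell
# Print the first argument that is a unix socket; exit status 1 if none is.
first_socket() {
    for candidate in "$@"; do
        if [ -n "$candidate" ] && [ -S "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Resolve SSH_AUTH_SOCK for this login.
#   $1: runtime dir (normally $XDG_RUNTIME_DIR, i.e. /run/user/$UID)
#   $2: file in which a self-started agent's environment is cached (assumed name)
# Returns 0 with SSH_AUTH_SOCK exported and pointing at a live socket, else 1.
setup_ssh_agent() {
    runtime_dir=$1
    cache=$2
    # 1. Prefer an agent the desktop session already started (order matters:
    #    an inherited SSH_AUTH_SOCK, then gcr-ssh-agent, then gnome-keyring).
    if sock=$(first_socket "$SSH_AUTH_SOCK" \
                           "$runtime_dir/gcr/ssh" \
                           "$runtime_dir/keyring/ssh"); then
        export SSH_AUTH_SOCK="$sock"
        return 0
    fi
    # 2. Reuse an agent this function started in an earlier shell, if its
    #    socket still exists (the cache holds ssh-agent's export lines).
    if [ -r "$cache" ]; then
        . "$cache" >/dev/null
        [ -S "$SSH_AUTH_SOCK" ] && return 0
    fi
    # 3. Nothing usable: start exactly one agent and cache its environment.
    #    The subshell keeps the restrictive umask from leaking into the login shell.
    command -v ssh-agent >/dev/null 2>&1 || return 1
    (umask 077; ssh-agent -s > "$cache") || return 1
    . "$cache" >/dev/null
    [ -S "$SSH_AUTH_SOCK" ]
}

# Typical use from ~/.profile (then `ssh-add -l` in any terminal confirms the
# shared agent answers; with AddKeysToAgent yes, keys are added on first use):
# setup_ssh_agent "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" "$HOME/.ssh/agent.env"
```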
You can use the gcr-4 package; I use this on Arch. After you install gcr-4 you can enable the systemd user unit:
systemctl --user enable gcr-ssh-agent.socket
this will at least autostart ssh-agent with the system
Run ssh-add -l to see if it will list the added keys.
source: ArchWiki - 5 SSH keys
Using keychain is another way of getting around this for right now and I believe it will also add the keys (once you set the correct path if the filename is non-standard).
@ahoneybun gcr is simpler and requires no setup besides 2 commands: to install gcr and to enable the systemd user unit.
I did not know about this until I had a problem with Cosmic and Gnome not starting ssh-agent and not remembering the ssh keys I added (had to start the agent and add the key manually every time).
Now gcr does all the work; it'll work on any distro and any DE (I did many tests).
I'm not sure what I was missing from all the ways to get this working that others brought up, but here's what worked for me:
- start kitty (or another terminal) with ssh-agent: ssh-agent kitty. Also works starting fish (or another shell) if you don't want to spawn a new terminal: ssh-agent fish
- in the new terminal, check for keys: ssh-add -l. We're expecting no "Could not open a connection to your authentication agent". If you get that, you probably fucked up step 1.
- if a key is missing, ssh-add will grab a few keys to add. If you need a specific key that's not added automatically: ssh-add /path/to/private/key
then I was able to use my SSH key correctly
It seems this issue is resolved on cosmic-term Version: 0.1.0~1760020302~24.04~ff30ca7 (before, I needed to run eval $(ssh-agent -s) && ssh-add <my key> in every new term).
ps aux | grep -E 'ssh-agent|gcr-ssh-agent|gnome-keyring-daemon'
... /usr/bin/gnome-keyring-daemon --foreground --components=pkcs11,secrets --control-directory=/run/user/1000/keyring
... /usr/libexec/gcr-ssh-agent --base-dir /run/user/1000/gcr
These both seem to be running close to startup time with low PIDs (unclear if both need to be running; I think I only want gcr-ssh-agent).
# after running `git pull` that requires ssh, the agent starts automatically:
... /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh
So there is some hook now that starts the agent we need it seems.