Ubuntu 17.04, openssh certificates, ssh-agent and fights with gnome-session + gnome-keyring-ssh

Hey folks,

I decided it was time to upgrade my SSH key, so I set about creating a new one. I reacquainted myself with ssh-keygen, created a key with recommended options, and then worried because it was failing to work.

... I then found out that the recommended options which cover for some of keygen's previous format limitations are not supported by gnome-keyring-ssh. So, I found the instructions for turning off gnome-keyring-ssh and turning on normal ssh-agent.

... but then I realised my keys still weren't propagating to programs I ran (primarily ssh + rsync using ssh from command line).

So I hacked around it with some stuff in .bashrc (I know, not pretty).

    export SSH_AGENT_PID="${SSH_AGENT_PID:-$(ps -o pid,ppid,command -u $(whoami) | grep '[s]sh-agent' | head -n 1 | awk '{print $1}')}"
    export SSH_AGENT_PPID="${SSH_AGENT_PPID:-$(ps -o pid,ppid,command -u $(whoami) | grep '[s]sh-agent' | head -n 1 | awk '{print $2}')}"
    export SSH_AUTH_SOCK="${SSH_AUTH_SOCK:-$(find /tmp -mindepth 2 -maxdepth 2 -name "agent.${SSH_AGENT_PPID}" 2>/dev/null | head -n 1)}"

... and this worked for a little bit, but then I found that:

1. This wasn't propagating to programs invoked from launcher (think Remmina)
2. That an update of some sort was now messing with the SSH_AUTH_SOCK variable

I tweaked my bashrc hack job:

    export SSH_AUTH_SOCK="$(find /tmp -mindepth 2 -maxdepth 2 -name "agent.${SSH_AGENT_PPID}" 2>/dev/null | head -n 1)"

... but then wondered about:

1. Why was something that looked like gnome-keyring-ssh setting the path in SSH_AUTH_SOCK to something that didn't exist
2. How I could have the right variables set early enough that things "just work" for both command line and GUI launched apps

Doing some reading, it seems like some hacks have been made to gnome-session and friends on the assumption that gnome-keyring is the default, so SSH_AUTH_SOCK should always point to where it puts things.

In 17.10 (which I haven't moved to yet until they figure out a stable way of doing remote desktop into a machine running Wayland - I use connection to x11vnc over SSH to be able to interact with console session), apparently there is a variable one sets called GSM_SKIP_SSH_AGENT_WORKAROUND (and I thought my .bashrc was a hack job), though the suggestions I looked at didn't give me much luck in my 17.04 configuration.

So, after that large chunk of explanation :)

- Anyone else using SSH certificates on a linux GUI desktop?
- How are you doing it?

Anthony

Anthony via luv-main <luv-main@luv.asn.au> writes:

> So, I found the instructions for turning off gnome-keyring-ssh and turning on normal ssh-agent. ... but then I realised my keys still weren't propagating to programs I ran (primarily ssh + rsync using ssh from command line) So I hacked around it with some stuff in .bashrc (I know, not pretty).

I run the following script after I login with gnome:

--- begin ---
[brian@prune:~] 130 % cat ~/common/hack_socket
#!/bin/sh -ex
rm -f "$SSH_AUTH_SOCK"
ssh-agent -a "$SSH_AUTH_SOCK"
--- end ---

No, I don't like this one bit. But it seems to work for me.

(also would like to have it NOP if I have already run it...)

-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
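The reply above wishes the script did nothing when it has already been run. One way to get that, as an added example that is not code from either poster: probe the socket with `ssh-add -l` and start `ssh-agent -a` only when nothing answers. It assumes gnome-keyring's SSH component is already disabled, so any agent answering on the socket is the one started earlier; `SSH_ADD_CMD`, `SSH_AGENT_CMD` and the `run` argument are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example, not the script from the thread.
# SSH_ADD_CMD and SSH_AGENT_CMD are hypothetical override hooks (for testing).
SSH_ADD_CMD="${SSH_ADD_CMD:-ssh-add}"
SSH_AGENT_CMD="${SSH_AGENT_CMD:-ssh-agent}"

# agent_state SOCK: print "alive", "stale" or "missing" for the socket path.
agent_state() {
    sock="$1"
    rc=0
    # ssh-add -l exits 0 (keys listed) or 1 (agent holds no keys) when an
    # agent answers, and 2 when it cannot contact one.
    ( SSH_AUTH_SOCK="$sock"; export SSH_AUTH_SOCK
      "$SSH_ADD_CMD" -l ) >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]; then
        echo alive
    elif [ -e "$sock" ]; then
        echo stale      # path exists but nothing answers on it
    else
        echo missing
    fi
}

# ensure_agent [SOCK]: start ssh-agent on SOCK unless one already answers.
ensure_agent() {
    sock="${1:-${SSH_AUTH_SOCK:-}}"
    [ -n "$sock" ] || { echo "SSH_AUTH_SOCK is not set" >&2; return 1; }
    case "$(agent_state "$sock")" in
        alive) echo reused; return 0 ;;   # the NOP case
        stale) rm -f -- "$sock" ;;        # ssh-agent -a cannot bind over it
    esac
    # Keep the socket's directory private to the owner if it has to be created.
    ( umask 077; mkdir -p -- "$(dirname -- "$sock")" ) || return 1
    "$SSH_AGENT_CMD" -a "$sock" >/dev/null || return 1
    echo started
}

# Run only when invoked as: hack_socket run
if [ "${1:-}" = "run" ]; then
    ensure_agent
fi
```

Because an agent with no keys loaded makes `ssh-add -l` exit 1, the check treats both 0 and 1 as "already running" and only exit status 2 (or a missing `ssh-add`) as a reason to start a new agent.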