0

I'm trying to set up GNOME-Keyring such that when it is unlocked after login, it will also allow me to use my SSH key, which is encrypted.

This is a Debian 12 system. The key in question is an ed25519 SSH key, located under .ssh/id_ed25519. I am using i3. The exact same setup works fine under an identical setup.

I am prompted for the keyring password after login and other services like Nextcloud only work with the correct password, so I assume that the unlock procedure works just fine. Seahorse (the GNOME keyring GUI) lists the key, so it is known to GNOME keyring.

Status of the GCR ssh-agent wrapper:

```
systemctl status --user gcr-ssh-agent.socket
● gcr-ssh-agent.socket - GCR ssh-agent wrapper
     Loaded: loaded (/usr/lib/systemd/user/gcr-ssh-agent.socket; enabled; preset: enabled)
     Active: active (running) since Sat 2024-03-23 16:17:15 CET; 1h 22min ago
   Triggers: ● gcr-ssh-agent.service
     Listen: /run/user/1000/gcr/ssh (Stream)
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/gcr-ssh-agent.socket
```

The environment variable is set properly and the file exists:

```
> echo $SSH_AUTH_SOCK
/run/user/1000/gcr/ssh
> file $SSH_AUTH_SOCK
/run/user/1000/gcr/ssh: socket
```

ssh-add -l lists the key, with the correct name and type.

And yet, when I type ssh my-other-computer, I am prompted for the passphrase for that key.

What am I missing? Thanks in advance for any ideas on how to debug this further!

EDIT: running ssh with -vvv reveals:

```
debug2: get_agent_identities: ssh_agent_bind_hostkey: communication with agent failed
debug1: get_agent_identities: ssh_fetch_identitylist: communication with agent failed
```

Note that this is a Debian system connecting to another Debian system (no Windows, not a PowerShell issue).

2
  • are you prompted by ssh or are you prompted by gcr? Commented Mar 26, 2024 at 5:45
  • I'm fairly certain I'm prompted by SSH. The prompt's message is the usual one without any keyring config. Commented Mar 26, 2024 at 13:27

1 Answer

0

The problem appears to be that Debian 12 uses an older version of gnome-keyring, where /run/user/1000/gcr/ssh is not the socket to use.

Instead, the following old article from Arch Wiki helped me: https://wiki.archlinux.org/index.php?title=GNOME/Keyring&oldid=800764#gnome-keyring-daemon_%22ssh%22_component (note the parameter oldid in the URL).

It describes that the socket /run/user/1000/keyring/ssh should be used. In order to make that one available, the systemd user service of gnome-keyring-daemon.service must be edited to have components=pkcs11,secrets,ssh (note the added ssh). I've also enabled that service in systemd: systemctl --user enable gnome-keyring-daemon.service and after a reboot, the file is there.

Note that this very likely applies for Debian 12 only, in my case gnome-keyring version 42.1.
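
A small diagnostic for the two things this answer changes, added here as an example and not part of the original answer: whether the daemon's `--components` list includes `ssh`, and what state each candidate agent socket is in. The function names and the sample `ExecStart` line are constructed for illustration; the socket paths are the ones named in the question and answer.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample of a unit's ExecStart line (a real unit may differ).
SAMPLE_UNIT='[Service]
ExecStart=/usr/bin/gnome-keyring-daemon --foreground --components="pkcs11,secrets,ssh"'

# has_ssh_component UNIT_TEXT: succeeds if ExecStart's --components list contains "ssh".
has_ssh_component() {
    printf '%s\n' "$1" | grep '^ExecStart=' |
        sed -n 's/.*--components=\([^ ]*\).*/\1/p' |
        tr -d '"' | tr ',' '\n' | grep -qx 'ssh'
}

# classify_agent SOCKET: prints missing | unreachable | empty | ok.
# ssh-add -l exits 0 with keys listed, 1 with none, 2 if the agent cannot be contacted.
# In the question, ssh-add -l listed the key on gcr/ssh while ssh still failed,
# so "ok" here is necessary but not sufficient.
classify_agent() {
    [ -S "$1" ] || { echo missing; return 0; }
    rc=0
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo ok ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# report: inspect the live session (run the script with --report).
report() {
    dir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>}"
    for sock in "$dir/gcr/ssh" "$dir/keyring/ssh"; do
        echo "$sock: $(classify_agent "$sock")"
    done
    unit=$(systemctl --user cat gnome-keyring-daemon.service 2>/dev/null) || unit=''
    if has_ssh_component "$unit"; then
        echo "gnome-keyring-daemon.service: ssh component enabled"
    else
        echo "gnome-keyring-daemon.service: ssh component NOT in --components"
    fi
}

if [ "${1:-}" = "--report" ]; then report; fi
```

If `keyring/ssh` reports `missing`, the `ssh` component is not running; if it reports `ok` but `SSH_AUTH_SOCK` still points at `gcr/ssh`, the session is talking to the other socket.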
