Re: Upgrade to Bookworm, now GNOME keyring dies--no access to stored SSH key passwords

To: debian-user@lists.debian.org
Subject: Re: Upgrade to Bookworm, now GNOME keyring dies--no access to stored SSH key passwords
From: Max Nikulin <manikulin@gmail.com>
Date: Tue, 15 Aug 2023 09:28:48 +0700
Message-id: <[🔎] ubent2$fqj$1@ciao.gmane.io>
In-reply-to: <[🔎] 20230814003014.2nezc5kdf4tylp5r@n0nb.us>
References: <[🔎] 20230814003014.2nezc5kdf4tylp5r@n0nb.us>

On 14/08/2023 07:30, Nate Bargmann wrote:

I have been using the GNOME keyring applet to manage the SSH public key
passwords I use as it prompts to save passwords and then lets me SSH to
other hosts without out a password prompt.

I do not know how it is arranged in Gnome, but I hope my observationsstill might be helpful.

systems on my LAN and was greeted with a password prompt for the
corresponding public key

To be precise, it is the passphrase do decrypt your *private* key. Apublic key may be known to anybody. Private key is a secret that allowsto prove that you have it without disclosing of this private key.Encryption using a passphrase is a means to mitigate consequences if theprivate key is stolen.

An ssh agent opens a socket and exposes its location through anenvironment variable (perhaps using "systemctl set-environment", but Iam not sure). Try


    env | grep SSH

There are multiple implementations of SSH agents: openssh, gpg,keepassxc(?), perhaps gnome has more (seahorse? I am unsure concerningthe role of secrets service). It may happen that in your case multipleinstances are running:


/usr/lib/systemd/user/ssh-agent.service
/usr/lib/systemd/user/gpg-agent-ssh.socket
/etc/X11/Xsession.d/90x11-common_ssh-agent

GUI prompt may be just a proxy to an actual ssh agent. It just listensits socket and displaying a password prompt on demand and passing othermessages literally.

Now, while typing this email all keyring PIDs have vanished!

It may be a way to minimize RAM usage. The agent may be asocket-activated process.


    systemctl --user list-sockets

Check owner of $SSH_AUTH_SOCK using ss or lsof. It may give some cluewhat is really happening in your case.

I suggest you to add "f" option to "ps" to see process tree. It may helpto find details concerning starting of particular agent.


   ps xwwf

P.S. At certain moment gnome designers decided that password prompt mustbe a modal dialog completely blocking interaction with any otherapplications (including 3rd party password manager). For me it wasanother reason to avoid gnome. I am aware that X11 protocol allows tosniff keyboard events and a measure against it is grabbing input.However I believe mouse still may be a way to call an external passwordmanager. After all, there are may be an option to temporary suspendkeyboard grabbing. I learned about multiple ways to start a ssh agentduring initialization of user session when I was trying to figure outwhich way GUI prompt is implemented and if a more flexible dialog couldbe used instead.

Reply to:

References:
- Upgrade to Bookworm, now GNOME keyring dies--no access to stored SSH key passwords
  - From: Nate Bargmann <n0nb@n0nb.us>

Prev by Date: Re: Disk writes much slower in Bookworm i386 [Was: svnadmin dump ...]
Next by Date: Re: Disk writes much slower in Bookworm i386 [Was: svnadmin dump ...]
Previous by thread: Upgrade to Bookworm, now GNOME keyring dies--no access to stored SSH key passwords
Next by thread: issue after Kernel upgrade
Index(es):
- Date
- Thread