How to stop ssh from asking for the passphrase in a GUI? I would like it in the terminal

I am on Fedora 40 Workstation / Gnome / Wayland.

I am connecting to a server using ssh. I have set up SSH key-based authentication to this server.
After typing ssh user@server.tld in a terminal I am asked in a GUI window to enter the passphrase for my private key (.ssh).

I don’t want to store the passphrase in the gnome-keyring.

When this small GUI window pops up I cannot switch to my KeePassXC password safe any more to get my passphrase. The display is fully blocked while the small GUI window is shown.

So I would like to be asked directly in my terminal instead of in a separate GUI window.

How can I achieve this?

I have already consulted the man pages for ssh, ssh_config, etc. I did a lot of trial and error, for example SSH_ASKPASS_REQUIRE="force" ssh user@server.tld or
unset SSH_ASKPASS ssh user@server.tld or
SSH_TTY=$(tty) ssh user@server.tld

But I did not find the trick, so I am asking here.

On my systems I only need to properly configure the keys on both the client and the host.
Since I am working on a local network at home I simply copy all the files from ~/.ssh on the client to the same location on the server; then when I log in it never asks for a password but automatically allows the connection without a password. I use the same ~/.ssh/* files on all my systems and can use rsync and ssh interchangeably (bidirectionally) from any host to any other host that has the same keys.

The only files that may sometimes present a problem are the ~/.ssh/known_hosts files, which may have incorrect UUIDs and possibly require editing to remove offending entries. Other than that it requires nothing except copying the keys.

Yes, I can avoid being asked for the passphrase: I could simply tick the checkbox “Unlock the key on Login” in the GUI. Then the password is stored in the GNOME keyring and I will never be asked for the passphrase.

But for good reason I would like to always be asked for the passphrase in the terminal.

I am not sure it is possible to have it both ways. Only with the GNOME keyring (which is a separate function) could the GUI behave differently from a terminal. If you do not set up the ssh keys then it should always ask for the password, and the keyring could provide it from the GUI while you manually enter it in the terminal.

I had one user who used the key-ring and forgot his master key to unlock the key-ring. Those entries were lost forever, even with running a system for months to attempt to recover his master key.

Does PINENTRY_BINARY="/usr/bin/pinentry-curses" ssh user@server.tld work?

No.
SSH_ASKPASS="/usr/bin/pinentry-curses" ssh ... will not do either.

pinentry-curses exists in /usr/bin.

FYI.
For GnuPG I do it this way:
gpg --pinentry-mode loopback ...

I think I achieved some success by installing pinentry-tty and exporting PINENTRY_BINARY="/usr/bin/pinentry-tty" before I spawned gpg-agent and ssh-agent.

The relevant section of my ~/.bash_profile:

# Run Sway on TTY1
if [[ -x /usr/bin/sway ]] && [[ $(tty) == /dev/tty1 ]]; then
	printf 'launching sway ...\n'
	exec 0<&- &> /dev/null

	export PINENTRY_BINARY="/usr/bin/pinentry-tty"

	export GPG_TTY='/dev/tty1'
	if [[ -z $SSH_AUTH_SOCK_GPG ]]; then
		export SSH_AUTH_SOCK_GPG="$(gpgconf --list-dirs agent-ssh-socket)"
	fi

	if [[ -x /usr/bin/ssh-agent ]]; then
		exec /usr/bin/ssh-agent -a "$XDG_RUNTIME_DIR/ssh.socket" /usr/bin/sway
	else
		exec /usr/bin/sway
	fi
fi

Then, after signing out and back in, I got the following (redacted):

$ ssh example.com
Please unlock the card

Number: XX XXX XXX
Holder: Your's Truely
PIN: 

But in that case, it was going through gpg-agent and I have pinentry-program /usr/bin/pinentry in ~/.gnupg/gpg-agent.conf.


I consulted all the man pages in a bit more detail, so I have got it now.

The GUI window for entering the passphrase is managed by the gnome-keyring-daemon.
gnome-keyring-daemon runs by default and also acts as “agent” for GnuPG and ssh.
I assume there is no easy way to avoid entering the passphrase in the GUI window and to redirect the prompt to a terminal.
So all my tries with SSH_... ssh user@server.tld were more or less useless.

But we have ssh-agent.

eval $(ssh-agent -t 15m) && ssh-add will ask for the passphrase in the terminal. And with -t 15m I can control the lifetime of the given passphrase without having to enter it again within the next 15 minutes.

This is exactly the solution I was looking for. :slight_smile:

3 Likes

Ah, right, what agent ssh will connect to is controlled by the SSH_AUTH_SOCK variable. You’d need to make sure that is pointing at the socket created by ssh-agent, not the one that goes to gnome-keyring-daemon.

Adding IdentityAgent $SSH_AUTH_SOCK (or IdentityAgent $SSH_AUTH_SOCK_GPG as the case may be) to your ~/.ssh/config might also help.

1 Like

Yes, I use gnome-keyring to store my Evolution mail account passwords for autologin into the Evolution accounts.
I am only interested in avoiding the gnome-keyring ssh agent functions.

No.
authselect disable-feature with-pam-gnome-keyring -b
has no effect.
authselect list-features local shows the same list as before.
gnome-keyring is still active.

Just for information.

To disable ssh “agent” from gnome-keyring:
mkdir -p ~/.config/autostart
cd ~/.config/autostart
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop .
vim gnome-keyring-ssh.desktop
Add at the end of the file:

X-GNOME-Autostart-enabled=false

reboot

Then $SSH_AUTH_SOCK is empty and ssh-agent and ssh-add can be used.
The passwords stored in gnome-keyring (e.g. for Evolution emails) still exist and will be used when launching Evolution without entering the password.

To delete the gnome-keyring identities (like ssh-add -D):
rm -rf ~/.local/share/keyrings

Maybe there are better ways, but this is what I found out …

2 Likes
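As an added example (not code from anyone in this thread), the following script ties together the two findings above: it classifies which agent $SSH_AUTH_SOCK points at, writes the gnome-keyring-ssh.desktop autostart override described in the last post, and only then starts a time-limited ssh-agent so the passphrase prompt lands in the terminal. It assumes (not stated in the thread) that gnome-keyring's agent socket ends in keyring/ssh and that a stock ssh-agent socket matches /tmp/ssh-*/agent.*; agent_kind, disable_keyring_ssh and start_terminal_agent are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Assumption: gnome-keyring exposes its agent at $XDG_RUNTIME_DIR/keyring/ssh,
# while OpenSSH's ssh-agent creates /tmp/ssh-XXXXXX/agent.PID.
set -u

# agent_kind SOCKET_PATH -> prints: none | gnome-keyring | ssh-agent | unknown
agent_kind() {
    local sock="${1:-}"
    case "$sock" in
        '')                 printf 'none\n' ;;
        */keyring/ssh)      printf 'gnome-keyring\n' ;;
        /tmp/ssh-*/agent.*) printf 'ssh-agent\n' ;;
        *)                  printf 'unknown\n' ;;
    esac
}

# disable_keyring_ssh SRC_DESKTOP DEST_DIR -> prints the override file path
# Copies the system autostart entry into DEST_DIR (normally
# ~/.config/autostart) and appends X-GNOME-Autostart-enabled=false.
# Idempotent: the line is only appended once.
disable_keyring_ssh() {
    local src="$1" dest_dir="$2"
    local dest="$dest_dir/$(basename "$src")"
    mkdir -p "$dest_dir"
    [ -f "$dest" ] || cp "$src" "$dest"
    grep -q '^X-GNOME-Autostart-enabled=false$' "$dest" \
        || printf 'X-GNOME-Autostart-enabled=false\n' >> "$dest"
    printf '%s\n' "$dest"
}

# start_terminal_agent [LIFETIME]: the thread's fix, guarded so it refuses
# to run while ssh would still talk to gnome-keyring (the GUI prompt).
start_terminal_agent() {
    local lifetime="${1:-15m}"
    if [ "$(agent_kind "${SSH_AUTH_SOCK:-}")" = gnome-keyring ]; then
        printf 'SSH_AUTH_SOCK points at gnome-keyring; disable its autostart and re-login first\n' >&2
        return 1
    fi
    # Keys expire after LIFETIME, so the passphrase is asked again later.
    eval "$(ssh-agent -t "$lifetime")" && ssh-add
}
```

Run disable_keyring_ssh /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart once, log out and in, then call start_terminal_agent 15m from the shell you use for ssh.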