Ssh can't record key password spawn password prompt in gnome 44.4 Fedora 38

Hi folks
Hope you’re doing well.

I got this issue with my Fedora workstation 38.

My ssh-agent refuses to work correctly and I must type my ssh key’s password each time.

I’ve read that from GNOME 41, gcr is now the wrapper for gnome-keyring.

It worked at some point, but after some reinstalling, home migrations and tweaking, it’s broken.

I tried to put some environment variables in ~/.bash_profile:

# User specific environment and startup programs
/run/user/1002/gcr/ssh

my user id is 1002

I tried to flush my keys with:

ssh-add -D

I checked if the socket is launched:

systemctl --user status gcr-ssh-agent.socket
● gcr-ssh-agent.socket - GCR ssh-agent wrapper
     Loaded: loaded (/usr/lib/systemd/user/gcr-ssh-agent.socket; enabled; preset: disabled)
     Active: active (listening) since Wed 2023-09-13 08:53:10 CEST; 1h 9min ago
   Triggers: ● gcr-ssh-agent.service
     Listen: /run/user/1002/gcr/ssh (Stream)
     CGroup: /user.slice/user-1002.slice/user@1002.service/app.slice/gcr-ssh-agent.socket

Sep 13 08:53:10 IT1-P-L systemd[2537]: Listening on gcr-ssh-agent.socket - GCR ssh-agent wrapper.

My ssh-agent seems to be started:

eval $(ssh-agent)
Agent pid 10863

I’m 100% sure I misconfigured something or I am missing some obvious detail here.

Can someone give me a hint?

Thanks.

Have a nice day.

By default, it starts like this:

> grep -e ^Exec= /etc/xdg/autostart/gnome-keyring-ssh.desktop
Exec=/usr/bin/gnome-keyring-daemon --start --components=ssh

Resulting in:

> echo ${SSH_AUTH_SOCK}
/run/user/1000/keyring/ssh

The keys from ${HOME}/.ssh should be added automatically.

@vgaetera thank you for your answer 🙂

You’re right, I got the same output as yours,

except my user has UID 1002:

/run/user/1002/keyring/ssh

When I source my .bashrc (reading .bash_profile) I got:

-bash: /run/user/1002/gcr/ssh: Permission denied

The permissions are:

srw-rw-rw-. 1 user1 user1 0 Sep 13 08:53 /run/user/1002/gcr/ssh


To be clear, gcr-ssh-agent is disabled and not used by default:

> systemctl --user is-enabled gcr-ssh-agent.{service,socket}
disabled
disabled

> systemctl --user is-active gcr-ssh-agent.{service,socket}
inactive
inactive

If you need to unlock the GNOME keyring in a CLI session detached from the graphical environment, consider using a script like this:

sudo tee /etc/profile.d/unlock-keyring.sh << "EOF" > /dev/null
unlock-keyring() {
    read -s -r GKR_PASS
    export $(echo -n "${GKR_PASS}" \
        | gnome-keyring-daemon --replace --unlock 2> /dev/null)
    unset GKR_PASS
}
EOF
. /etc/profile.d/unlock-keyring.sh

Thank you very much for this explanation.

I still have a genuine question.

Are all Fedora workstations affected and need this snippet? Or is there a more “conventional” solution?

I mean, I doubt Fedora maintainers didn’t solve this critical problem.


The unlock function can be useful when your environment is not inherited.
E.g. a text TTY, remote SSH session, sudo login session, machinectl shell, etc.
But there should be no issue starting a terminal from a graphical session.
It should inherit the relevant environment variables and work by default.
Try a new user with default profile settings and default terminal and shell.

You’re absolutely right.

You know what, I feel really sorry…

I just found why it happened to my conf.

A long time ago I was on Ubuntu (for work). I hated it so much I migrated to Fedora, including the /home directory and the dotfiles within. I remember ssh-agent drove me crazy on Ubuntu; it was messing around, so I disabled it.

So please allow me to introduce you to the culprit:

.bash_aliases

alias ssh='SSH_AUTH_SOCK= ssh'

I feel very sorry for wasting your time, but I learned my lessons.

Thank you.
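The cause found at the end of this thread, a startup-file line that hides the desktop agent socket from ssh, can be searched for directly. The script below is an added example, not code from any poster in the thread; the function names (`find_sock_overrides`, `sock_state`, `audit`) and the list of files checked are assumptions made here.

```shell
#!/bin/sh
# Added example: find startup-file lines that hide the desktop's SSH
# agent socket from ssh. Names and file list are assumptions.

# Patterns, each one seen in the thread above:
#   1. any assignment to SSH_AUTH_SOCK, including the empty one inside
#      alias ssh='SSH_AUTH_SOCK= ssh'
#   2. starting a second agent with ssh-agent (gcr-ssh-agent is excluded)
#   3. a line that is only a /run/user/UID/... path, which the shell
#      tries to execute as a command
PATTERN='SSH_AUTH_SOCK=|(^|[^[:alnum:]_-])ssh-agent([^[:alnum:]_.-]|$)|^[[:space:]]*/run/user/[0-9]+/[^[:space:]]+[[:space:]]*$'

# Print "file:line:text" for every matching line that is not a comment.
# /dev/null is passed as a second file so grep always prints the name.
find_sock_overrides() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -nE "$PATTERN" "$f" /dev/null \
            | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true
    done
}

# Classify a SSH_AUTH_SOCK value: unset, not-a-socket, or ok.
sock_state() {
    if [ -z "$1" ]; then
        echo unset
    elif [ ! -S "$1" ]; then
        echo not-a-socket
    else
        echo ok
    fi
}

# Report the current socket and any suspicious startup-file lines.
audit() {
    echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-} ($(sock_state "${SSH_AUTH_SOCK:-}"))"
    find_sock_overrides "${HOME:-}/.bash_profile" "${HOME:-}/.bashrc" \
        "${HOME:-}/.bash_aliases" "${HOME:-}/.profile"
}

audit
```

An alias defined in a file outside this list still shows up when `type ssh` is run in the interactive shell.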