Ssh-keyring not really working at login

Ask Fedora
,
1

Check out this screenshot.

image
image1258×599 94.2 KB

I login, I try ssh to any of my servers and it hangs indefinitely, hence the `timeout` command.

Then, I just run ``ssh-add`` and it will add two of my keys, again, to the keyring. Then, everything works.

Any idea of why this is failing? I have seahorse installed and in place. This started happening in a clean reinstallation of Fedora 43.

I forgot to mention that the key I use for ssh is the renich@introdesk key (ED25519). That one isn’t present at login, which is weird.

3

Thank you for replying. I saw no changes.

renich@desktop ~$ ls -Zal ~/.ssh
total 180
drwx------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0        544 Nov 22 20:49 .
drwx------. 1 renich renich unconfined_u:object_r:user_home_dir_t:s0  1044 Nov 25 03:49 ..
drwx------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0        266 Jun 10 19:10 config.d
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0         98 Aug  8  2023 authorized_keys
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0        498 Aug  8 19:32 config
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0       1089 Nov  6 08:03 google_compute_known_hosts
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0        464 Apr 19  2023 id_ed25519
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0        444 Apr 19  2023 id_ed25519_fedora
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0         95 Apr 19  2023 id_ed25519_fedora.pub
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0         96 May 24  2024 id_ed25519.pub
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0       6446 Apr 19  2023 id_rsa
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0       2675 Jun 13  2024 id_rsa_2048
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0        567 Nov 20 04:07 id_rsa_2048.pub
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0       3434 Jun 13  2024 id_rsa_4096
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0        739 Nov 20 04:08 id_rsa_4096.pub
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0       6446 Apr 19  2023 id_rsa_fedora
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0       1419 Apr 19  2023 id_rsa_fedora.pub
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0       1424 May 24  2024 id_rsa.pub
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0      57274 Nov 23 22:44 known_hosts
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0      56891 Nov 22 20:49 known_hosts.old
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0          0 Dec 21  2023 known_hosts.XXXXcTwxHF

renich@desktop ~$ restorecon -FR ~/.ssh

renich@desktop ~$ ls -Zal ~/.ssh
total 180
drwx------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0        544 Nov 22 20:49 .
drwx------. 1 renich renich unconfined_u:object_r:user_home_dir_t:s0  1044 Nov 25 03:49 ..
drwx------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0        266 Jun 10 19:10 config.d
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0         98 Aug  8  2023 authorized_keys
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0        498 Aug  8 19:32 config
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0       1089 Nov  6 08:03 google_compute_known_hosts
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0        464 Apr 19  2023 id_ed25519
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0        444 Apr 19  2023 id_ed25519_fedora
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0         95 Apr 19  2023 id_ed25519_fedora.pub
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0         96 May 24  2024 id_ed25519.pub
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0       6446 Apr 19  2023 id_rsa
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0       2675 Jun 13  2024 id_rsa_2048
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0        567 Nov 20 04:07 id_rsa_2048.pub
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0       3434 Jun 13  2024 id_rsa_4096
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0        739 Nov 20 04:08 id_rsa_4096.pub
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0       6446 Apr 19  2023 id_rsa_fedora
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0       1419 Apr 19  2023 id_rsa_fedora.pub
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0       1424 May 24  2024 id_rsa.pub
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0      57274 Nov 23 22:44 known_hosts
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0      56891 Nov 22 20:49 known_hosts.old
-rw-------. 1 renich renich unconfined_u:object_r:ssh_home_t:s0          0 Dec 21  2023 known_hosts.XXXXcTwxHF

Also, permissions are correct for `~renich`.

5

On my PC, I can see two ssh-add processes using almost 100% CPU. Mine is a clean F43 installation.

$ ps -eo pid,pcpu:14,comm | grep -E "ssh-add|%CPU"
    PID           %CPU COMMAND
   8752           99.5 ssh-add
   9285           99.5 ssh-add

This shows up right after login.

6

Are the two keys id_rsa and id_ed25519 protected by a passphrase and the others are not? Or do all keys have a passphrase?

The fact that you need to load two keys a second time and that you show two stuck ssh-add processes makes me very suspicious. Maybe gcr is trying to auto-add identities at a point before it can prompt for passwords and it gets stuck?

Hmmm, looking at your .ssh directory, maybe this is just a coincidence for these two keys, because they are the only two files with default names. All other identities seem to have a suffix, like the key size or ‘_fedora’.

7

The hung ssh-add processes are a mystery. Are you doing something like executing these out of an init file? If those processes are associated with a terminal, those ssh-add commands may be sitting waiting for passwords to unlock keys associated with the default keyfiles it looks for when it’s invoked without an argument. Can you run the tty and ps commands to check that there’s no pseudo-terminal hanging around?

But, this

I believe can be, at least partly, explained. From the man page for ssh-add:

When run without arguments, it adds  the files  ~/.ssh/id_rsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519 and ~/.ssh/id_ed25519_sk.

I’m guessing that the two keys it prompts you for passwords for are the only keyfiles that match any of those identity files.

8

All ssh keys have passphrases.

The other thing is that after killing the processes, I just rerun ssh-add and everything works as expected.

9

I do not have any init process or any custom thing trying to load them.

This is a brand new fotografía installation. The only distinctive thing is that I created a btrfs sub volume for /boot but that is irrelevant in my opinion.

Right now I am AFK. As soon as I get back to my computer paste the commands you requested.

One thing I really need to point out is the 99% CPU usage on both processes.

Thank you, both, for the replies and the interest.

10

As @jrredho pointed out, ssh-add without arguments tries to load a bunch of identities with default names. It shows that it loads two, id_rsa and id_ed25519. And you show one connection attempt. Do the other keys work, too? (Before/after ssh-add?)

11

Maybe when you look at those controlling terminals, take a look at the parent processes via their PPIDs for those hanging ssh-add commands to see if they give us another clue on what’s going on.

Also,

So, since I see you have other keyfiles not cited in that man page for ssh-add, are you not being prompted for the other passwords anywhere else?

Boggle

12

My working theory is that some mechanism in Gnome or gcr tries to load every file in ~/.ssh/ that starts with id_ and does not end in .pub. And somehow it cannot prompt for a passphrase, and as a result the keys are added in this broken state.

Then, when running ssh-add again, it finds the two files with standard names, prompts for their passphrases, and then adds them properly, after which point a connection that uses one of these two identities works.

That’s why I asked if connections with the other identities work, too.

1 Like
13

Yeah, sorry I missed that point in your previous post. Maybe the PPIDs will give us an idea of what that automated process is.

1 Like
14

No worries, it was just a sidenote. And I wasn’t really explaining my train of thought very well.

15

The other keys work fine. And, as you can see in the output of my commands up there, they load fine as well. They’re all protected by passphrases.

16

This happens as soon as I login. I don’t see the prompts anywhere. I do have `ask-pass` installed. So no; I don’t see the prompt anywhere else.

17

Interesting that only two keys do not work.

Sorry to be pedantic, but that is not something your screenshot shows. At first, it shows 6 identities, but a connection attempt fails. Then you run ssh-add, which adds id_ed25519 and id_rsa, because these are some of the default filenames it looks for. In particular, it won’t attempt to load id_ed25519_fedora, id_rsa_2048, id_rsa_4096, or id_rsa_fedora, because these are not default filenames. Then it shows the same 6 identities and the same connection attempt now works. That just proves that one of the two added identities appears to have fixed something with respect to this SSH server.

18

No worries, you’re not pedantic. The idea of the screenshot was to show the difference of keys loaded prior to the fix and post fix. I know that the keys show have non-standard names, yet, they get loaded by the agent. I do nothing to load them. My guess is that seahorse is doing it for me somehow.

More to the matter, I cannot reproduce anymore. I’m checking my updates since Nov 25th:

renich@desktop ~$ dnf history list | head -n 10
 ID Command line                         Date and time       Action(s) Altered
100 dnf -y upgrade --refresh             2025-11-25 16:13:31                86
 99 dnf install fd                       2025-11-25 13:47:21                 2
 98 dnf install powerline-fonts tmux-pow 2025-11-25 13:40:07                 4
 97 dnf -y upgrade --refresh             2025-11-24 18:06:38                26
 96 dnf install python3-pygments python3 2025-11-24 11:41:03                 4
 95 dnf -y install --nogpgcheck --disabl 2025-11-23 10:34:07                 2
 94 dnf -y upgrade --refresh             2025-11-23 10:32:52               314
 93 dnf -y upgrade --refresh             2025-11-21 01:35:05                16
 92 dnf install libssh2-devel            2025-11-20 09:06:47                 1

renich@desktop ~$ for n in {100..98}; do dnf history info $n; done
Transaction ID : 100
Begin time     : 2025-11-25 16:13:31
Begin rpmdb    : d93e7261bd8f0cf76f90553d20f977fde7de667f3949e99fb02fdc4f1da2cba2
End time       : 2025-11-25 16:13:42
End rpmdb      : 47f3112614970a003f9b899a6ecd46af87d41277d9a81a16c3fceb9eef3b6751
User           : 1000 Rénich Bon Ćirić <renich>
Status         : Ok
Releasever     : 43
Description    : dnf -y upgrade --refresh
Comment        : 
Packages altered:
  Action   Package                                          Reason          Repository
  Upgrade  clang-0:21.1.6-1.fc43.x86_64                     Weak Dependency updates
  Upgrade  clang-libs-0:21.1.6-1.fc43.x86_64                Dependency      updates
  Upgrade  clang-resource-filesystem-0:21.1.6-1.fc43.x86_64 Dependency      updates
  Upgrade  clang-tools-extra-0:21.1.6-1.fc43.x86_64         Weak Dependency updates
  Upgrade  libomp-devel-0:21.1.6-1.fc43.x86_64              Weak Dependency updates
  Upgrade  compiler-rt-0:21.1.6-1.fc43.x86_64               Weak Dependency updates
  Upgrade  libomp-0:21.1.6-1.fc43.x86_64                    Weak Dependency updates
  Upgrade  llvm-libs-0:21.1.6-1.fc43.x86_64                 Dependency      updates
  Upgrade  llvm-filesystem-0:21.1.6-1.fc43.x86_64           Dependency      updates
  Upgrade  llvm-test-0:21.1.6-1.fc43.x86_64                 Dependency      updates
  Upgrade  llvm-devel-0:21.1.6-1.fc43.x86_64                User            updates
  Upgrade  llvm-0:21.1.6-1.fc43.x86_64                      Dependency      updates
  Upgrade  llvm-libs-0:21.1.6-1.fc43.i686                   Dependency      updates
  Upgrade  llvm-googletest-0:21.1.6-1.fc43.x86_64           Dependency      updates
  Upgrade  llvm-static-0:21.1.6-1.fc43.x86_64               Dependency      updates
  Upgrade  llvm-filesystem-0:21.1.6-1.fc43.i686             Dependency      updates
  Upgrade  dracut-sshd-0:0.7.1-3.fc43.noarch                User            updates
  Upgrade  duplicity-0:3.0.6-3.fc43.x86_64                  External User   updates
  Upgrade  enchant2-0:2.8.14-1.fc43.x86_64                  Dependency      updates
  Upgrade  gnutls-0:3.8.11-4.fc43.x86_64                    Dependency      updates
  Upgrade  gnutls-utils-0:3.8.11-4.fc43.x86_64              Group           updates
  Upgrade  gnutls-dane-0:3.8.11-4.fc43.x86_64               Dependency      updates
  Upgrade  gnutls-0:3.8.11-4.fc43.i686                      External User   updates
  Upgrade  ibus-typing-booster-0:2.28.5-1.fc43.noarch       Group           updates
  Upgrade  javascriptcoregtk4.1-0:2.50.2-1.fc43.x86_64      Dependency      updates
  Upgrade  webkit2gtk4.1-0:2.50.2-1.fc43.x86_64             Dependency      updates
  Upgrade  javascriptcoregtk6.0-0:2.50.2-1.fc43.x86_64      Dependency      updates
  Upgrade  webkitgtk6.0-0:2.50.2-1.fc43.x86_64              Dependency      updates
  Upgrade  libffi-0:3.5.2-1.fc43.x86_64                     Dependency      updates
  Upgrade  libffi-0:3.5.2-1.fc43.i686                       Dependency      updates
  Upgrade  libffi-devel-0:3.5.2-1.fc43.x86_64               Dependency      updates
  Upgrade  mesa-dri-drivers-0:25.2.7-3.fc43.x86_64          Group           updates
  Upgrade  mesa-filesystem-0:25.2.7-3.fc43.x86_64           Dependency      updates
  Upgrade  mesa-libgbm-0:25.2.7-3.fc43.x86_64               Dependency      updates
  Upgrade  mesa-libGL-0:25.2.7-3.fc43.x86_64                Dependency      updates
  Upgrade  mesa-libEGL-0:25.2.7-3.fc43.x86_64               Dependency      updates
  Upgrade  mesa-dri-drivers-0:25.2.7-3.fc43.i686            Group           updates
  Upgrade  mesa-libgbm-0:25.2.7-3.fc43.i686                 External User   updates
  Upgrade  mesa-libGL-0:25.2.7-3.fc43.i686                  External User   updates
  Upgrade  mesa-libEGL-0:25.2.7-3.fc43.i686                 External User   updates
  Upgrade  mesa-filesystem-0:25.2.7-3.fc43.i686             Dependency      updates
  Upgrade  mesa-vulkan-drivers-0:25.2.7-3.fc43.x86_64       Group           updates
  Upgrade  mesa-vulkan-drivers-0:25.2.7-3.fc43.i686         Group           updates
  Replaced clang-0:21.1.5-1.fc43.x86_64                     Weak Dependency @System
  Replaced clang-libs-0:21.1.5-1.fc43.x86_64                Dependency      @System
  Replaced clang-resource-filesystem-0:21.1.5-1.fc43.x86_64 Dependency      @System
  Replaced clang-tools-extra-0:21.1.5-1.fc43.x86_64         Weak Dependency @System
  Replaced compiler-rt-0:21.1.5-1.fc43.x86_64               Weak Dependency @System
  Replaced dracut-sshd-0:0.7.1-2.fc43.noarch                User            @System
  Replaced duplicity-0:3.0.5.1-3.fc43.x86_64                External User   @System
  Replaced enchant2-0:2.8.12-2.fc43.x86_64                  Dependency      @System
  Replaced gnutls-0:3.8.11-1.fc43.x86_64                    Dependency      @System
  Replaced gnutls-0:3.8.11-1.fc43.i686                      External User   @System
  Replaced gnutls-dane-0:3.8.11-1.fc43.x86_64               Dependency      @System
  Replaced gnutls-utils-0:3.8.11-1.fc43.x86_64              Group           @System
  Replaced ibus-typing-booster-0:2.28.4-1.fc43.noarch       Group           @System
  Replaced javascriptcoregtk4.1-0:2.50.1-1.fc43.x86_64      Dependency      @System
  Replaced javascriptcoregtk6.0-0:2.50.1-1.fc43.x86_64      Dependency      @System
  Replaced libffi-0:3.5.1-2.fc43.x86_64                     Dependency      @System
  Replaced libffi-0:3.5.1-2.fc43.i686                       Dependency      @System
  Replaced libffi-devel-0:3.5.1-2.fc43.x86_64               Dependency      @System
  Replaced libomp-0:21.1.5-1.fc43.x86_64                    Weak Dependency @System
  Replaced libomp-devel-0:21.1.5-1.fc43.x86_64              Weak Dependency @System
  Replaced llvm-0:21.1.5-1.fc43.x86_64                      Dependency      @System
  Replaced llvm-devel-0:21.1.5-1.fc43.x86_64                User            @System
  Replaced llvm-filesystem-0:21.1.5-1.fc43.x86_64           Dependency      @System
  Replaced llvm-filesystem-0:21.1.5-1.fc43.i686             Dependency      @System
  Replaced llvm-googletest-0:21.1.5-1.fc43.x86_64           Dependency      @System
  Replaced llvm-libs-0:21.1.5-1.fc43.x86_64                 Dependency      @System
  Replaced llvm-libs-0:21.1.5-1.fc43.i686                   Dependency      @System
  Replaced llvm-static-0:21.1.5-1.fc43.x86_64               Dependency      @System
  Replaced llvm-test-0:21.1.5-1.fc43.x86_64                 Dependency      @System
  Replaced mesa-dri-drivers-0:25.2.7-2.fc43.x86_64          Group           @System
  Replaced mesa-dri-drivers-0:25.2.7-2.fc43.i686            Group           @System
  Replaced mesa-filesystem-0:25.2.7-2.fc43.i686             Dependency      @System
  Replaced mesa-filesystem-0:25.2.7-2.fc43.x86_64           Dependency      @System
  Replaced mesa-libEGL-0:25.2.7-2.fc43.x86_64               Dependency      @System
  Replaced mesa-libEGL-0:25.2.7-2.fc43.i686                 External User   @System
  Replaced mesa-libGL-0:25.2.7-2.fc43.x86_64                Dependency      @System
  Replaced mesa-libGL-0:25.2.7-2.fc43.i686                  External User   @System
  Replaced mesa-libgbm-0:25.2.7-2.fc43.x86_64               Dependency      @System
  Replaced mesa-libgbm-0:25.2.7-2.fc43.i686                 External User   @System
  Replaced mesa-vulkan-drivers-0:25.2.7-2.fc43.x86_64       Group           @System
  Replaced mesa-vulkan-drivers-0:25.2.7-2.fc43.i686         Group           @System
  Replaced webkit2gtk4.1-0:2.50.1-1.fc43.x86_64             Dependency      @System
  Replaced webkitgtk6.0-0:2.50.1-1.fc43.x86_64              Dependency      @System

Transaction ID : 99
Begin time     : 2025-11-25 13:47:21
Begin rpmdb    : 66924b98dad6081798beefb2b8374460d27d02737e0efa403ee26afe59064f8a
End time       : 2025-11-25 13:47:22
End rpmdb      : d72a0d9a96e78632ad73919392aabba3a3b53805933472a6e78532f817c3c498
User           : 1000 Rénich Bon Ćirić <renich>
Status         : Ok
Releasever     : 43
Description    : dnf install fd
Comment        : 
Packages altered:
  Action  Package                         Reason     Repository
  Install fd-find-0:10.3.0-1.fc43.x86_64  User       updates
  Install jemalloc-0:5.3.0-13.fc43.x86_64 Dependency fedora

Transaction ID : 98
Begin time     : 2025-11-25 13:40:07
Begin rpmdb    : 7d9deb9f30213f1b9b7482fdb319f13a7b8c727579be4b03784b1b8509612bc3
End time       : 2025-11-25 13:40:09
End rpmdb      : 66924b98dad6081798beefb2b8374460d27d02737e0efa403ee26afe59064f8a
User           : 1000 Rénich Bon Ćirić <renich>
Status         : Ok
Releasever     : 43
Description    : dnf install powerline-fonts tmux-powerline vim-powerline
Comment        : 
Packages altered:
  Action  Package                                Reason     Repository
  Install powerline-fonts-0:2.8.4-17.fc43.noarch User       fedora
  Install tmux-powerline-0:2.8.4-17.fc43.noarch  User       fedora
  Install vim-powerline-0:2.8.4-17.fc43.noarch   User       fedora
  Install powerline-0:2.8.4-17.fc43.x86_64       Dependency fedora

The other thing I did was update the comment of my keys with ssh-keygen -c -f ~/.ssh/<private_key> in order to reflect some of their qualities.

That’s it. The problem is now gone.

renich@desktop ~$ ssh-add -l
8192 SHA256:THti4XQK2aRCcVTt3D65zNWnOYdtg1AQJs8D5j9Tu9A renich@desktop-rsa-8192 (RSA)
256 SHA256:3DFsKOg4QeEI1qVne55invnOIFiNFd1IjklHa6FdM20 renich@desktop (ED25519)
3072 SHA256:v5F43Pghb+Jet98S1jD0s0azaYiQRU7A/wJ8/paVBwM renich@desktop-rsa-3072 (RSA)
8192 SHA256:qvasD/Z6z4oW5PJnVyqJjrOWLUfIQdbgD4whzVLQjyI renich@fedora (RSA)
256 SHA256:dxBuwLNUVEt1dovbFRyUrVjGYf+jH5yAyYl6NK5txqA renich@fedora (ED25519)
4096 SHA256:Fmi4EebdPcyJfyFN40iFXIQlX2dBahsbfvYYAsMuqCk renich@desktop-rsa-4096 (RSA)

renich@desktop ~$ ssh root@web1.woralelandia.com 'hostname'
web1.woralelandia.com

I dunno what fixed it.

1 Like
19

Oh, and how did I know that the other keys work fine? Well, ssh fedorapeople.org always worked. The authentication there is done by my fedora keys. Those never stopped working and, I’m telling you, I have no service running that adds them automatically (other than seahorse and GNOME’s login procedure).

In fact, my desktop is set to start on the multi-user.target. When I need a desktop, I systemctl isolate graphical.target.

20

I have a hunch. AFAIK Gnome sets its own graphical SSH_ASKPASS component. This could store the passphrase in the keyring when you enter it the first time and then use it again later to unlock a key. When you changed the key comment, did you do it within Gnome? And are the key passphrases stored in your keyring?

21

Yes, I did it within GNOME. The passphrases have always been stored in the keyring, AFAIK. It was working fine pre grc (in Fedora 42).

22

So, am I reading things correctly that this topic is not actually surrounding questions on ssh/ssh-agent/ssh-add in the end, but one about various aspects of Gnome keyring?