Bug#472477: #472477 ssh-add -D does not remove SSH key from gnome-keyring-daemon memory (workaround)
Clément Hermann
nodens at debian.org
Fri Aug 26 19:35:50 BST 2022
Hi,
So, my workaround for this annoying issue was to use gpg-agent instead.
As a nice side effect, you can then use a gpg key to authenticate.
The tricky part for me was to make sure gnome wouldn't try to set
SSH_AUTH_SOCK to gnome keyring anyway.
In case others want to go this route, here is what I've done:
- make sure your gpg-agent can handle ssh agent role by including
`enable-ssh-support` in ~/.gnupg/gpg-agent.conf
(you can also set TTLs there while you're at it if you want, e.g.
`default-cache-ttl-ssh 1200`, `max-cache-ttl-ssh 7200`)
- disable ssh component of gnome-keyring in systemd user units:
```
systemctl --user mask gcr-ssh-agent.socket --now
systemctl --user mask gcr-ssh-agent.service --now
```
- disable ssh component of gnome-keyring also in XDG autostart by adding
the Hidden property:
```
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart/
echo "Hidden=true" >> ~/.config/autostart/gnome-keyring-ssh.desktop
```
Then restart the session.
Be aware that when you use ssh-add for the first time with the
gpg-agent socket in SSH_AUTH_SOCK, you'll first be prompted by ssh-add,
then by gpg-agent. Set a passphrase in gpg-agent when prompted,
otherwise it will be stored in the clear in your private keys. Usual
gpg-agent stuff applies: it will lock whenever you lock the session, you
get a timeout, etc.
Cheers,
--
nodens
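As an added example, not code from the bug report or from the GNOME or GnuPG projects, here is a small POSIX-shell helper that applies the gpg-agent.conf and XDG autostart steps above idempotently and reports which agent a SSH_AUTH_SOCK value points at. The socket path patterns for gpg-agent, gnome-keyring and gcr-ssh-agent are assumptions based on their usual defaults under /run/user/UID.

```shell
#!/bin/sh
# Added example, not code from the bug report: helpers to apply the
# gpg-agent.conf and XDG autostart steps idempotently, plus a check of
# which agent a SSH_AUTH_SOCK value points at. The socket path patterns
# below are assumptions based on the usual defaults under /run/user/UID.

# Append an option to gpg-agent.conf unless that option key is already set.
# $1 = path to gpg-agent.conf, $2 = option line, e.g. "default-cache-ttl-ssh 1200"
ensure_gpg_agent_option() {
    conf="$1"; line="$2"
    key="${line%% *}"                      # option name without its value
    mkdir -p "$(dirname "$conf")"
    touch "$conf" && chmod 600 "$conf"     # keep the agent config private
    if grep -qE -- "^${key}( |"'$)' "$conf"; then
        return 0                           # already configured, leave it alone
    fi
    printf '%s\n' "$line" >> "$conf"
}

# Copy a system autostart .desktop entry into the user autostart directory
# and mark it Hidden=true so the session will not launch it.
# $1 = source .desktop file, $2 = user autostart directory
hide_autostart_entry() {
    src="$1"; dst="$2/$(basename "$src")"
    mkdir -p "$2"
    [ -f "$dst" ] || cp "$src" "$dst"
    grep -qx 'Hidden=true' "$dst" || printf 'Hidden=true\n' >> "$dst"
}

# Classify the agent behind a SSH_AUTH_SOCK value (assumed default paths).
# Prints one of: gpg-agent | gnome-keyring | gcr-ssh-agent | none | other
classify_auth_sock() {
    case "$1" in
        "")                        echo none ;;
        */gnupg/S.gpg-agent.ssh)   echo gpg-agent ;;
        */keyring/ssh)             echo gnome-keyring ;;
        */gcr/ssh)                 echo gcr-ssh-agent ;;
        *)                         echo other ;;
    esac
}

# Report what the current session is using; expect "gpg-agent" after the
# workaround and a session restart.
echo "SSH_AUTH_SOCK backend: $(classify_auth_sock "${SSH_AUTH_SOCK:-}")"
```

Run the two helpers against ~/.gnupg/gpg-agent.conf and ~/.config/autostart, then mask the gcr-ssh-agent units as in the steps above and log out and back in.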