FOREWORD
I've already set up GNOME Keyring as described in the wiki article. My DE is Cinnamon, I have no login manager and use console-based login (with .xinitrc for TTY1).
/etc/pam.d/login
[12:46 viktor@desolve-lab ~]$ cat /etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth requisite pam_nologin.so
auth include system-local-login
auth optional pam_gnome_keyring.so
account include system-local-login
session include system-local-login
session optional pam_gnome_keyring.so auto_start
~/.xinitrc
[12:48 viktor@desolve-lab ~]$ cat .xinitrc
#!/bin/sh
# merge in defaults and keymaps
userresources=$HOME/.Xresources
usermodmap=$HOME/.Xmodmap
sysresources=/etc/X11/xinit/.Xresources
sysmodmap=/etc/X11/xinit/.Xmodmap
if [ -f $sysresources ]; then
xrdb -merge $sysresources
fi
if [ -f $sysmodmap ]; then
xmodmap $sysmodmap
fi
if [ -f "$userresources" ]; then
xrdb -merge "$userresources"
fi
if [ -f "$usermodmap" ]; then
xmodmap "$usermodmap"
fi
# load default stuff
if [ -d /etc/X11/xinit/xinitrc.d ] ; then
for f in /etc/X11/xinit/xinitrc.d/?*.sh ; do
[ -x "$f" ] && . "$f"
done
unset f
fi
# keyring-aware variables
eval $(/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
export SSH_AUTH_SOCK
# turn numlock on
numlockx &
# DPMS
xset s 1200 1200
xset dpms 1200 1200 1800
# start cinnamon
exec cinnamon-session
ssh-add -L lists all my active SSH keys (will not post here to save space, but if that matters I could post it later).
I have a default keyring which has the same password as my account, so it unlocks automatically if I log in on that computer locally on TTY1 (graphical login). I'm able to log in to services which require passwords without being asked for passphrases if I've already added these passwords into the default keyring (in my case it's password-protected SMB shares). The same is true for accessing SSH resources (however, not all of my keys are added to the default keyring, so it asks me for a passphrase for those servers, which is ok for me) - for example, GitHub.
When I log in via console to my account (graphical login on TTY1 or console login on TTY2-7) I can see that the keyring daemon has started (it's true for my local user and the root user too, so I believe that /etc/pam.d/login works right):
[12:50 viktor@desolve-lab ~]$ ps aux | grep keyring
viktor 870 0.0 0.0 314672 7752 ? Sl 12:46 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
PROBLEM
However, when I try to log in to that computer remotely (via SSH) or via a console-only TTY (TTY2-7), then GNOME Keyring doesn't work at all. I'll explain. If I've connected remotely, there is no entry in the ps aux output for gnome-keyring-daemon for the newly connected user. If I've logged in via a console-only TTY (TTY2-7), I can see gnome-keyring-daemon in the ps aux output.
Finally, when I try to connect to an SSH server whose passphrase is stored in the default keyring (and so shouldn't be asked for), it still asks me for the password, and even after a successful connection it keeps asking every time I want to connect to it again (the main example is working with GitHub: I've added the passphrase for my GitHub private key into the default keyring and I'm able to work without being asked for passphrases if I'm logged in graphically on TTY1).
Can anyone point me where I'm wrong and how it can be fixed? Thank you!
Last edited by dviktor (2019-09-19 10:15:39)
I am not 100% sure, but I think you have to add these two lines to any service that uses PAM:
auth optional pam_gnome_keyring.so
session optional pam_gnome_keyring.so auto_start
At least this is true for other DMs. So I would try adding these lines to your /etc/pam.d/sshd
Edit: This answer is wrong, because SSH does not transfer the required credentials to the server if the user is not logged in via normal means. It does work out of the box if you already have an established session for the user. So please disregard the info above. Just leaving it here, because it still might be useful for people using another DM than gnome.
Last edited by Swiggles (2019-09-19 11:53:27)
Seems like I found the cause of the problem. Starting the keyring daemon with PAM isn't enough; one should explicitly start its components and export SSH_AUTH_SOCK. As per the current wiki instructions, one should place these lines into ~/.xinitrc:
eval $(/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
export SSH_AUTH_SOCK
However, this will work only for graphical logins. Just for test purposes I've logged in via a console tty (in my case TTY2-7). Before executing the two aforementioned lines it asked me for a passphrase every time I tried to access an SSH server. However, after executing these lines it didn't ask anything when I connected to GitHub over SSH.
A naive solution is to move these lines into ~/.bashrc; however, I think this is bad practice, because every interactive BASH session will execute this. I don't know how to properly configure things to satisfy graphical, console and remote logins without breaking anything else.
EDIT
Nope, I'm wrong. For a clean test I rebooted and, without logging in on the graphical tty, tried to connect to GitHub after the eval and export commands - I wasn't able to connect. After logging in to the DE, the connection to GitHub worked flawlessly; however, when I tried to connect to an SSH server whose key passphrase isn't stored in the keyring, it asked me for the password, but asked on my TTY1 in the graphical DE instead of the console TTY. So it seems like an incorrect solution.
Last edited by dviktor (2019-09-19 13:35:08)
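As an added diagnostic (not from this thread or the Arch wiki), a POSIX sh snippet for the distinction the posts above keep running into: gnome-keyring-daemon can be running and visible in ps, yet ssh only reaches an agent through the socket named by SSH_AUTH_SOCK, so a session that never exported it still prompts for every passphrase. The /run/user/<uid>/keyring/ssh socket path is an assumption about where gnome-keyring puts its agent socket.

```shell
#!/bin/sh
# Check whether this session's ssh client is actually wired to an agent, and
# whether that agent is gnome-keyring's. Return codes of check_agent_env:
#   0  SSH_AUTH_SOCK names a live socket
#   1  SSH_AUTH_SOCK is unset or empty (PAM may have started the daemon, but
#      nothing exported the variable into this session)
#   2  SSH_AUTH_SOCK is set but does not point at a socket (stale value, or
#      the agent that created it has exited)
check_agent_env() {
    sock="${SSH_AUTH_SOCK:-}"
    if [ -z "$sock" ]; then
        echo "SSH_AUTH_SOCK is unset: ssh has no agent and will prompt for every passphrase"
        return 1
    fi
    if [ ! -S "$sock" ]; then
        echo "SSH_AUTH_SOCK=$sock is not a socket: stale value or the agent has exited"
        return 2
    fi
    echo "agent socket: $sock"
    # Assumption: gnome-keyring-daemon serves SSH at /run/user/<uid>/keyring/ssh.
    # Any other path usually means a plain ssh-agent or an agent forwarded over SSH,
    # neither of which knows the passphrases stored in the keyring.
    case "$sock" in
        */keyring/ssh) echo "socket belongs to gnome-keyring-daemon" ;;
        *)             echo "socket is not gnome-keyring's; keyring-stored passphrases won't be used" ;;
    esac
    return 0
}

# Count identities the agent currently holds. `ssh-add -l` prints one line per key
# ("<bits> SHA256:<fp> <comment> (<type>)") and exits non-zero both when the agent
# holds no keys and when it cannot reach an agent; both cases count as 0 here.
agent_key_count() {
    command -v ssh-add >/dev/null 2>&1 || { echo 0; return 0; }
    ssh-add -l 2>/dev/null | grep -c '^[0-9][0-9]* ' || true
}

# Run the checks when executed directly. The status is kept in a variable rather
# than handed to exit so this file can also be sourced from a login script.
status=0
check_agent_env || status=$?
if [ "$status" -eq 0 ]; then
    echo "identities held by the agent: $(agent_key_count)"
fi
```

Run it from a graphical terminal, a console TTY and an SSH session in turn; a session where the daemon shows up in ps but the check returns 1 is exactly the case the thread describes.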