You are not logged in.
- Topics: Active | Unanswered
#1 2024-02-19 20:45:53
- Cbhihe
- Member
- Registered: 2017-04-09
- Posts: 230
[SOLVED] ssh-agent started as user service unable to read in ssh keys
Running kernel 6.7.5.arch1-1, OpenSSH 9.6p1-1, with up to date Gnome on Xorg.
I normally ssh into distant servers having configured an ssh-agent with ssh-keygen generated asymmetric keys, each pair with its pass-phrase.
This morning booting afresh and starting a new Gnome session, ssh-agent did not start automatically as usual, and ssh'ing into distant servers was back to the old username and passwd routine.
So I launched ssh-agent, eval "$(ssh-agent -s)", checked the configuration in ~/.ssh/config, added anew two keys to the agent's cache ssh-add ~/.ssh/{key1,key2}_id_rsa, listed them ssh-add -l and was asked for passphrases each time. I then verified that known_hosts was ok and that each asymmetric key's public keys were adequately saved in the distant servers.
With all the above, the environment variable SSH_AUTH_SOCK was correctly set again and ssh'ing started working as before.
Per Section 4.1 of the wiki, I also included "AddKeysToAgent yes" to ~/.ssh/config.
$ echo "AddKeysToAgent yes" >> ~/.ssh/config
$ cat ~/.ssh/config
Host HOST1 HOST1.blah.com
Hostname HOST1.blah.com
IdentityFile ~/.ssh/key1_id_rsa
User MYUSER
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
Host HOST2 HOST2.bluh.com
Hostname HOST2.bluh.com
IdentityFile ~/.ssh/key2_id_rsa
User MYUSER
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
AddKeysToAgent yes Rebooting wiped out all that... again, and again the ssh-agent did not start...
So I decided to start a systemd user service: "ssh-agent.service"
$ cat ~/.config/systemd/user/ssh-agent.service
[Unit]
Description=SSH key agent
[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
[Install]
WantedBy=default.target
$ echo "SSH_AUTH_SOCK=\"${XDG_RUNTIME_DIR}/ssh-agent.socket\"" >| ~/.config/environment.d/ssh_auth_socket.conf
$ systemctl --user enable --now ssh-agent
$ sudo reboot nowAfter rebooting:
$ systemctl --user show-environment | grep SSH
SSH_AUTH_SOCK=/run/user/1000/ssh-agent.socket
$
$ systemctl --user status ssh-agent.service
● ssh-agent.service - SSH key agent
Loaded: loaded (/home/MYUSER/.config/systemd/user/ssh-agent.service; enabled; preset: enabled)
Active: active (running) since Mon 2024-02-19 20:09:25 CET; 18min ago
Main PID: 7275 (ssh-agent)
Tasks: 1 (limit: 18786)
Memory: 924.0K (peak: 1.1M)
CPU: 16ms
CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/ssh-agent.service
└─7275 /usr/bin/ssh-agent -D -a /run/user/1000/ssh-agent.socket
Feb 19 20:09:25 HOST systemd[1874]: Started SSH key agent.
Feb 19 20:09:25 HOST ssh-agent[7275]: SSH_AUTH_SOCK=/run/user/1000/ssh-agent.socket; export SSH_AUTH_SOCK;
Feb 19 20:09:25 HOST ssh-agent[7275]: echo Agent pid 7275;The agent appears to be running. However the ssh-agent's cache is still empty ( ssh-add -l yields nothing).
Following the Gnome Keyring wiki (section 5) I thought a competing ssh-agent might be interfering, e.g. gcr-ssh-agent but neither gcr-ssh-agent.socket nor gcr-ssh-agent.service seem to be enabled and started.
So at this point, I don't get why ssh-agent is not parsing keys and retaining them in cache across reboots. Any pointer welcome.
Last edited by Cbhihe (2024-02-22 11:24:44)
I like strawberries, therefore I'm not a bot.
Offline
#2 2024-02-19 21:11:01
- V1del
- Forum Moderator
- Registered: 2012-10-16
- Posts: 23,430
Re: [SOLVED] ssh-agent started as user service unable to read in ssh keys
GNOME keyring integration got dropped for being deprecated https://bbs.archlinux.org/viewtopic.php?id=292953 you should be using the gcr services
Offline
#3 2024-02-19 22:20:01
- iPaq
- Member
- Registered: 2019-12-06
- Posts: 5
Re: [SOLVED] ssh-agent started as user service unable to read in ssh keys
This is an awful way to find out after troubleshooting this for half an hour this morning. Was there an announcement?
Offline
#4 2024-02-20 10:40:21
- V1del
- Forum Moderator
- Registered: 2012-10-16
- Posts: 23,430
Re: [SOLVED] ssh-agent started as user service unable to read in ssh keys
Not in our channels, but upstream dropped it from being built by default and the package was not updated to potentially reintroduce it, the wiki was ammended relevantly: https://wiki.archlinux.org/title/GNOME/Keyring#SSH_keys
And if this isn't a functionality the packager uses themselves it might have simply slipped past.
Offline
#5 2024-02-20 18:19:59
- Cbhihe
- Member
- Registered: 2017-04-09
- Posts: 230
Re: [SOLVED] ssh-agent started as user service unable to read in ssh keys
This is an awful way to find out after troubleshooting this for half an hour this morning. Was there an announcement?
Others may have seen something on board, but not me, no heads-up whatsoever.
GNOME keyring integration got dropped for being deprecated https://bbs.archlinux.org/viewtopic.php?id=292953 you should be using the gcr services
Thanks @V1del for the confirmation.
To activate the Gnome challenge-response agent "gcr-ssh-agent, do I need to enable both units gcr-ssh-agent.socket and gcr-ssh-agent.service in Systemd ? I saw the ammended Wiki on the Gnome keyring as referenced in your reply. But is there a reference for that somewhere so I can read more and learn some?
Last edited by Cbhihe (2024-02-21 07:42:17)
I like strawberries, therefore I'm not a bot.
Offline
#6 2024-02-20 18:48:06
- Cbhihe
- Member
- Registered: 2017-04-09
- Posts: 230
Re: [SOLVED] ssh-agent started as user service unable to read in ssh keys
In the end, after not a few crazy hours yesterday, spent NOT figuring out this thing, finally saved by the link referenced by V1del above, the culprit is my 2024.02.18 update of gnome-keyring (1:42.1-3 -> 1:46.1-1). Also see this.
I reversed my setup of the user service ~/.config/systemd/user/ssh-agent.service like so:
$ systemctl --user disable ssh-agent.serviceFinally I enabled and activated the socket that correspond to gcr-ssh-agent, and re-define the $SSH_AUTH_SOCK environment variable:
$ systemctl --user enable --now gcr-ssh-agent.socket
$ echo "SSH_AUTH_SOCK=\${XDG_RUNTIME_DIR}/gcr/ssh" >| ~/.config/environment.d/ssh_auth_socket.confBut I am not quite sure harcoding SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/gcr/ssh in that way is good practice.
I also did not want to add that env-var permanently to one of my shell dotfiles and some logic to skip that when it's either already set for another purpose.
In particular what happens when that path does not exist, i.e. in absence of a graphical session ? (e.g. SSH'ing to hosts without a GUI).
EDIT:
Escape the "$" sign as shown above, when echoing the "SSH_AUTH_SOCK=${XDG_RUNTIME_DIR}/..." env-var definition into ~/.config/environment.d/ssh_auth_socket.conf. This is necessary to prevent your shell from interpreting the string variable "${XDG_RUNTIME_DIR}" and from pushing the already interpreted value of the string in the ssh_auth_socket.conf file.
In addition to the above code block, execute the commands below, then reboot.
$ systemctl --user enable gnome-keyring-daemon.{service,socket}
$ systemctl --user start gnome-keyring-daemon.{service,socket}[SOLVED]
Last edited by Cbhihe (2024-02-23 10:59:29)
I like strawberries, therefore I'm not a bot.
Offline
#7 2024-03-01 21:28:28
- iPaq
- Member
- Registered: 2019-12-06
- Posts: 5
Re: [SOLVED] ssh-agent started as user service unable to read in ssh keys
It seems the only way to use this new thing is hardcoding variables in a few places. Not too happy about that.
~/.xsessionrc hasn't worked. Even your environment.d file there hasn't worked. Graphical packages which expect to make SSH connections became dead out of the water since this change (For me `virt-manager` and `nemo`) unless launched from a terminal, which is significantly slower and frustrating.
Last edited by iPaq (2024-03-01 21:34:13)
Offline