I am new to Arch Linux, and I am now learning about ssh keys and agents (https://wiki.archlinux.org/title/SSH_keys). My original goal was to clone and manage my private repos without having to enter my access tokens every time. I read the article, generated an SSH key pair, and updated the public key on GitHub. This worked, but it still required my passphrase for every git operation. The next step for me was to start using an ssh agent so I don't have to enter the passphrase every time. After reading the article I mentioned, I decided to go with `keychain` since it seems easy to use. I installed the package `sudo pacman -S keychain`. I am using fish as my default shell, so I added the following to my `config.fish`:
```
if status is-interactive
    keychain --eval --quiet id_ed25519 | source
end
```
So when I log in and start a terminal, it asks me for my passphrase once and then I am able to manage my private repos without having to type the passphrase again. However, I don't like the fact that I have to open a terminal before it asks for the passphrase. I prefer to do it on login. I thought that changing the code to run on a login shell would solve this:
```
if status is-login
    keychain --eval --quiet id_ed25519 | source
end
```
Except, it did something much worse. When I logged into the display manager (sddm), the monitor went to standby mode like it doesn't get any input from the desktop session. The only solution was to restart the computer, log in as root and revert the config. I can't understand why changing the config to run on login shell caused my screen to go black. If I understand correctly, a login shell starts when I log into the desktop, so it should have asked me for the passphrase and let me continue my work. When reading the article I mentioned (https://wiki.archlinux.org/title/SSH_keys#Tips), it said that I may need to add `--inherit any-once` on Wayland. I tried that, but the monitor went into standby again, forcing me to restart and log in as root to revert the settings. Another option I found is the `--noask` option which should prompt for the passphrase when I need it instead of immediately, which sounded like a good option too. I tried it, and this time I could log into my user. However, when I tried a command that needed the passphrase (like `git fetch` for a private repo), it prompted me for the passphrase, and if I try that again, it asks me for the passphrase again. So it asks me for the passphrase every time I need it, which defeats the purpose of `keychain`. Perhaps I need to do something else to make it ask for the passphrase once when I need it?
To summarize, the only option that works reliably right now is to run `keychain` on interactive shells, which prompts me to use the passphrase once when I start a shell, but I find it less convenient. Running `keychain` for login shells simply locks me out of my account, and using `--noask` still requires my passphrase every time I need it instead of once.
Can someone explain what's wrong with my configuration and how I can make `keychain` ask for the passphrase once on login or when I first need it? Should keychain run for interactive shell or login shell, and how should I configure it properly? If you can suggest an easier workflow to manage the ssh agent, I am open to trying it too.
Offline
Please edit/split your post so that there's only one (1) issue per post. The monitor "standby" problem is very different from your "keychain" issue.
As for your ssh problem: let's start at the beginning: first ask yourself if you *need* to protect your private keys with a passphrase? If you're comfortable with just keeping your private keys safe and out of reach of 3rd parties, then you do not need an SSH Agent at all.
Offline
I think the two problems are related to each other. The monitor goes into standby because `keychain` doesn't work properly. If I disable keychain, or use it for an interactive terminal instead of a login terminal, I can log into my account without any problem and the monitor works fine. Solving the `keychain` configuration would also solve the monitor "standby" problem.
My plan is to never let private keys leave my computer, so I suppose I could go with unencrypted private keys. However, I still think I prefer to have this "last line of protection" in case someone gains access to my system. Having to type the passphrase once on login sounds to me like the best compromise between security and convenience.
Offline
OK, then please don't paraphrase what you've configured and post the *actual* configs you made in code tags. Your monitor not working because of a keychain config is bizarre, so we need to see the actual configuration.
Offline
I already posted it. The current working code in `config.fish` is to initialize `keychain` for interactive shells:
```
if status is-interactive
    keychain --eval --quiet id_ed25519 | source
end
```
However, looking at the man page of keychain, they recommended putting the initialization code in `.bash_profile`, which runs for login shells. So, I tried doing this in my `config.fish` by changing the above snippet to:
```
if status is-login
    keychain --eval --quiet id_ed25519 | source
end
```
Doing that started the problem: if I log into my user, the screen goes to standby, forcing me to log in as root instead to revert the settings.
Offline
Do you have the same problem when using Bash as your login shell and then following the instructions in the Wiki: https://wiki.archlinux.org/title/SSH_ke … stemd_user ?
Offline
Using the systemd service doesn't cause issues. The only issue is trying to start `keychain` for login shells.
Offline
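Added example, not part of any post in this thread: a `config.fish` fragment that keeps a passphrase-protected key while never prompting from a shell that has no terminal. It assumes, without the thread confirming it, that the standby screen comes from `keychain` waiting for a passphrase inside a login shell started by the display manager; the key name `id_ed25519` is taken from the posts above, and the `~/.ssh/config` entry named in the comments is an assumption about the local setup.

```fish
# ~/.config/fish/config.fish
# Added example; key name id_ed25519 is the one used in the thread.

if status is-login; and isatty stdin
    # Login shell with a real terminal attached (virtual console or
    # an SSH login): prompting here cannot block a graphical session,
    # so load the key straight away.
    keychain --eval --quiet id_ed25519 | source

else if status is-interactive
    # Terminal emulator inside the desktop session: start or reuse the
    # agent and export SSH_AUTH_SOCK, but do not prompt yet (--noask).
    keychain --eval --quiet --noask id_ed25519 | source
end

# A login shell without a terminal (for example one spawned while the
# display manager starts the session) matches neither branch, so
# keychain is never run where no passphrase prompt can be answered.

# With --noask the agent starts empty. For the first ssh/git prompt to
# also load the key into the agent, ~/.ssh/config needs (assumed):
#
#   Host *
#       AddKeysToAgent yes
#
# Without that option ssh decrypts the key for one connection only,
# which matches the "asks every time" behaviour described for --noask.
```

After logging in, `ssh-add -l` shows whether the key is held by the agent; it should list the key once the first passphrase prompt has been answered.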