Keychain, GNOME Keyring and ssh-agent interaction on WaylandPublished: 2020-07-12
I let Gnome Keyring handle my SSH and GPG keys; so far this has worked just fine and it hasn't gotten in the way. However, recently I switched to Wayland and I noticed Keychain wasn't picking up the SSH agent anymore, so my scripts relying on the cached SSH keys just broke.
It appears there's something off about GNOME Keyring hijacking the SSH_AUTH_SOCK value when you use GNOME on Wayland. Gnome-shell will overwrite the SSH_AUTH_SOCK value and Keychain won't pick that up, spawing a new
ssh-agent instance, instead of inheriting the existing one. People have solved this by unsetting SSH_AUTH_SOCK, but for me, Gnome Keyring does its job, so that would just break things. Yet, because this makes
keychain break, every terminal window I'd open would prompt me for passphrases because it was unable to talk to the SSH agent Gnome Keyring managed. That gets annoying quickly. There are a few workarounds floating around, but some of them only work for Gnome 3.24 and older; and by now Debian Testing is at 3.36.
After a bit of fiddling I found out the
SSH_AGENT_PID value didn't get exported anymore either, so I solved that by doing that explicitly in
SSH_AGENT_PID="$(pgrep ssh-agent|head -1)" && export SSH_AGENT_PID
As for Keychain, I changed its call to just pick up the existing SSH agent (which has all the keys cached) and do nothing more, which is handled by this bit of code in
if [ -x /usr/bin/keychain ]; then /usr/bin/keychain --quick --quiet --noask fi
After that, it all works like before, and the env values are OK again.
$ env|grep SSH SSH_AUTH_SOCK=/run/user/1000/keyring/ssh SSH_AGENT_PID=2593