Keychain, GNOME Keyring and ssh-agent interaction on Wayland
Published: 2020-07-12
I let GNOME Keyring handle my SSH and GPG keys; so far this has worked just fine and it hasn't gotten in the way. However, recently I switched to Wayland and I noticed Keychain wasn't picking up the SSH agent anymore, so my scripts relying on the cached SSH keys just broke.
It appears there's something off about GNOME Keyring hijacking the SSH_AUTH_SOCK value when you use GNOME on Wayland. Gnome-shell will overwrite the SSH_AUTH_SOCK value and Keychain won't pick that up, spawning a new ssh-agent instance instead of inheriting the existing one. People have solved this by unsetting SSH_AUTH_SOCK, but for me, GNOME Keyring does its job, so that would just break things. Yet, because this makes Keychain break, every terminal window I'd open would prompt me for passphrases because it was unable to talk to the SSH agent GNOME Keyring managed. That gets annoying quickly. There are a few workarounds floating around, but some of them only work for GNOME 3.24 and older, and by now Debian Testing is at 3.36.
After a bit of fiddling I found out the SSH_AGENT_PID value didn't get exported anymore either, so I solved that by doing that explicitly in $HOME/.bashrc:
SSH_AGENT_PID="$(pgrep ssh-agent|head -1)" && export SSH_AGENT_PID
As for Keychain, I changed its call to just pick up the existing SSH agent (which has all the keys cached) and do nothing more, which is handled by this bit of code in $HOME/.bashrc:
if [ -x /usr/bin/keychain ]; then
    /usr/bin/keychain --quick --quiet --noask
fi
After that, it all works like before, and the env values are OK again.
$ env|grep SSH
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
SSH_AGENT_PID=2593
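The env output above shows that the variables are set, not that they point at a live agent that belongs to you. The following check is an added example, not code from the original post; the function name check_ssh_agent_env and the SSH_ADD override variable are hypothetical.

```bash
# Added example. Return codes: 0 agent usable, 1 socket problem,
# 2 agent not answering, 3 SSH_AGENT_PID problem.
check_ssh_agent_env() {
    _sock="${SSH_AUTH_SOCK:-}"
    if [ -z "$_sock" ]; then
        echo "SSH_AUTH_SOCK is not set"; return 1
    fi
    if [ ! -S "$_sock" ]; then
        echo "SSH_AUTH_SOCK=$_sock is not a socket"; return 1
    fi
    # The socket must be your own: one owned by another user is not the
    # agent holding your keys.
    if [ ! -O "$_sock" ]; then
        echo "SSH_AUTH_SOCK=$_sock is not owned by you"; return 1
    fi
    # ssh-add -l exits 0 (keys listed) or 1 (no identities) when the agent
    # answers, and 2 when the agent cannot be contacted.
    _rc=0
    "${SSH_ADD:-ssh-add}" -l >/dev/null 2>&1 || _rc=$?
    case "$_rc" in
        0|1) ;;
        *) echo "agent behind $_sock is not answering (ssh-add exit $_rc)"
           return 2 ;;
    esac
    # kill -0 sends no signal; it fails when the PID is gone or belongs to
    # another user, which a pgrep without -u can return.
    if [ -n "${SSH_AGENT_PID:-}" ] && ! kill -0 "$SSH_AGENT_PID" 2>/dev/null; then
        echo "SSH_AGENT_PID=$SSH_AGENT_PID is stale or not yours"; return 3
    fi
    echo "agent OK: $_sock"
    return 0
}
# Possible use in $HOME/.bashrc, after the keychain call:
#   check_ssh_agent_env >/dev/null || echo "ssh agent environment is broken" >&2
```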