Well, after searching and asking and digging around in the code I have finally got things working as I believe they should work.
That is, I have a default keyring being automatically opened for me when I log in. It took me a while because, firstly, there isn't much documentation telling you how you're supposed to use it and, secondly, because (in Xubuntu 9.10 at least) it's broken, so it doesn't work even if you do things right.
There are two problems:-
1 - By default ssh-agent gets started as well as gnome-keyring-daemon; as they're both trying to do the same thing, this isn't a good idea. I've stopped ssh-agent being started automatically by deleting the use-ssh-agent line from /etc/X11/Xsession.options. I'm sure there should be a GUI way of changing this but I don't know what it is.
2 - Although gnome-keyring-daemon is started automatically it isn't set up to listen on the ssh socket. To fix this I have added the following to my .xprofile:-
    eval $(gnome-keyring-daemon --start)
    export SSH_AUTH_SOCK
    export GNOME_KEYRING_SOCKET
This second is definitely a bodge but at least it gets things working, there are several bugs reported around this area in more than one linux distribution - in fact that's how I eventually found out how to sort it out.
So, now my login password is *also* used to unlock the default keyring, and ssh can interrogate that keyring to get my private key to log in to other systems ... and it really is just about passwordless, or at least I don't have to enter any more passwords after login, but my private keys are kept reasonably safe.
I suppose having my login password the same as my key passphrase is a bit less than perfect but this is only for connections going outwards from my home system so isn't very critical really.
Now I'm off to those external systems to make them a bit more secure as regards logging into the home system. It's a pity there aren't any 'hooks' in ssh-agent and login that would allow you to do the same for direct ssh logins as happens with Gnome/KDE, then you could do the same sort of thing and enter only one password for connecting onwards.
oops ... can't use email though :)
From: keith To: cl@isbd.net Subject: RE: [ALUG] Some success with seahorse and gnome-keyring-daemon at last Date: Sun, 20 Dec 2009 09:41:32 +0000
Date: Fri, 18 Dec 2009 17:41:06 +0000 From: cl@isbd.net To: main@lists.alug.org.uk Subject: [ALUG] Some success with seahorse and gnome-keyring-daemon at last
Now I'm off to those external systems to make them a bit more secure as regards logging into the home system. It's a pity there aren't any 'hooks' in ssh-agent and login that would allow you to do the same for direct ssh logins as happens with Gnome/KDE, then you could do the same sort of thing and enter only one password for connecting onwards.
Or do you mean passwordless SSH logins? Yes you can. One method is here... http://www.linuxconfig.org/Passwordless_ssh .. but you need to make sure ssh-agent is running to add the keys to the remote system.
Keith
keithjamieson@hotmail.co.uk wrote:
oops ... can't use email though :)
Oops! Nor can I!
Keep forgetting to change the address Thunderguts sends items to when replying to lists...
My first went straight to source...
On Sun, Dec 20, 2009 at 09:42:30AM +0000, keithjamieson@hotmail.co.uk wrote:
Or do you mean passwordless SSH logins? Yes you can. One method is here... http://www.linuxconfig.org/Passwordless_ssh .. but you need to make sure ssh-agent is running to add the keys to the remote system.
As I keep saying (to myself apparently) ssh-agent *doesn't* provide passwordless (as in no user interaction) logins. It just allows you to enter a passphrase once per session. It is entirely useless for unattended backups etc. (unless you leave yourself logged into a system permanently which rather makes the whole idea pointless).
Date: Mon, 28 Dec 2009 17:18:21 +0000 From: cl@isbd.net To: main@lists.alug.org.uk Subject: Re: [ALUG] FW: Some success with seahorse and gnome-keyring-daemon at last
As I keep saying (to myself apparently) ssh-agent *doesn't* provide passwordless (as in no user interaction) logins. It just allows you to enter a passphrase once per session. It is entirely useless for unattended backups etc. (unless you leave yourself logged into a system permanently which rather makes the whole idea pointless).
I'll have to tell my systems at work that they should not work then! Sorry Chris, but they seem to have been working for years; maybe it's 'cos I used the same login password as the passphrase??? Maybe 'cos it's Solaris. Maybe 'cos I read the instructions. Maybe 'cos I sacrifice goats to the full moon.
Please stop telling people it cannot be done, just because *you* have not done it. I can agree to disagree, but some people take the info from these lists as gospel.
Keith
On Wed, Dec 30, 2009 at 08:07:07AM +0000, keithjamieson@hotmail.co.uk wrote:
I'll have to tell my systems at work that they should not work then! Sorry Chris, but they seem to have been working for years; maybe it's 'cos I used the same login password as the passphrase??? Maybe 'cos it's Solaris. Maybe 'cos I read the instructions. Maybe 'cos I sacrifice goats to the full moon.
Yes, it works when you're there and logged into the system because you've provided ssh-agent (or gnome-keyring-daemon) with the key phrase.
For unattended operation, as I keep saying, that's useless because you're not there and logged into the system.
Please stop telling people it cannot be done, just because *you* have not done it. I can agree to disagree, but some people take the info from these lists as gospel.
I suspect the problem is that you haven't realised what I mean by *unattended* operation. I want the backup to run at two in the morning (or whatever) when there's no one logged into the system and thus there's no way that ssh-agent (or anything similar) can have that passphrase.
Chris G wrote:
Yes, it works when you're there and logged into the system because you've provided ssh-agent (or gnome-keyring-daemon) with the key phrase.
It works for me when I'm not there and logged in, as long as the ssh key was created without a key phrase. I'm not sure whether the gnome tools could create keyphraseless keys last time I tried, which was rather irritating.
Regards,
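The thread ends on passphrase-less keys as the way to run unattended jobs, and Chris had earlier said he was off to make the external systems "a bit more secure as regards logging into the home system". The check a practitioner wants at that point is on the receiving host: a key whose private half has no passphrase is only as safe as the file holding it, so its authorized_keys entry should pin it to a forced command, a source address, and no forwarding or pty. The following is an added example, not code from any of the posts: a small parser for the sshd(8) authorized_keys format plus an audit of those restrictions. The sample key lines are constructed, the blobs are placeholders, and /usr/local/bin/backup-shell is a hypothetical wrapper path.

```python
"""Audit authorized_keys entries that back unattended, passphrase-less SSH keys.

Added example for the thread above, not code from any of the posts; the sample
key lines are constructed and the blobs are placeholders. Parsing follows the
sshd(8) AUTHORIZED_KEYS FILE FORMAT: optional comma-separated options (double-
quoted values may contain spaces and commas), then key type, base64 blob, comment.
"""
from dataclasses import dataclass

# Key-type prefixes sshd accepts; a first field that is not one of these is the options field.
KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-",
                     "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-")
# Together these deny what an interactive attacker would want; "restrict" implies them all.
LOCKDOWN = frozenset(("no-port-forwarding", "no-agent-forwarding",
                      "no-x11-forwarding", "no-pty"))


@dataclass
class Entry:
    options: dict   # lower-cased option name -> value, or True for a bare flag
    key_type: str
    key_blob: str
    comment: str


def _is_key_type(token):
    return token.startswith(KEY_TYPE_PREFIXES)


def _options_end(line):
    """Index of the first whitespace outside double quotes, i.e. end of the options field."""
    in_quotes, i = False, 0
    while i < len(line):
        c = line[i]
        if in_quotes and c == "\\":
            i += 2                      # skip an escaped character inside quotes
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c.isspace() and not in_quotes:
            return i
        i += 1
    return len(line)


def _parse_options(text):
    """Split 'a,b="x,y",c' into {'a': True, 'b': 'x,y', 'c': True}."""
    opts, cur, in_quotes = {}, [], False
    for i, c in enumerate(text + ","):  # the trailing comma flushes the last option
        if c == '"' and (i == 0 or text[i - 1] != "\\"):
            in_quotes = not in_quotes
        if c == "," and not in_quotes:
            token, cur = "".join(cur), []
            if token:
                name, sep, value = token.partition("=")
                if sep and len(value) >= 2 and value[0] == value[-1] == '"':
                    value = value[1:-1].replace('\\"', '"')
                opts[name.lower()] = value if sep else True
        else:
            cur.append(c)
    return opts


def parse_entry(line):
    """Parse one authorized_keys line; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if not _is_key_type(line.split(None, 1)[0]):
        end = _options_end(line)
        options, line = _parse_options(line[:end]), line[end:].strip()
    parts = line.split(None, 2)
    if len(parts) < 2 or not _is_key_type(parts[0]):
        raise ValueError("malformed authorized_keys line: %r" % line)
    return Entry(options, parts[0], parts[1], parts[2] if len(parts) == 3 else "")


def audit(entry):
    """Findings for an entry that is meant to back an unattended job."""
    opts, findings = entry.options, []
    if not opts.get("command"):
        findings.append("no forced command: the key grants an unrestricted shell")
    if not opts.get("from") or opts["from"] == "*":
        findings.append("no usable from= pattern: the key works from any address")
    if "restrict" not in opts:
        missing = sorted(LOCKDOWN - set(opts))
        if missing:
            findings.append("forwarding/pty not fully disabled, missing: " + ", ".join(missing))
    return findings


def audit_file(text):
    """Return [(line_number, comment, findings)] for every key line in text."""
    report = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw)
        if entry is not None:
            report.append((n, entry.comment, audit(entry)))
    return report


# Constructed sample: one bare key, one locked down by hand, one using "restrict".
# /usr/local/bin/backup-shell is a hypothetical wrapper, not a real program.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not a real key file; blobs are placeholders
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholder backup@home
command="/usr/local/bin/backup-shell",from="192.0.2.10",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder backup@home
restrict,command="/usr/local/bin/backup-shell",from="192.0.2.10,198.51.100.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder backup@home
"""

if __name__ == "__main__":
    for line_no, comment, findings in audit_file(SAMPLE_AUTHORIZED_KEYS):
        print("line %d (%s): %s" % (line_no, comment, "; ".join(findings) or "ok"))
```

Run against a real file with `audit_file(open("/home/backup/.ssh/authorized_keys").read())`. The first sample line is what a plain `ssh-copy-id` leaves behind and gets three findings; the other two pass, the third because `restrict` (OpenSSH 7.2 and later) switches off every forwarding and pty option in one word, so only `command=` and `from=` still need stating.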