Old 05-30-2019, 11:08 PM   #1
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,217

Rep: Reputation: 5309
Tip: Setting up ssh-agent with OpenBox


I hope I'm not the only person who took forever to figure out how to properly set up ssh-agent with OpenBox.

In ~/.config/openbox/environment:
Code:
eval $(ssh-agent)
export SSH_ASKPASS=/usr/bin/lxqt-openssh-askpass

I'm using Slackware with LXQt installed, so I have lxqt-openssh-askpass available. An alternative, I hear, is openssh-askpass.

Then you modify your logout action, which by default, is in menu.xml and looks like this:

Code:
<item label="Log Out">
  <action name="Exit">
    <prompt>yes</prompt>
  </action>
</item>

You change that to:
Code:
<item label="Log Out">
  <action name="Execute">
    <execute>ssh-agent -k</execute>
  </action>

  <action name="Exit">
    <prompt>no</prompt>
  </action>
</item>

With that setup, you have one ssh-agent instance for each X session, which is what you want.

Add the following to ~/.ssh/config:
Code:
AddKeysToAgent yes

You'll be asked to enter your SSH key's password only once per login.

And if you're wondering what I'm even on about: Funtoo's OpenSSH Key Management articles (which introduce their Keychain ssh-agent wrapper) are a good overview:

https://www.funtoo.org/Keychain

Last edited by dugan; 06-02-2019 at 05:45 AM.
 
Old 06-02-2019, 11:08 AM   #2
dugan
Just putting this into ~/.config/openbox/environment also works:

Code:
pkill ssh-agent
eval $(ssh-agent)
export SSH_ASKPASS=/usr/bin/lxqt-openssh-askpass

If you're using sddm, you can also put it in ~/.xprofile (among other places).
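
An added example, not part of the thread: POSIX shell helpers for the environment file that check whether SSH_AUTH_SOCK already points at a live agent before starting one, so re-sourcing the file does not leave a second agent holding decrypted keys. The function names and the SSH_ADD and AGENT_KEY_LIFETIME variables are assumptions made for this example; the exit codes are the ones documented for ssh-add.

```shell
# Added example: helpers meant to be sourced from ~/.config/openbox/environment
# or ~/.xprofile. SSH_ADD and AGENT_KEY_LIFETIME are hypothetical knobs for this
# example; SSH_ADD exists only so the check can be exercised without a real agent.

# Print the state of whatever SSH_AUTH_SOCK points at:
#   unset       - variable empty, no agent exported to this session
#   stale       - path is not a socket (agent gone, leftover variable)
#   loaded      - agent answers and holds at least one key (ssh-add exit 0)
#   empty       - agent answers but holds no keys           (ssh-add exit 1)
#   unreachable - socket exists but nothing answers         (ssh-add exit 2)
agent_state() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || { echo unset; return 0; }
    [ -S "$SSH_AUTH_SOCK" ] || { echo stale; return 0; }
    _rc=0
    "${SSH_ADD:-ssh-add}" -l >/dev/null 2>&1 || _rc=$?
    case $_rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Start an agent only when the session does not already have a live one.
# -t caps how long added keys stay in the agent's memory; the logout action
# running "ssh-agent -k" still applies on top of that.
start_agent_once() {
    case $(agent_state) in
        loaded|empty) return 0 ;;   # live agent already exported: reuse it
    esac
    eval "$(ssh-agent -s -t "${AGENT_KEY_LIFETIME:-8h}")" >/dev/null
}

# Usage in the environment file, after these definitions:
#   start_agent_once
#   export SSH_ASKPASS=/usr/bin/lxqt-openssh-askpass
```

Running `agent_state` in a terminal after login is a quick way to confirm that the session's agent is the one the shell is actually talking to.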
 
Old 06-09-2019, 10:35 AM   #3
dugan
And this in (~/.config/openbox/environment) works for gnome-keyring, which persists SSH keys across login sessions:

Code:
eval $(gnome-keyring-daemon --start)
export SSH_AUTH_SOCK
export SSH_ASKPASS=/usr/lib64/seahorse/seahorse-ssh-askpass

EDIT: This is if you want to use gnome-keyring instead of ssh-agent.

Last edited by dugan; 06-11-2019 at 08:06 AM.
 
1 members found this post helpful.
Old 06-10-2019, 07:33 PM   #4
greencedar
Senior Member
 
Registered: Sep 2018
Distribution: Linux Mint 19.1 Tessa & 19.3 Tricia
Posts: 1,314
Blog Entries: 1

Rep: Reputation: 128
Thank you for your link to the information about Keychain.

Quote:
Keychain helps you to manage SSH and GPG keys in a convenient and secure manner. It acts as a frontend to ssh-agent and ssh-add, but allows you to easily have one long running ssh-agent process per system, rather than the norm of one ssh-agent per login session.

The article helped my understanding.
 
Old 08-27-2019, 10:18 PM   #5
dugan
For my new Manjaro i3 install, I decided to go with something similar, only using the GNOME Keyring, Seahorse and libsecret system. The only part that wasn't part of the default install is Seahorse, and that had only two dependencies.

In ~/.xprofile I put:

Code:
eval $(gnome-keyring-daemon --daemonize --start)
export SSH_AUTH_SOCK
export SSH_ASKPASS=/usr/lib/seahorse/ssh-askpass

In ~/.ssh/config:
Code:
AddKeysToAgent yes

And for git:

Code:
cd /usr/share/git/credential/libsecret
sudo make
git config --global credential.helper /usr/share/git/credential/libsecret/git-credential-libsecret

(Look, I know that I can get better integration than that, since this distro has PAM, but I'm coming from Slackware and this is good enough).

Last edited by dugan; 08-27-2019 at 11:06 PM.
 
Old 10-20-2019, 07:57 PM   #6
dugan
Just worked a bit more on my Manjaro i3 setup, and I think I finally got it.

First, when I install I do not check "Log in automatically without asking for the password."

Apparently, you cannot get an automatically unlocked keyring if you're using auto-logins with lightdm:

FS#55950 - [lightdm] [gnome-keyring] Keyring not unlocked on initial autologin - works on subsequent sessions

There's advice out there to just set "Login" keyring's password to a blank one, if you want both auto-login and auto-unlock, but I couldn't get that to work. AFAICT, the information above is currently valid.

Install Seahorse and check the "Login" keyring. It should be unlocked.

If it somehow isn't being unlocked when you log in, then make sure the "Login" keyring has the same password as your login password.

In ~/.xprofile, put:

Code:
export SSH_ASKPASS=/usr/lib/seahorse/ssh-askpass
eval $(gnome-keyring-daemon --start)
export SSH_AUTH_SOCK

In ~/.ssh/config, put:

Code:
AddKeysToAgent yes

I set git up with the libsecret credential helper:

Code:
git config --global credential.helper /usr/lib/git-core/git-credential-libsecret

The other stuff, like PAM modules, are set up correctly out of the box, and do not need to be messed with.

Last edited by dugan; 10-20-2019 at 07:58 PM.
 
1 members found this post helpful.
  

