11

I am in the process of getting rid of gnome-keyring as an SSH agent.

Things that I have done

  • Searched the internet for hours.
  • Changed stuff and restarted, often.
  • Finally just rm-ed all the autostart stuff related to SSH.

That last thing magically worked, as the socket for the agent is no longer there:

/run/user/[uid]/keyring/ssh

Problem

The remaining problem is that in spite of my obtaining the wonderful aforementioned result, something in gnome-keyring still insists on setting SSH_AUTH_SOCK to the now non-existing socket above. It's like zombies, these things never die.

Question

What is setting that variable and where is it done?

Pitfalls

  • I am not asking how I can reset that variable to another value.
  • I am not asking how I can set that value system-wide or in a shell configuration file.
  • I am not asking for some init-script voodoo incantations to freeze, set, reset, unset or replace anything.
  • I am not asking for advice on how to uninstall the thing: I still need it for my passwords and it seems to be the most integrated and polished password manager in Gnome.

I want that thing disabled as it should be.

JohnW

4 Answers

10

Let me guess - you're using Wayland. I ran into this problem today and figured I'd share the solution.

Gnome-Session has a hardcoded override for SSH_AUTH_SOCK under Wayland for some reason. See the following commit: https://github.com/GNOME/gnome-session/commit/a8896ccad65583885735a04205351f48a42f29ae

The workaround? Set an environment variable to disable this behavior: GSM_SKIP_SSH_AGENT_WORKAROUND=1. This short-circuits the environment setting code.

For people that find this that are also trying to configure ssh-agent: In my systemd unit file for ssh-agent, I have the following line:

ExecStartPost=/usr/bin/bash -c "/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=$SSH_AUTH_SOCK GSM_SKIP_SSH_AGENT_WORKAROUND=1"

The full file looks like this:

[Unit]
Description=SSH Agent
IgnoreOnIsolate=true

[Service]
Type=forking
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK
ExecStartPost=/usr/bin/bash -c "/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=$SSH_AUTH_SOCK GSM_SKIP_SSH_AGENT_WORKAROUND=1"

[Install]
WantedBy=default.target
Rui F Ribeiro
ceezy
  • Thanks! On Ubuntu v17.10 Artful Aardvark, simply adding `export GSM_SKIP_SSH_AGENT_WORKAROUND=1` to my ~/.profile and rebooting fixed my configuration that previously worked on v17.04. – Stephen Niedzielski Oct 30 '17 at 14:59
  • This seems to affect more than just Wayland, I've been running into this when trying to use gnome-flashback + i3. – dragon788 Nov 08 '17 at 04:35
  • Please note that that hack works until Gnome 3.24 or older (https://wiki.archlinux.org/index.php/GNOME/Keyring#Disable_keyring_daemon_components) – Pablo Olmos de Aguilera C. Sep 24 '18 at 01:03
  • I see `SSH_AUTH_SOCK=/run/user/[uid]/keyring/ssh` set with GNOME 3.34 (openSUSE Leap). – Martin Wilck Sep 17 '21 at 20:15
  • ... and that's *although* I set `GSM_SKIP_SSH_AGENT_WORKAROUND=1` in `~/.config/environment.d`. – Martin Wilck Sep 17 '21 at 20:21
  • There's more fun involved actually. By adding some debugging, I can see that the variable is set correctly in the first place (I want it to be `/run/user/$UID/gnupg/S.gpg-agent.ssh`), but changed later on. It's correctly set when `.profile` is processed, but no more in `.bashrc`. – Martin Wilck Sep 17 '21 at 20:45
  • My problem was that the [recipe](https://newbedev.com/how-to-disable-the-keyring-for-ssh-and-gpg) I'd followed to disable the service wasn't effective. So the service started and **updated** the environment in the `systemd-user` instance, **overriding** previously-set values. To really disable the service, I had to set the [Hidden attribute](https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html) on it. – Martin Wilck Sep 17 '21 at 21:15
  • ... in case anyone wonders, the best place for *setting* `SSH_AUTH_SOCK` is either `/etc/environment.d/50-ssh.conf` or `/etc/security/pam_env.conf`. Both allow referring to `${XDG_RUNTIME_DIR}`. – Martin Wilck Sep 17 '21 at 21:30
6

(OP's environment is not known, so the paths given here are those found on my Ubuntu machine)

Where does gnome-keyring set SSH_AUTH_SOCK?

To answer the main question in title, SSH_AUTH_SOCK is set by gnome-keyring in /usr/share/upstart/sessions/gnome-keyring-ssh.conf with the following command:

initctl set-env --global SSH_AUTH_SOCK=$SSH_AUTH_SOCK

Quoting the initctl manual:

initctl set-env VARIABLE[=VALUE]

Adds or updates a variable in a job environment table. Variables set in this way will apply to all the subsequently-starting processes for a job.

-g, --global

Operate on the global job environment table and all existing running job environment tables.

Where does SSH_AUTH_SOCK come from in the first place?

The initctl command above is conditional on the fact that the environment variable SSH_AUTH_SOCK already exists. So, is it a chicken and egg situation? What sets it?

SSH_AUTH_SOCK is initially set by the original ssh-agent which is started at the very beginning of the X session. Quoting the manual:

A UNIX-domain socket is created and the name of this socket is stored in the SSH_AUTH_SOCK environment variable. The socket is made accessible only to the current user.

BUT, what the gnome-keyring's ssh component does is to substitute itself for the existing ssh-agent. Therefore it overwrites SSH_AUTH_SOCK with its own socket /run/user/.../keyring-.../ssh so that applications talk to it, and not to ssh-agent.

How to disable it

Now, let's answer the last sentence "I want that thing disabled". What the OP wants is to disable the overwriting of SSH_AUTH_SOCK by the ssh component in gnome-keyring. They want to get back the "true" SSH_AUTH_SOCK variable initially set by ssh-agent.

The ssh component is started by the same startup script mentioned above (/usr/share/upstart/sessions/gnome-keyring-ssh.conf) but on one condition: the string X-GNOME-Autostart-enabled=false must not be found in either of these files:

  • (system-wide conf) /etc/xdg/autostart/gnome-keyring-ssh.desktop
  • (user conf) ~/.config/autostart/gnome-keyring-ssh.desktop

Therefore, if you want to disable it, all you have to do is add a line X-GNOME-Autostart-enabled=false to one of these files, preferably the one in your HOME directory.

xhienne
  • I've tried disabling the autostart entries for Gnome keyring and it seems the variable is still there, but points to a non-existing socket (so disabling the keyring worked, but the variable is set somewhere else). I am running an Archlinux machine so there is no upstart and there's nothing obvious in systemd that would set the variable. – André Borie Jan 18 '17 at 14:53
  • @AndréBorie I know neither Arch nor systemd. What is the new value of the socket path? On my machine, ssh-agent typically sets it to `/tmp/ssh-XXX/agent.PID`. Is ssh-agent still in your process list? – xhienne Jan 18 '17 at 15:04
  • The path is just like in the original question. There are no SSH agents nor keyrings running. – André Borie Jan 18 '17 at 15:53
  • This answer is really old but I hope you can help me too https://unix.stackexchange.com/questions/422574/ssh-auth-sock-is-set-but-it-is-overwritten – Ojs Feb 07 '18 at 18:03
3

https://wiki.archlinux.org/index.php/GNOME/Keyring#Disable_keyring_daemon_components

If you wish to run an alternative SSH agent (e.g. ssh-agent or gpg-agent), you need to disable the ssh component of GNOME Keyring. To do so in an account-local way:

mkdir -p ~/.config/autostart
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart/ &&
echo 'Hidden=true' >> ~/.config/autostart/gnome-keyring-ssh.desktop

Then log out.

Lightly edited, removing apparently useless use of printf

sourcejedi
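Added example, not part of any answer above or of GNOME's own code: a shell check of whether the `gnome-keyring-ssh.desktop` autostart entry discussed in the two preceding answers is actually disabled, and whether `SSH_AUTH_SOCK` points at a live socket. It assumes the XDG autostart rule that the first directory containing the file (user before system) wins; the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic example (not from the answers above). Function names are
# hypothetical; the file name, keys and variables are the ones on this page.

# Print the last value of key $2 in desktop file $1 (empty if the key is unset).
desktop_key() {
    sed -n -e 's/[[:space:]]*$//' -e "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Arguments: autostart directories, highest precedence first.
# Assumption: the first directory that contains the file wins (XDG autostart).
keyring_ssh_autostart() {
    for dir in "$@"; do
        f="$dir/gnome-keyring-ssh.desktop"
        [ -f "$f" ] || continue
        if [ "$(desktop_key "$f" Hidden)" = "true" ]; then
            echo "disabled: Hidden=true in $f"
        elif [ "$(desktop_key "$f" X-GNOME-Autostart-enabled)" = "false" ]; then
            echo "disabled: X-GNOME-Autostart-enabled=false in $f"
        else
            echo "enabled: $f"
        fi
        return 0
    done
    echo "absent"
}

# Classify an SSH_AUTH_SOCK value: unset, live (a socket exists), or stale.
auth_sock_state() {
    if [ -z "$1" ]; then echo "unset"
    elif [ -S "$1" ]; then echo "live"
    else echo "stale"
    fi
}

# Report for the current session.
echo "autostart entry : $(keyring_ssh_autostart "${XDG_CONFIG_HOME:-$HOME/.config}/autostart" /etc/xdg/autostart)"
echo "this shell      : ${SSH_AUTH_SOCK:-<unset>} ($(auth_sock_state "${SSH_AUTH_SOCK:-}"))"
# The systemd user instance holds its own value, as one of the comments above found.
echo "systemd --user  : $(systemctl --user show-environment 2>/dev/null | grep '^SSH_AUTH_SOCK=' || echo 'not set or unavailable')"
```

A result of `stale` in the shell together with `disabled` for the autostart entry means something other than the autostart file is still exporting the variable, which is the situation the question describes.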
0

As of Gnome 3.18, the socket appears to be stored in ~/.cache/keyring-(some random string)/ssh

At a guess, it's being set by gnome-keyring-daemon.

Adam Baxter