Gdm, gnome-keyring and gcr ssh agent service

With gnome-keyring version 42.1, is one supposed to use gcr4?

I have ssh keys for accessing remote servers.
I understand both the gnome-keyring and the ssh-agent process need to be running, at which point the persisted keys are loaded automatically into the agent with the need to enter the key’s passphrase.

The confusion is: should /usr/bin/ssh-agent be running or /usr/lib/gcr-ssh-agent?

@ueno perhaps you can help?

If you choose to use gcr-ssh-agent, /usr/bin/ssh-agent will be launched by gcr-ssh-agent (i.e., in a similar way to how gnome-keyring-daemon spawns /usr/bin/ssh-agent). On the timing of key loading, gcr-ssh-agent wraps the ssh-agent protocol: when it receives the SSH_AGENTC_REQUEST_IDENTITIES request, it returns all known public keys in ~/.ssh/*, and when it receives the SSH_AGENTC_SIGN_REQUEST request, it retrieves the password of the key from gnome-keyring-daemon and passes it to /usr/bin/ssh-agent through the gcr-ssh-askpass helper program.

Thanks @ueno, in GitLab issues I read someone write that Fedora F39 has not built gnome-keyring with support for GCR yet. Do you know if that is correct?
I do see the rpms for gcr4 installed though…
How can I confirm if that is true?

I’m not sure which issue you are talking about, but to sum up:

  • Both gnome-keyring and gcr4 provide the identical functionality wrt ssh-agent
  • To use gcr-ssh-agent, one would need to disable gnome-keyring’s ssh-agent support, which we haven’t done yet (see this and that)
  • One would also need to start gcr-ssh-agent with systemd and propagate necessary environment variable; this needs to be coordinated at distribution level (for GNOME OS, check this)

To check which implementation you are using, try:

$ echo $SSH_AUTH_SOCK

If it shows something like /run/user/1000/keyring/ssh you are using ssh-agent support from gnome-keyring; if you see /run/user/1000/gcr/ssh you are using gcr-ssh-agent.
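As an added example (not code from the thread, gnome-keyring or gcr), the check above in Python, plus the first half of the agent protocol ueno describes: it sends SSH_AGENTC_REQUEST_IDENTITIES to the socket named by SSH_AUTH_SOCK and parses the SSH_AGENT_IDENTITIES_ANSWER, so you can see which keys the agent behind that socket actually offers. The message numbers are from the ssh-agent protocol draft; the socket-path suffixes are taken from the reply above, and the sample reply at the bottom is constructed.

```python
import socket
import struct

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

def classify_agent(sock_path):
    """Apply the SSH_AUTH_SOCK rule of thumb from the thread."""
    if sock_path.endswith("/keyring/ssh"):
        return "gnome-keyring"
    if sock_path.endswith("/gcr/ssh"):
        return "gcr-ssh-agent"
    return "other"

def ssh_string(data):
    """Encode an SSH 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Decode an SSH 'string' at offset off; return (bytes, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_identities_answer(msg):
    """Turn an SSH_AGENT_IDENTITIES_ANSWER body into [(key_type, comment), ...]."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %r" % msg[:1])
    (count,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(msg, off)       # public key in wire format
        comment, off = read_string(msg, off)
        key_type, _ = read_string(blob, 0)      # first field of the blob is its type
        keys.append((key_type.decode(), comment.decode()))
    return keys

def list_agent_keys(sock_path):
    """Ask a live agent (pass os.environ['SSH_AUTH_SOCK']) for its identities."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        # Every agent message is a length-prefixed frame, exactly like an SSH string.
        s.sendall(ssh_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
        (length,) = struct.unpack(">I", s.recv(4, socket.MSG_WAITALL))
        return parse_identities_answer(s.recv(length, socket.MSG_WAITALL))

# Constructed sample reply (one ed25519 key) so the parser can be exercised offline.
SAMPLE_ANSWER = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                 + ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(b"\x00" * 32))
                 + ssh_string(b"user@example (constructed)"))
```

Against a real session, `list_agent_keys(os.environ["SSH_AUTH_SOCK"])` should list the same keys as `ssh-add -L`, whichever of the two agents is behind the socket.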

Thanks @ueno. OK, in a world without gcr yet, we have this in F39:

in top, I see that

systemd --system

is the one that spawns gnome-keyring-daemon with the arguments

--daemonize --login

I’m a little confused. I see:

./user/gnome-keyring-daemon.service
./user/gnome-keyring-daemon.socket

under /lib/systemd.

./user/gnome-keyring-daemon.service contains

ExecStart=/usr/bin/gnome-keyring-daemon --foreground --components="pkcs11,secrets" --control-directory=%t/keyring

This doesn’t match the arguments gnome-keyring-daemon is running with.
There’s no other occurrence of gnome-keyring inside /lib/systemd.

Also, I don’t understand this 2-step mechanism. The manpage says that gnome-keyring-daemon will read the password from stdin (but presumably the gdm UI) but not complete initialization. That happens when gnome-keyring-daemon gets called with --start later.
I don’t see that 2nd invocation; is it ephemeral, does gdm do it?

The --components argument is absent. Does that mean that all 3 of ssh, secrets and pkcs11 are used?

I’ve noticed a situation where the unix socket opened by gnome-keyring-daemon is

/run/user/1000/keyring/ssh

while the child process ssh-agent used this

/run/user/1000/keyring/.ssh

2 different unix sockets, is that normal?

I suppose in a working state, I expect this:

gnome-keyring-daemon running (so it knows about the ssh keys) and the ssh-agent as well.
If I run ssh to the server, it shouldn’t ask me for the passphrase to the private key.

I guess your instance of gnome-keyring-daemon is launched by pam_gnome_keyring.so.

This is normal. ssh is used by ssh to communicate with gnome-keyring’s ssh-agent, while .ssh is used by gnome-keyring-daemon itself to communicate with gcr-ssh-askpass.