Using ssh-agent & gpg-agent under Xfce4 utilizing gnome-keyring-daemon

Introduction & Motivation

My path to Xfce4

I was pretty happy with icewm, especially loving the alphabetical navigation in it's OS/2 style Strg-Esc window list. Sadly the order in which Alt-Tab showed windows started to be messed up. Had to give it up.

Then I was happy with KDE 3.x. Sadly they started KDE 4, making it unusable by trying to copy some things from Windows Vista and MacOS. Had to give it up.

Then I was satisfied by Gnome 2.x. Sadly they started Gnome 3, making it unusable by trying to copy some things from MacOS, Unity, Windows 7. Had to give it up.

Now I am ok using Xfce4.

Issue: poor ssh agent management

I like to enter the ssh key password exactly once right after logging in, and have it availabe in a ssh-agent in several auto-started terminal windows right away.

Sadly this seemed impossible.

After this drove me crazy for the 100th time I finally invested a whole sunday afternoon in research and came to what looks like a solution.

Agent starting variants

Old auto-started script approach: Load daemon in auto-started script. Sadly it is executed too late and/or too far down the process tree. Had to give it up.

Command line login approach, startx: When starting X11 using startx instead of a display manager .xinitrc is are called early enough. I like the graphical login though. Didn't really try it this time.

Gnome approach: Use gnome-keyring-daemon.activating 

My solution

Choose ssh-askpass variant

There are several ssh-askpass programs allowing to enter the ssh key password in a nice window. I like ssh-askpass-gnome.

To make sure the preferred one is used, make sure only one ssh-askpass* package installed.

Prepare script forcing early ssh-add

I have a kind-of autostart script that performs a few initial commands that don't go well into window manager settings.

To trigger the graphical query for the ssh key password, it simply contains a dummy ssh command:

# ...
# ssh-agent is already present, we need to trigger a ssh-add that really feeds the ssh-agent
ssh $USER@localhost pwd
# further commands can rely on loaded ssh keys
# ...

If you create a new autostart script, do not forget to chmod u+x it.

Activate autostart script and gnome-keyring-daemon

Start xfce4-session-settings.

In the "Application Autostart" tab, add your autostart script. Do NOT use a short form like ~/, instead specify the full path, like /home/jdoe/

In the last tab, "Advanced", activate "Launch GNOME services on startup".


Try it by logging out and in again.

Obligatory further reading: Evil Traps in ssh-add behaviour

gnome-keyring-daemon makes ssh-add behave weird

When using gnome-keyring-daemon, it acts ssh- and gpg-agent, but it behaves quite differently in a nerve breaking manner, making ssh-add look broken:

  • ssh-add -l used towards gnome-keyring-daemon always shows all ssh-keys known (!) to the gnome keyring, NOT only the ones that are decrypted in-memory!
  • ssh-add -d or ssh-add -D seems (!) to have no effect

The only way to make sure whether the gnome-keyring-daemon-acting-as-ssh-agent helds an encrypted or decrypted version of a particular ssh key is to try using the key, i.e. to execute a ssh based command like ssh, scp, svn (towards a svn+ssh repo), ...