could this be the behavior for the default ssh key out of the box? in kde it would need a desktop file and env set: https://wiki.archlinux.org/title/KDE_Wallet#Using_the_KDE_Wallet_to_store_ssh_key_passphrases it could be extended to load all known keys as well.
+1
We're going to try to get this in place for F40, but also we want to make sure KWallet is a secrets service provider, so that we can stop shipping gnome-keyring...
Metadata Update from @ngompa: - Issue assigned to aleasto - Issue set to the milestone: Fedora Linux 40
Arch Wiki documentation on this: https://wiki.archlinux.org/title/KDE_Wallet
I don't know what sets it but SSH_ASKPASS is already /usr/bin/ksshaskpass
This is a bit weird imo because when you create a new ssh key it won't be added to kwallet until you logout and re-login
secrets API was tracked here: https://pagure.io/fedora-kde/SIG/issue/340
and it's still blocked on https://bugs.kde.org/show_bug.cgi?id=466197 for flatpaks
hey @aleasto it looks like https://bugs.kde.org/show_bug.cgi?id=466197 was fixed. what does that mean for https://pagure.io/fedora-kde/SIG/issue/340 ?
Metadata Update from @timaeos: - Issue set to the milestone: Fedora Linux 41 (was: Fedora Linux 40)
It sounds like there might need to be some testing required here before release to close this out. We were able to confirm on #340 that kwallet is working with the Secrets api now.
@kinghat do you mind testing this on a vm with the latest updates to see if ksshaskpass can unlock automatically if the login passwords match and Remember password has been checked when using ssh the first time?
in a fresh updated vm i created an ed25519 key with password, inserted that pub key to a separate machine's authorized keys file, and tried to connect via user@ip of the separate machine. i was only able to get it to ask me for the key's password in the terminal and not via prompt with a "remember password" option.
tangential:
if the login passwords match
do the passwords really need to match if it's going to remember the password for you? it would just auto unlock via kwallet with the key's different but saved password.
Sorry, I didn't mean the SSH password. I meant the kwallet password. From arch wiki:
The chosen KWallet password must be the same as the current user password. An alternative is to use KWalletManager and set an empty Kwallet-password, thus preventing the need of entering a password to unlock a wallet.
I'll see what it looks like in my VM to confirm as well
Alright so in the brand new VM, SSH_ASKPASS is set to gnome_ssh_askpass and SSH_ASKPASS_REQUIRE is blank
SSH_ASKPASS is set via /etc/profile.d/gnome-ssh-askpass.sh so it seems like something that would need to be removed and replaced with an equivalent script for ksshaskpass that exports both SSH_ASKPASS and SSH_ASKPASS_REQUIRE
Does anyone know if there is a repo that generates what's in the profile.d folder? cc: @aleasto
So it appears that /etc/profile.d/gnome-ssh-askpass.sh is provided by the package openssh-askpass
It sounds like a new package needs to be created. lxqt has a package called lxqt-openssh-askpass that kde could mimic but the sig would need someone to own that package
Getting this in for F41 is cutting it really close but is technically still possible.
We can put it in kde-settings for now.
Alright, I'll attempt it on kde-settings. I don't have it exporting SSH_ASKPASS_REQUIRE here because the reference scripts didn't.
https://pagure.io/fedora-kde/kde-settings/pull-request/19#
We'll also have to make sure that ksshaskpass is in the comps groups / in Kinoite as well.
https://pagure.io/fedora-comps/blob/7155a848970fba2b0d482d9ac8708cc8a05ddf6e/f/comps-f41.xml.in#_3034
It's in comps for F41 though I'm not sure about Kinoite