#246 Unlock ssh key on login by default
Opened 2 years ago by kinghat. Modified 2 months ago

could this be the behavior for the default ssh key out of the box? in kde it would need a desktop file and env set: https://wiki.archlinux.org/title/KDE_Wallet#Using_the_KDE_Wallet_to_store_ssh_key_passphrases

it could be extended to load all known keys as well.


We're going to try to get this in place for F40, but also we want to make sure KWallet is a secrets service provider, so that we can stop shipping gnome-keyring...

Metadata Update from @ngompa:
- Issue assigned to aleasto
- Issue set to the milestone: Fedora Linux 40

8 months ago

I don't know what sets it but SSH_ASKPASS is already /usr/bin/ksshaskpass

This is a bit weird imo because when you create a new ssh key it won't be added to kwallet until you logout and re-login

Metadata Update from @timaeos:
- Issue set to the milestone: Fedora Linux 41 (was: Fedora Linux 40)

3 months ago

It sounds like there might need to be some testing required here before release to close this out. We were able to confirm on #340 that kwallet is working with the Secrets api now.

@kinghat do you mind testing this on a vm with the latest updates to see if ksshaskpass can unlock automatically if the login passwords match and Remember password has been checked when using ssh the first time?

> @kinghat do you mind testing this on a vm with the latest updates to see if ksshaskpass can unlock automatically if the login passwords match and Remember password has been checked when using ssh the first time?

in a fresh updated vm i created an ed25519 key with password, inserted that pub key to a separate machine's authorized keys file, and tried to connect via user@ip of the separate machine. i was only able to get it to ask me for the key's password in the terminal and not via prompt with a "remember password" option.

tangential:

> if the login passwords match

do the passwords really need to match if it's going to remember the password for you? it would just auto unlock via kwallet with the key's different but saved password.

Sorry, I didn't mean the SSH password. I meant the kwallet password. From arch wiki:

> The chosen KWallet password must be the same as the current user password.
> An alternative is to use KWalletManager and set an empty Kwallet-password, thus preventing the need of entering a password to unlock a wallet.

I'll see what it looks like in my VM to confirm as well

Alright so in the brand new VM, SSH_ASKPASS is set to gnome_ssh_askpass and SSH_ASKPASS_REQUIRE is blank

SSH_ASKPASS is set via /etc/profile.d/gnome-ssh-askpass.sh so it seems like something that would need to be removed and replaced with an equivalent script for ksshaskpass that exports both SSH_ASKPASS and SSH_ASKPASS_REQUIRE

Does anyone know if there is a repo that generates what's in the profile.d folder? cc: @aleasto

So it appears that /etc/profile.d/gnome-ssh-askpass.sh is provided by the package openssh-askpass

It sounds like a new package needs to be created. lxqt has a package called lxqt-openssh-askpass that kde could mimic but the sig would need someone to own that package

Getting this in for F41 is cutting it really close but is technically still possible.

We can put it in kde-settings for now.

Alright, I'll attempt it on kde-settings
I don't have it exporting SSH_ASKPASS_REQUIRE here because the reference scripts didn't.

https://pagure.io/fedora-kde/kde-settings/pull-request/19#

We'll also have to make sure that ksshaskpass is in the comps groups / in Kinoite as well.

> We'll also have to make sure that ksshaskpass is in the comps groups / in Kinoite as well.

https://pagure.io/fedora-comps/blob/7155a848970fba2b0d482d9ac8708cc8a05ddf6e/f/comps-f41.xml.in#_3034

It's in comps for F41 though I'm not sure about Kinoite
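
A profile.d-style snippet of the kind discussed in this thread, as an added example; it is not the script from the kde-settings pull request or from any Fedora package. The function name, the KDE-session check via XDG_CURRENT_DESKTOP and the choice of `prefer` for SSH_ASKPASS_REQUIRE are assumptions.

```shell
# Added example: snippet meant to be sourced from /etc/profile.d/ (file name
# and layout are assumptions). It is sourced by login shells, so it must not
# call exit and should not leave helper variables behind.

# Hypothetical helper: point OpenSSH at ksshaskpass for KDE sessions only.
# $1 = askpass helper path (default: the path reported in the thread).
setup_ksshaskpass() {
    _kssh_helper="${1:-/usr/bin/ksshaskpass}"

    # XDG_CURRENT_DESKTOP is a colon-separated list; act only when KDE is in
    # it so other desktops keep whatever askpass helper they already use.
    case ":${XDG_CURRENT_DESKTOP:-}:" in
        *:KDE:*) ;;
        *) unset _kssh_helper; return 0 ;;
    esac

    # Do not export a helper path that is not installed and executable.
    if [ ! -x "$_kssh_helper" ]; then
        unset _kssh_helper
        return 0
    fi

    SSH_ASKPASS="$_kssh_helper"
    export SSH_ASKPASS

    # Without SSH_ASKPASS_REQUIRE, ssh only runs the askpass program when it
    # has no terminal. "prefer" tells it to use the helper instead of the TTY.
    # An explicit user setting (never/prefer/force) is left alone.
    if [ -z "${SSH_ASKPASS_REQUIRE:-}" ]; then
        SSH_ASKPASS_REQUIRE=prefer
        export SSH_ASKPASS_REQUIRE
    fi

    unset _kssh_helper
}

setup_ksshaskpass
```

After logging in again, `echo "$SSH_ASKPASS" "$SSH_ASKPASS_REQUIRE"` in a terminal shows whether the session picked the values up.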
