KDE graphical apps do not respect keyring / ssh-agent added via keychain (keychain works in shell correctly)

dusoft · March 29, 2025, 10:01am

I migrated to a new computers along with my SSH keys. I have installed keychain, set it up correctly to load the keys.

However, now graphical KDE apps ask for password (e.g. for Git) and do not respect keys added via keychain in shell / terminal.

I see this in terminal:

* keychain 2.8.5 ~ http://www.funtoo.org
* Found existing ssh-agent: 142966
* Known ssh key: /home/xxx/.ssh/id_rsa
* Known ssh key: /home/xxx/.ssh/github_rsa
* Known ssh key: /home/xxx/.ssh/id_rsa.work

However, that seems to be incorrect as two processes are running with different pids:

ps aux | grep ssh-agent
xxx      2307  0.0  0.0 162652  6964 ?        Ssl  mar26   0:00 /usr/libexec/gcr-ssh-agent --base-dir /run/user/1000/gcr
xxx    144071  0.0  0.0   8304  1468 ?        Ss   10:44   0:00 ssh-agent -s
xxx    144125  0.0  0.0   8436  3632 ?        Ss   10:44   0:00 ssh-agent
xxx    144626  0.0  0.0   9212  2140 pts/5    S+   10:49   0:00 grep --color=auto ssh-agent

I tried killing both, restarting etc., but graphical apps never accept keys added via keychain.

.bashrc contains:

keychain ~/.ssh/id_rsa ~/.ssh/github_rsa ~/.ssh/id_rsa.work

I also tried to configure SSH_AUTH_SOCK:

echo $SSH_AUTH_SOCK
/tmp/ssh-vt37l1auORoj/agent.144071

Again, this seems to be incorrect, there is not such a process anymore (after killed).

ls /tmp/ssh-*/agent.*
/tmp/ssh-SM7TDO6GPDMm/agent.144124  /tmp/ssh-vt37l1auORoj/agent.144070

(these also do not match pids currently running?!)

Everything run via terminal works without asking for a password.

What could be the issue?

pallaswept · March 29, 2025, 12:22pm

You seem to be running both the gnome ssh agent and at least one copy of KDE’s?

I start mine with a systemd service and there’s just the one:

> ps aux |rg ssh
pallasw+    6969  0.0  0.0   9072  6972 ?        Ss   19:51   0:00 /usr/bin/ssh-agent -D -a /run/user/1000/ssh-agent.socket
pallasw+   69420  0.0  0.0   8948  6480 pts/3    S+   23:18   0:00 rg --smart-case --no-ignore --hidden ssh

dusoft · March 29, 2025, 12:37pm

I can not remove gcr as it would break some of my apps that use gnome-keyring. I believe this is happening independently of that. I haven’t had that app (requiring gcr) installed before and still this was an issue.

Yeah, I can confirm. Killing gcr does not change anything. I have also tried to restart ssh-agent after killing gcr and nothing changes.

SSH_AUTH_SOCK points to non-existing ssh-agent pid.

ls /tmp/ssh-*/agent.*
/tmp/ssh-cxKJ50y1bONH/agent.152578  /tmp/ssh-SM7TDO6GPDMm/agent.144124  /tmp/ssh-vt37l1auORoj/agent.144070

$ ps aux|grep ssh
x    152579  0.0  0.0   8436  3620 ?        Ss   13:40   0:00 ssh-agent
x    152843  0.0  0.0   9212  2220 pts/5    S+   13:42   0:00 grep --color=auto ssh

These are pids that do not exist, there is no agent pid that actually is running.
Why is that?

pallaswept · March 29, 2025, 3:01pm

I have no idea how well it will work or not, to have gnome’s agent on KDE, let alone gnome’s agent and KDEs agent simultaneously on KDE.

I’ve seen it do this when it’s started improperly, and the first instance sets the socket path and then dies.

How are you starting it?

And what is the test that fails? (you mentioned that it works in the GUI, what is it that you do? ssh:// address in dolphin?)

dusoft · March 29, 2025, 3:36pm

It is started automatically on login via .bashrc same as it was on my previous computer.

I am testing via any graphical app such as Filezilla or Git Cola (git repos via SSH). None of these work seamlessly, but pop up a password input for each key.

krake · March 30, 2025, 10:27am

This could be a difference in environment.

I haven’t used Bash in ages but in ZSH the ..zshrc is only read by interactive shells, e.g. in a terminal.
It is not read by the login shell and thus environment set by it will not be part of what the Plasma session “sees”.

You could check by running env > /tmp/env.txt in KRunner (ALT+F2) and then looking at that file.

dusoft · March 30, 2025, 10:47am

I see these two lines containing ssh:

GSM_SKIP_SSH_AGENT_WORKAROUND=true
SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh

So this is incorrect, right?

pallaswept · March 30, 2025, 10:47am

Yeh that’s likely the problem. Unless you’ve got something very fancy there, and my powers of mental telepathy aren’t working.

As krake said, if you want Plasma to see it, you need to start it in a way that the var will be seen by Plasma. Putting it in bashrc means it’s only seen by that one shell. This is why you’re seeing multiple PIDs and multiple instances.

There are two commonly advised ways to do it. One is a systemd service, the other is a shell script in ~/.config/plasma-workspace/env directory. If you run a web search for ‘ssh-agent autostart KDE’, you’ll find examples.

dusoft · March 30, 2025, 11:29am

Sorry, I don’t see any good tutorials, only a bunch of forums with various results, mostly non-working or confused examples such as this:

This does not help.

I have created this file in ~/.config/plasma-workspace/env:

#!/bin/sh
keychain ~/.ssh/id_rsa ~/.ssh/github_rsa ~/.ssh/id_rsa.work

Will that work on SDDM/KDE login?

pallaswept · March 30, 2025, 12:06pm

Relatable, sorry. My search engine threw up an AI answer for me at the top, but I know there’s a lot about how this fails, out there.

It will work on KDE login but not SDDM - This is why I use a systemd service, but that being said, it’s harder and you probably don’t actually need that (turns out I don’t either) so I guess the env script is a good way to go.

When we say ‘it will work’ this command isn’t one I’m familiar with, I just start ssh-agent, so YMMV. I took a look at the manpage and I see that it doesn’t actually set the environment var, but rather, outputs a shell script to a known location, such that subsequent shells can source that script to set the var for themselves. That, ain’t gonna get the result you want.

It seems like if you wanted to use that app, you’d follow the manual:

keychain is a manager for ssh-agent, typically run from ~/.bash_profile.

Note (relevant to krake’s call above again) this is not .bashrc

When keychain is run, it checks for a running ssh-agent, otherwise it starts one. It saves the ssh-agent environment variables to ~/.keychain/${HOSTNAME}-sh, so that subsequent logins and non-interactive shells such as cron jobs can source the file and make passwordless ssh connections.

Source that file from that kwin env script.

I think? Honestly I’ve never seen this app before. I’m pretty sure that would work. The second part I’m sure about because that’s exactly right according to the manual. The first part I’m not certain because I’m not sure that the bash_profile will execute, and run keychain and create the shell script, prior to kwin attempting to source it? Probably.

pallaswept · March 30, 2025, 12:20pm

Sorry, reading more, it seems like you could be using --eval with keychain, then it will output the commands to set the vars and you can run them with eval (this is more like how OG ssh-agent works). To steal an example from the Arch wiki you linked and meld it with the last command you showed:

eval $(keychain --eval --quiet ~/.ssh/id_rsa ~/.ssh/github_rsa ~/.ssh/id_rsa.work)

In the kwin env script, might do the trick.

dusoft · March 30, 2025, 6:08pm

Thanks, I’ll check this option.

dusoft · March 30, 2025, 9:00pm

So, no. Putting that line in ~/.config/plasma-workspace/env/ssh-keys.sh made KDE to stop booting and SDDM login would be shown after some time again. I had to delete that file.

I’ll have to leave keychain for shells and use something else for KDE.

jlittle · March 30, 2025, 10:16pm

in ~/.config/plasma-workspace/env:

A point of warning here. Scripts in there may be sourced by sh. On Ubuntu-derived, and I imagine debian-derived, systems this is dash; I don’t know what sh is on Manjaro. Any shebang is ignored, and if sh is not bash any bashisms cause the script to terminate silently.

dusoft · March 30, 2025, 10:42pm

I am on Neon, but I think it’s the same. Hopefully I’ll be able to find some solution to this as it is a bit annoying that KDE is unaware of ssh-agent running.

pallaswept · March 30, 2025, 11:34pm

That’s not necessary, and won’t really work very well. You just need to figure out how to start this application correctly. Just because this one first try wasn’t correct, doesn’t mean it’s time to give up.

Thanks @jlittle !!!

The $(...) is a bashism, so if you’re using some other shell, adjust accordingly. Eg something like:

eval `keychain --eval --quiet ~/.ssh/id_rsa ~/.ssh/github_rsa ~/.ssh/id_rsa.work)`

Try it in a normal terminal shell first and make sure it runs as expected.

jlittle · March 31, 2025, 4:42am

I thought $(…) was POSIX. dash does it fine, but maybe some distro’s sh don’t.

krake · March 31, 2025, 7:32am

Are you on a Wayland session?

Because I am on Neon as well but on X11 and here ssh-agent is started by the X session setup regardless of which desktop is being started and without any config of my own.

pallaswept · March 31, 2025, 8:10am

Yeh you’re right it is POSIX spec. Turns out they both are, now… I am just confused.

I happened to be learning the linux shell when BASH was the new hotness and frequently replacing Bourne sh and we had to learn three different ways to do it depending on which version of which shell it was. The whole experience just left me going 'idk I’ll just try the other one if one fails" I thought you were trying to politely tell me I’d screwed it up but I guess the original should work, too.

Based on what krake is saying though, it sounds like on Neon, ssh-agent is standard, so maybe trying to get keychain to work isn’t the best option.

dusoft · March 31, 2025, 8:26am

Yes, I am running Wayland.