Recently, installing Ubuntu on a new machine for the first time in a while, I was reminded of some obnoxious and potentially dangerous behavior of the default SSH agent (as articulated by my friend dkg a few years ago). In particular, GNOME Keyring is started by default, provides its own SSH agent with behavior I don't like, and is difficult to disable in favor of the ssh-agent provided by OpenSSH, which I prefer. The GNOME Keyring behavior I don't like is:

  • It loads every key in ~/.ssh automatically at startup
  • Those keys cannot be removed, even with ssh-add -D, and…
  • The agent does not respect certain important constraints on added keys, such as the -c option, which requires me to confirm each use of a loaded key before the agent will sign with it
arh1@wizzo:~$ ssh-add -l
2048 85:2f:aa:53:6d:f4:8b:9e:91:61:21:f3:84:23:79:7f arh1@test (RSA)
2048 54:34:19:d2:a8:57:de:fe:03:4f:68:c7:5a:b9:ea:1f arh1@wizzo (RSA)
arh1@wizzo:~$ ssh-add -c
Enter passphrase for /home/arh1/.ssh/id_rsa: 
Identity added: /home/arh1/.ssh/id_rsa (/home/arh1/.ssh/id_rsa)
The user must confirm each use of the key # NOTE: This constraint is NOT respected
arh1@wizzo:~$ ssh-add -D
All identities removed.
arh1@wizzo:~$ ssh-add -l
2048 85:2f:aa:53:6d:f4:8b:9e:91:61:21:f3:84:23:79:7f arh1@test (RSA)
2048 54:34:19:d2:a8:57:de:fe:03:4f:68:c7:5a:b9:ea:1f arh1@wizzo (RSA)
arh1@wizzo:~$

For these reasons, I would much rather use OpenSSH's implementation of ssh-agent, where -c actually guards every signature and -D actually empties the agent, but keeping GNOME Keyring from clobbering it took a little digging. Per GNOME's documentation, its SSH agent can be disabled in favor of the one I prefer. Simply keeping the GNOME Keyring SSH agent daemon from starting automatically with the Unity session does the trick, but as of Ubuntu 12.04 (Precise Pangolin), many startup applications are hidden from the Startup Applications manager by default.

To “unhide” the GNOME Keyring SSH agent daemon, I changed NoDisplay=true to NoDisplay=false in its XDG autostart desktop entry:

arh1@wizzo:~$ sudo vim /etc/xdg/autostart/gnome-keyring-ssh.desktop 
[sudo] password for arh1: 
arh1@wizzo:~$

At that point, “SSH Key Agent - GNOME Keyring: SSH Agent” appeared in the Startup Applications manager.

From there, I could uncheck the GNOME Keyring SSH agent entry in the Startup Applications manager, restart my Unity session, and I was back to my trusty OpenSSH ssh-agent:

arh1@wizzo:~$ ssh-add -l
The agent has no identities.
arh1@wizzo:~$ ssh-add -c
Enter passphrase for /home/arh1/.ssh/id_rsa: 
Identity added: /home/arh1/.ssh/id_rsa (/home/arh1/.ssh/id_rsa)
The user must confirm each use of the key # Now this constraint IS respected
arh1@wizzo:~$ ssh-add -l
2048 85:2f:aa:53:6d:f4:8b:9e:91:61:21:f3:84:23:79:7f /home/arh1/.ssh/id_rsa (RSA)
arh1@wizzo:~$ ssh-add -D
All identities removed.
arh1@wizzo:~$ ssh-add -l
The agent has no identities.
arh1@wizzo:~$
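As an added example that is not part of the original post (my own script, not GNOME's or OpenSSH's), here is the same outcome reached without editing the system-wide file: a per-user entry of the same name under ~/.config/autostart takes precedence over /etc/xdg/autostart per the XDG autostart specification, and Hidden=true there disables the autostart entirely, so the change survives package upgrades that rewrite the system file. The script also checks which agent a session actually ended up with by inspecting SSH_AUTH_SOCK, using the socket-path patterns GNOME Keyring and OpenSSH's ssh-agent are known to use. The function names, the --apply/--check options, and the optional config-directory argument are my own conventions, not anything the page or either project defines.

```shell
#!/bin/sh
# Added example (not from the original post): disable GNOME Keyring's SSH agent
# with a per-user XDG autostart override instead of editing /etc/xdg/autostart,
# and check which agent a session is actually using.
#
# Per the XDG autostart spec, a desktop entry with the same file name under
# $XDG_CONFIG_HOME/autostart (default ~/.config/autostart) overrides the one in
# /etc/xdg/autostart, and Hidden=true disables the entry entirely.

SYSTEM_ENTRY=/etc/xdg/autostart/gnome-keyring-ssh.desktop

# Write the override. Optional first argument: a config directory to use instead
# of $XDG_CONFIG_HOME / ~/.config (lets you test without touching the real one).
# Prints the path of the override entry it wrote.
disable_keyring_ssh_autostart() {
    config_dir="${1:-${XDG_CONFIG_HOME:-$HOME/.config}}"
    user_dir="$config_dir/autostart"
    user_entry="$user_dir/gnome-keyring-ssh.desktop"
    mkdir -p "$user_dir"
    if [ -r "$SYSTEM_ENTRY" ]; then
        # Copy the distro's entry minus any existing Hidden= line, so Name/Exec
        # stay intact and the Startup Applications manager still shows it.
        grep -v '^Hidden=' "$SYSTEM_ENTRY" > "$user_entry" || true
    else
        # No readable system entry (e.g. not a GNOME box): write a minimal mask.
        printf '[Desktop Entry]\nType=Application\nName=SSH Key Agent\n' > "$user_entry"
    fi
    printf 'Hidden=true\n' >> "$user_entry"
    echo "$user_entry"
}

# Return 0 if the agent socket path belongs to GNOME Keyring, 1 otherwise.
# GNOME Keyring puts its socket under a "keyring" directory
# (/run/user/UID/keyring/ssh, or /tmp/keyring-XXXXXX/ssh on older releases);
# OpenSSH's ssh-agent uses /tmp/ssh-XXXXXX/agent.PID. Defaults to $SSH_AUTH_SOCK.
agent_is_gnome_keyring() {
    case "${1:-$SSH_AUTH_SOCK}" in
        *keyring*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Human-readable verdict for the current session.
report_agent() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "no agent: SSH_AUTH_SOCK is unset"
    elif agent_is_gnome_keyring; then
        echo "GNOME Keyring agent at $SSH_AUTH_SOCK (ssh-add -c / -D will not be honored)"
    else
        echo "non-Keyring agent at $SSH_AUTH_SOCK (expect OpenSSH ssh-agent)"
    fi
}

case "${1:-}" in
    --apply) disable_keyring_ssh_autostart && echo "log out and back in, then re-run with --check" ;;
    --check) report_agent ;;
esac
```

Run it once with --apply, start a fresh session, then --check should report a non-Keyring socket; at that point ssh-add -l should read "The agent has no identities." as in the transcript above, and ssh-add -c will prompt on each use. A Name= line is kept in the override on purpose so the entry still appears (unchecked) in the Startup Applications manager rather than vanishing silently.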