Using ssh-agent and ED25519 Keys on GNOME

The default GNOME keyring (gnome-keyring-daemon) provides an inferior version of ssh-agent. The GNOME version doesn’t support ED25519 keys, and it doesn’t have proper support for removing keys. I figured out a kind of elegant way to fix this in Fedora 24 which should be compatible in the future with the bright and glorious Wayland future, including with gdm-wayland-session.

First I disabled the SSH component of gnome-keyring-daemon by removing the Autostart lines from /etc/xdg/autostart/gnome-keyring-ssh.desktop. From a clean install of GNOME/Fedora you should see after doing this that upon login SSH_AUTH_SOCK is no longer set.

Next I created a systemd user unit file at ~/.config/systemd/user/ssh-agent.service with the following content:

[Unit]
Description=OpenSSH private key agent
IgnoreOnIsolate=true

[Service]
Type=forking
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK
ExecStartPost=/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=${SSH_AUTH_SOCK}

[Install]
WantedBy=default.target

I also enabled this unit with systemctl --user enable ssh-agent.service. After doing this, upon logging in to a GNOME session you should see that SSH_AUTH_SOCK is still not set, but now you will see that an ssh-agent process is started with a command like /usr/bin/ssh-agent -a /run/user/1000/ssh-agent.socket. You’ll also see that systemctl --user show-environment has the correct value for SSH_AUTH_SOCK.

Finally I put this in my ~/.bash_profile:

eval $(systemctl --user show-environment | grep SSH_AUTH_SOCK)
export SSH_AUTH_SOCK

This will cause the right value for SSH_AUTH_SOCK to be propagated to your X11 session. This works because gdm-x-session sources ~/.bash_profile when logging in (or at least it does on Fedora).

From what I understand from the GNOME bugzilla, gdm-wayland-session will automatically know how to get SSH_AUTH_SOCK from the systemd user session, I believe starting in GNOME 3.22. This means in the future you won’t need these lines in ~/.bash_profile.