The default GNOME keyring (gnome-keyring-daemon) provides an inferior version of ssh-agent. The GNOME version doesn't support ED25519 keys, and it doesn't have proper support for removing keys. I figured out a fairly elegant way to fix this in Fedora 24, which should also be compatible with the bright and glorious Wayland future, including with gdm-wayland-session.

First I disabled the SSH component of gnome-keyring-daemon by removing the Autostart lines from /etc/xdg/autostart/gnome-keyring-ssh.desktop. On a clean install of GNOME/Fedora, you should see after doing this that SSH_AUTH_SOCK is no longer set upon login.

Next I created a systemd user unit file at ~/.config/systemd/user/ssh-agent.service with the following content:

[Unit]
Description=OpenSSH private key agent
IgnoreOnIsolate=true
[Service]
Type=forking
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK
ExecStartPost=/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=${SSH_AUTH_SOCK}
[Install]
WantedBy=default.target

I also enabled this unit with systemctl --user enable ssh-agent.service. After doing this, upon logging in to a GNOME session you should see that SSH_AUTH_SOCK is still not set, but now you will see that an ssh-agent process is started with a command like /usr/bin/ssh-agent -a /run/user/1000/ssh-agent.socket. You'll also see that systemctl --user show-environment has the correct value for SSH_AUTH_SOCK.

Finally I put this in my ~/.bash_profile:

eval $(systemctl --user show-environment | grep SSH_AUTH_SOCK)
export SSH_AUTH_SOCK

This will cause the right value for SSH_AUTH_SOCK to be propagated to your X11 session. This works because gdm-x-session sources ~/.bash_profile when logging in (or at least it does on Fedora).
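
A stricter variant of the ~/.bash_profile step, as an added example that is not part of the original post: it accepts only the exact SSH_AUTH_SOCK= line from the show-environment output, does not use eval, and exports the path only if it is a socket owned by the current user. The function names and the sample input are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original post). Function names and the sample
# input are constructed; the socket path matches the unit file above.

# Print the SSH_AUTH_SOCK value found in show-environment output on stdin.
# Only a line that is exactly SSH_AUTH_SOCK=<absolute path> built from
# [A-Za-z0-9._/-] is accepted; quoted/escaped values are rejected, not parsed.
extract_auth_sock() {
    local line value found=""
    while IFS= read -r line; do
        case "$line" in
            SSH_AUTH_SOCK=*) value=${line#SSH_AUTH_SOCK=} ;;
            *) continue ;;   # ignores lines that merely mention the name
        esac
        case "$value" in
            /*) ;;
            *) return 1 ;;
        esac
        case "$value" in
            *[!A-Za-z0-9._/-]*) return 1 ;;
        esac
        found=$value
    done
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Export SSH_AUTH_SOCK from the text in $1 only if the path is a socket
# owned by the current user. Returns non-zero and exports nothing otherwise.
set_auth_sock_from() {
    local sock
    sock=$(printf '%s\n' "$1" | extract_auth_sock) || return 1
    [ -S "$sock" ] && [ -O "$sock" ] || return 1
    export SSH_AUTH_SOCK="$sock"
}

# Constructed sample of `systemctl --user show-environment` output.
SAMPLE_ENV='LANG=en_US.UTF-8
BACKUP_NOTE=old SSH_AUTH_SOCK was /tmp/agent
SSH_AUTH_SOCK=/run/user/1000/ssh-agent.socket
XDG_RUNTIME_DIR=/run/user/1000'

# In ~/.bash_profile, in place of the eval line:
#   set_auth_sock_from "$(systemctl --user show-environment)"
```

The second line of the sample shows why the match is anchored: a plain grep for SSH_AUTH_SOCK would also pass that line to eval.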

From what I understand from the GNOME bugzilla, gdm-wayland-session will automatically know how to get SSH_AUTH_SOCK from the systemd user session, I believe starting in GNOME 3.22. This means in the future you won't need these lines in ~/.bash_profile.