What I'm doing to use a Yubikey in Fedora 24's Cinnamon desktop environment
On my desktop machines, I run a fully custom window manager environment
where I had almost no problems integrating my Yubikey into my regular
environment; most of what it took was some mild hacks to my special
screensaver stuff. However, I also have an office laptop that uses a
Cinnamon-based environment and I wanted to be able to use the Yubikey
there. That turned out to be rather more difficult, because Cinnamon
normally handles SSH agent stuff through gnome-keyring-daemon.
The problem with using g-k-d is simple; it is pretty bad at dealing
with SSH keys. Well, perhaps 'limited' is a more charitable label. It
still doesn't support ED25519 keys, for example. But in this case the
really fatal limitation is that it appears to have no support for using
PKCS#11 shared library providers. Since Yubikey-hosted SSH keys can only
be accessed through just such a shared library, gnome-keyring-daemon is
unable to host them. This means that if you want to have Yubikeys managed
through your SSH agent instead of having to unlock them with your PIN
every time you use them, you can't let gnome-keyring-daemon be your SSH
agent; instead you need to be using the real ssh-agent.
At least on my Fedora 24 install, the session stuff was already
starting a real ssh-agent process. It was just being preempted by part
of the gnome-keyring-daemon setup. Perhaps in a normal Gnome 3
environment there is some graphical way of turning this off, but I
couldn't find anything in my Cinnamon settings. Instead you have to
do this by hand, like so:
- Make a ~/.config/autostart directory if you don't already have one.
- Edit your copy to delete or rename the X-GNOME-Autostart-Notify settings. Possibly you only need to get the first one.
Now log out and log back in again, and you should be using the real
ssh-agent instead of gnome-keyring-daemon's emulation of it.
You can see which one you're using based on the value of the
$SSH_AUTH_SOCK environment variable; if it's of the form
/run/user/<uid>/keyring/ssh, you're still using gnome-keyring-daemon;
the real ssh-agent gives you values that look quite different. (The
real ssh-agent process is started as part of the X session startup,
which in Fedora comes from the xorg-x11-xinit package. You probably
have it installed by default, at least in a Cinnamon-based environment.)
Once you're using the real ssh-agent, you can add the Yubikey-hosted
SSH keys to it with the usual 'ssh-add -s /usr/lib64/opensc-pkcs11.so'
and so on. I wrote a script for this, which I can easily run through my
Cinnamon customizations. Since I only use my laptop infrequently, I
haven't explored things like integration into screen locking; it's
enough for me that I can use my Yubikey through the laptop if I really
need to, and it doesn't have to be as convenient or polished as I want
it to be on my desktop.
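As an added example (not the script from this entry), here is a small POSIX shell helper that does the two checks discussed above before loading the Yubikey: it classifies $SSH_AUTH_SOCK so it refuses gnome-keyring-daemon's socket, and then runs the ssh-add -s step. It assumes the opensc-pkcs11.so path from the entry, ssh-add in PATH, and that a real ssh-agent socket is named /tmp/ssh-XXXXXX/agent.NNNN (ssh-agent's default naming, which the entry does not spell out).

```shell
#!/bin/sh
# Added example (not the author's own script): a helper for the steps above.
# Assumptions: the PKCS#11 provider path /usr/lib64/opensc-pkcs11.so from the
# entry, 'ssh-add' in PATH, and that a real ssh-agent socket looks like
# /tmp/ssh-XXXXXX/agent.NNNN (ssh-agent's default naming, not quoted on the page).

PKCS11_LIB="${PKCS11_LIB:-/usr/lib64/opensc-pkcs11.so}"

# Classify the agent behind an SSH_AUTH_SOCK value:
#   keyring   - gnome-keyring-daemon's emulation (/run/user/<uid>/keyring/ssh)
#   ssh-agent - the real ssh-agent (/tmp/ssh-*/agent.*)
#   none      - variable unset or empty
#   unknown   - anything else (a custom agent, a forwarded socket, ...)
agent_kind() {
    case "$1" in
        "") echo none ;;
        /run/user/*/keyring/ssh) echo keyring ;;
        /tmp/ssh-*/agent.*) echo ssh-agent ;;
        *) echo unknown ;;
    esac
}

# Load the Yubikey-hosted keys into the running agent via the PKCS#11
# provider. Refuses when the agent is gnome-keyring-daemon, which cannot use
# PKCS#11 providers, instead of letting ssh-add fail with a vague error.
add_yubikey() {
    kind=$(agent_kind "${SSH_AUTH_SOCK:-}")
    if [ "$kind" != ssh-agent ]; then
        echo "refusing: SSH_AUTH_SOCK='${SSH_AUTH_SOCK:-}' is '$kind', not the real ssh-agent" >&2
        return 1
    fi
    if [ ! -r "$PKCS11_LIB" ]; then
        echo "PKCS#11 provider $PKCS11_LIB not found; is opensc installed?" >&2
        return 1
    fi
    # ssh-add asks for the Yubikey PIN once; the keys then stay usable through
    # the agent until it exits or the provider is removed with 'ssh-add -e'.
    ssh-add -s "$PKCS11_LIB"
}

# Run the real work only when invoked as 'sh yubikey-agent.sh run', so the
# functions above can also be sourced from other scripts.
if [ "${1:-}" = run ]; then
    add_yubikey && ssh-add -l
fi
```

Running it with a keyring socket exits non-zero with a message naming the socket, which is the quick way to confirm the autostart change took effect after logging back in.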
Information for this entry comes from Using ssh-agent and ED25519
keys on GNOME, the Arch wiki entry on the GNOME keyring daemon, and
this entry on using gpg-agent with GNOME. The gconftool-2 stuff from
this askubuntu question doesn't work for me.
(It turns out that lots of people are unhappy with having
gnome-keyring-daemon act as their SSH agent. Possibly I
should have hunted this down years ago just so I could use
ED25519 keys on my laptop.)