What I'm doing to use a Yubikey in Fedora 24's Cinnamon desktop environment

October 26, 2016

On my desktop machines, I run a fully custom window manager environment where I had almost no problems integrating my Yubikey into my regular environment; most of what it took was some mild hacks to my special screensaver stuff. However, I also have an office laptop that uses a Cinnamon-based environment and I wanted to be able to use the Yubikey there. That turned out to be rather more difficult, because Cinnamon normally handles SSH agent stuff through gnome-keyring-daemon.

The problem with using g-k-d is simple; gnome-keyring-daemon is pretty bad at dealing with SSH keys. Well, perhaps 'limited' is a more charitable label. It still doesn't support ED25519 keys, for example. But in this case the really fatal limitation is that it appears to have no support for using PKCS#11 shared library providers. Since Yubikey-hosted SSH keys can only be accessed through just such a shared library, gnome-keyring-daemon is unable to host them. This means that if you want to have Yubikeys managed through your SSH agent instead of having to unlock them with your PIN every time you use them, you can't let gnome-keyring-daemon be your SSH agent; instead you need to be using the real ssh-agent.

At least on my Fedora 24 install, the session stuff was already starting a ssh-agent process. It was just being preempted by part of the gnome-keyring-daemon setup. Perhaps in a normal Gnome 3 environment there is some graphical way of turning this off, but I couldn't find anything in my Cinnamon settings. Instead you have to do this by hand, like so:

  1. Make a ~/.config/autostart directory if you don't already have one.
  2. Copy /etc/xdg/autostart/gnome-keyring-ssh.desktop to it.
  3. Edit your copy to delete or rename the X-GNOME-Autostart, X-GNOME-AutoRestart, and X-GNOME-Autostart-Notify settings. Possibly you only need to get the first one.

Now log out and log back in again, and you should be using the real ssh-agent instead of gnome-keyring-daemon's emulation of it. You can see which one you're using based on the value of the $SSH_AUTH_SOCK environment variable; if it's of the form /run/user/<uid>/keyring/ssh, you're still using gnome-keyring-agent. The real ssh-agent gives you values that look like /tmp/ssh-<blah>/agent.<pid>.

(The ssh-agent process is started in /etc/X11/xinit/xinitrc-common, which in Fedora comes from the xorg-x11-xinit package. You probably have it installed by default, at least in a Cinnamon-based environment.)

Once you're using the real ssh-agent, you can add the Yubikey hosted SSH keys to it with the usual 'ssh-add -s /usr/lib64/opensc-pkcs11.so' and so on. I wrote a script for this, which I can easily run through my Cinnamon customizations. Since I only use my laptop infrequently, I haven't explored things like integration into screen locking; it's enough for me that I can use my Yubikey through the laptop if I really need to, it doesn't have to be as convenient or polished as I want it to be on my desktop.

Information for this entry comes from Using ssh-agent and ED25519 keys on GNOME, the Arch wiki entry on the GNOME keyring daemon, and this entry on using gpg-agent with GNOME. Sadly, the gconftool-2 stuff from this askubuntu question and its answers doesn't work for me.

(It turns out that lots of people are unhappy with having gnome-keyring-daemon act as their SSH agent. Possibly I should have hunted this down years ago just so I could use ED25519 keys on my laptop.)

Written on 26 October 2016.
« On classifying phish spam as malware, an update
Why I'm unhappy with how Debian builds from source packages right now »

Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Wed Oct 26 01:36:07 2016
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.