[Issue] SSH key management #417

Open
ahoneybun opened this issue Jul 9, 2024 · 8 comments

Comments

@ahoneybun
Contributor

With GNOME, the keyring is unlocked once you have logged in. Currently ssh-agent does not start, so you need to start it manually in each terminal and use ssh-add to add the keys manually as well.

@qs5779

qs5779 commented Aug 9, 2024

Personally, I never liked how gnome handled ssh keys. There is a package available named "keychain" in the standard repos. It takes a little effort to configure via your login shell, and IIRC you would need to type your password for each key added once per login.

@jokeyrhyme
Contributor

Potentially related to #257

@snaggen

snaggen commented Aug 12, 2024

I created a small fix here, to add ssh-agent at the bottom of the stack, like we used to do back in the 90s
pop-os/cosmic-session#48
That way you only have to run ssh-add once and then it will work for all your windows.

@kdwarn

kdwarn commented Aug 23, 2024

Here's my solution, in case others may find it useful. I use alacritty for my terminal emulator and always ssh into a server through it (well, actually via zellij after alacritty, but that's not relevant to this). The way I start alacritty is with a shortcut, which is Ctrl+Alt+T. Previously, I just had this bound to alacritty. I changed it to ssh-agent alacritty and voila, alacritty starts and ssh-agent is running until that instance of alacritty ends (? I'm not sure that's how to phrase it).

I also added the following to my ~/.ssh/config so keys are automatically added after first time using ssh:

 Host *
     AddKeysToAgent yes

Source: https://super-unix.com/unixlinux/start-a-system-wide-ssh-agent/

@skewballfox

skewballfox commented Aug 30, 2024

> I created a small fix here, to add ssh-agent at the bottom of the stack, like we used to do back in the 90s
> pop-os/cosmic-session#48
> That way you only have to run ssh-add once and then it will work for all your windows.

Do you think that it might be a good idea to have a config with extra processes that are spawned (and then managed) by cosmic-session? As in providing a similar configuration option to how processes can be managed with sway (example), with the caveat that most things are managed by cosmic-session itself.

I can do a PR for this if this sounds like it's worth implementing.

@snaggen

snaggen commented Aug 31, 2024

It sounds like a good idea, and if we are happy to keep ssh separate from the keyring, then it will probably simplify the implementation.

But one thing to think about is how to handle adding of new keys by providing modal UI popups.

I think gnome keyring is unlocked by a PAM module on login, and then attempts to add all keys based on those credentials. If you use a key with another password, it will prompt you. They still lack support for hardware keys, like YubiKey. Well, it works, but I would like a modal dialog saying "Touch YubiKey to confirm presence.".

So, I guess there are benefits to integrating ssh with the keyring, so possibly add it to oo7? Gnome keyring still just spawns ssh-agent under the hood, so there is not really any magic there except trying to auto add your keys on start up.

@skewballfox

> It sounds like a good idea, and if we are happy to keep ssh separate from the keyring, then it will probably simplify the implementation.

Well, this would be more of a stop-gap to set up services not handled yet by Cosmic, or for things that a specific user wants, without resorting to creating hidden desktop entries or systemd user services. I think eventually it should be handled without user configuration.

> So, I guess there are benefits to integrating ssh with the keyring, so possibly add it to oo7?

I checked out oo7 yesterday. Right now there is a sizeable PR for adding server mode to oo7, close to 2400 lines, and it looks like it was branched from main a few months ago. Personally, I'd rather wait until that's merged before attempting to contribute.

@tarruda

tarruda commented Dec 24, 2024

As a temporary workaround, I've added this to my .profile:

# Use the GCR ssh-agent socket when no agent is already configured.
if [ -z "$SSH_AUTH_SOCK" ]; then
    GCR_SSH_SOCK="/run/user/$(id -u)/gcr/ssh"
    if [ -S "$GCR_SSH_SOCK" ]; then
        export SSH_AUTH_SOCK="$GCR_SSH_SOCK"
    fi
fi
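
An added example, not from any commenter in this thread or from the COSMIC code base: a `~/.profile` helper that generalizes the workaround above. It reuses an existing agent socket only if it is a socket owned by the current user, and otherwise starts one login-wide agent. The `gcr/ssh` path comes from the comment above; the function names and the `ssh-agent.socket` file name are assumptions.

```shell
# Added example (not from the thread). Function names and the
# "ssh-agent.socket" file name are assumptions; gcr/ssh is from the thread.

# Print the first candidate under runtime dir $1 that is a socket we own.
find_agent_socket() {
    for _sock in "$1/gcr/ssh" "$1/ssh-agent.socket"; do
        # -S: path is a socket. -O: owned by our effective UID, so a path
        # created by another user is never trusted as our agent.
        if [ -S "$_sock" ] && [ -O "$_sock" ]; then
            printf '%s\n' "$_sock"
            return 0
        fi
    done
    return 1
}

# Export SSH_AUTH_SOCK for the whole login session, starting a single
# agent only when no usable socket exists yet.
setup_ssh_auth_sock() {
    # Respect an agent that is already configured (for example a forwarded one).
    [ -n "${SSH_AUTH_SOCK:-}" ] && return 0

    _dir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    if ! _sock=$(find_agent_socket "$_dir"); then
        # Fail closed: no runtime dir or no ssh-agent binary means no change.
        [ -d "$_dir" ] && command -v ssh-agent >/dev/null 2>&1 || return 1
        _sock="$_dir/ssh-agent.socket"
        # -a binds the agent to a fixed path so every later shell finds it.
        # If a non-socket or foreign file sits at that path, bind fails and
        # we return without exporting anything.
        ssh-agent -a "$_sock" >/dev/null || return 1
    fi
    export SSH_AUTH_SOCK="$_sock"
}

# In ~/.profile, after the definitions above:
#   setup_ssh_auth_sock
```

Combined with `AddKeysToAgent yes` from the earlier comment, the first `ssh` of the session loads the key into the shared agent.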
