8

I have ssh keys set up and I can see my key in KWalletManager under ksshaskpass. How do I get it so that I am not asked for my ssh passphrase eg. every time I do something in Git. (It says: "Enter passphrase for key ...")

What I would like is that my KDE login is the only time I am asked for a password (as in Cinnamon and Gnome). I guess that this should result in some kind of interaction between KWallet and ssh so that my passphrase is auto-entered into ssh. I've tried searching for information but could not find a step by step solution for Kubuntu. What do I need to do?

mcarans
  • 565

3 Answers3

4

While the instructions here are broadly correct, I had to make some changes to make it work.

Step 1, "Unlock KDE Wallet automatically on login", is already done for Kubuntu 22.10. For me, step 2, "Using the KDE Wallet to store ssh key passphrases", needed modification and step 3, "Using the KDE Wallet to store Git credentials" was not needed (Git with ssh works fine without it):

  1. I made a file ~/.local/bin/delayed_ssh_add

  2. I put the following lines in that file:

#!/bin/bash
sleep 15
/usr/bin/ssh-add -k ~/.ssh/YOUR_SSH_KEY

You can add as many ssh keys as you like using /usr/bin/ssh-add -k .... Note that I found that I had to use the full path to the ssh key starting from /home rather than using ~ for my home directory.

  1. I made the file executable

  2. I made a file ~/.config/autostart/delayed-ssh-add.desktop

  3. I put in it:

[Desktop Entry]
Comment[en_NZ]=
Comment=
Exec=/home/YOUR_HOME_FOLDER/.local/bin/delayed_ssh_add
GenericName[en_NZ]=
GenericName=
MimeType=
Name[en_NZ]=delayed-ssh-add
Name=delayed-ssh-add
Path=
StartupNotify=true
Terminal=false
TerminalOptions=
Type=Application
X-DBUS-ServiceName=
X-DBUS-StartupType=none
X-KDE-SubstituteUID=false
X-KDE-Username=
  1. I made a file ~/.config/environment.d/ssh_askpass.conf

  2. I put in it:

SSH_ASKPASS='/usr/bin/ksshaskpass'
SSH_ASKPASS_REQUIRE=prefer

To explain the above, the change I made was to add the ssh keys after a delay of 15 seconds rather than immediately. I speculate that this is because KWallet or a related service starts after autostart applications begin executing as I also had to delay launching Skype (for which I can also see credentials in KWalletManager).

In case of interest to Python coders: to get GitHub requirements in requirements.txt in a Python project working without prompting for a password, I had to use the following form rather than https:

git+ssh://git@github.com/anntzer/defopt@main#egg=defopt

mcarans
  • 565
  • I found that the linked instructions from the Arch Linux wiki worked for me... (On Kubuntu 22.04.) – Adam L. Taylor Jul 24 '23 at 19:35
  • 2
    Confirmed working for me, Debian 12 stable, KDE v5.27.5, 2023-08-27. I began to followed the instructions in Arch Wiki https://wiki.archlinux.org/title/KDE_Wallet. Which doesn't work (ssh-add -l shows empty). I fixed by adding ssh-add in the ~/.zshrc. But found it not elegant b/c the ssh-add is re-run in every tab opened in kconsole. The solution suggested by @mcarans works exactly as described by the author. The sleep 15 happens in the background and doesn't slow down KDE Plasma startup. – Polymerase Aug 27 '23 at 06:12
2

On Ubuntu Studio 23.04 with KDE Plasma I used the systemd approach from @lightsing mentioned by @Polymerase.

Also with ssh > 7.2 you can instruct the ssh client via .ssh/config to always add keys to a running ssh agent, so there's no need to ssh-add it. This makes it much easier. A thread to this is here: How to get asked for SSH key passphrase once and only when needed?

This appoach works for me with ssh connections on the terminal, with github and with Apache Netbeans.

Install ssh-agent as systemd service

  • create file in ~/.config/systemd/user/ssh-agent.service because ssh-agent is user isolated
[Unit]
Description=SSH key agent

[Service] Type=simple Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK

[Install] WantedBy=default.target

  • create ~/.config/environment.d/ssh_auth_socket.conf and add
SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/ssh-agent.socket"
  • add AddKeysToAgent yes to ~/.ssh/config
  • do chmod 600 ~/.ssh/config and chown $USER ~/.ssh/config to avoid security warnings from ssh
  • enable and start the service: systemctl --user enable --now ssh-agent

Install ksshaskpass

sudo apt install ksshaskpass

Add environment variables

Create ~/.config/environment.d/ssh_askpass.conf and add

SSH_ASKPASS='/usr/bin/ksshaskpass'
SSH_ASKPASS_REQUIRE=prefer

Log out and in again

To activate all environment variables log out and in again. From now on, the KWallet should manage the passwords.

g4rf
  • 21
0

The answer by @mcarans is perfectly working. Step 6 above (setting SSH pinentry to ksshaskpass by creating ~/.config/environment.d/ssh_askpass.conf) could be simplified by:

# check
update-alternatives --list ssh-askpass
# /usr/bin/kssaskpass

set if needed

update-alternatives --force --verbose --set ssh-askpass /usr/bin/kssaskpass

Not described in the answer but, you must ensure ssh-agent is started. You see often the eval $(ssh-agent) command is suggested. But I find it is more convenient to How to start and use ssh-agent as systemd service?

In fact, the ssh-agent service might be already enabled and started. At least with Debian 12, KDE. The ssh-agent is already running without me doing anything.