KDE Wallet (ksshaskpass) is not used to store ssh key passphrases #1154

Closed
birkenbube opened this issue Apr 18, 2024 · 12 comments
Labels
dx Developer Experience Image specific

Comments

@birkenbube

Describe the bug

I have git set up to use password protected ssh keys. Currently I have to type in my keys' password every time to unlock my private key.

On Gnome, gnome-keyring seems to deal with saving ssh keys automatically. On KDE ksshaskpass can be used for this purpose. The ArchWiki has a guide about which environment variables have to be set.

On Aurora, the SSH_ASKPASS variable is set to /usr/libexec/openssh/gnome-ssh-askpass by default; SSH_ASKPASS_REQUIRE is unset. I think SSH_ASKPASS might be set here: /usr/etc/profile.d/gnome-ssh-askpass.sh.

What did you expect to happen?

ksshaskpass should be used to automatically store and retrieve the passphrase for ssh private keys without having to type the passphrase every time the key is used.

Output of rpm-ostree status

State: idle
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: no runs since boot
Deployments:
● ostree-image-signed:docker://ghcr.io/ublue-os/aurora-dx:39
                   Digest: sha256:53252a3c4513b043f879d1595cd14992a1fa6d55803f9a18e13bff8bd7eec0e8
                  Version: 39.20240417.0 (2024-04-17T16:52:18Z)
          LayeredPackages: yakuake

  ostree-image-signed:docker://ghcr.io/ublue-os/aurora-dx:39
                   Digest: sha256:9981419ab75e2637606cbeeff2050fbe66408490635cf14d732388def3112e74
                  Version: 39.20240416.0 (2024-04-16T21:39:19Z)
          LayeredPackages: yakuake

  ostree-image-signed:docker://ghcr.io/nihaiden/aurora-dx:39
                   Digest: sha256:6f37691e296bffc7c2ba4418643c91151cabc0f47da932423ef0cf1ef781b91a
                  Version: 39.20240409.0 (2024-04-09T16:52:49Z)
          LayeredPackages: yakuake
                   Pinned: yes

Extra information or context

I tried manually setting the environment variables as mentioned in the ArchWiki guide, but they seem to be overridden by the script in /usr/etc/profile.d/.

@m2Giles
Member

m2Giles commented Apr 18, 2024

You shouldn't have a /usr/etc/profile.d/gnome-ssh-askpass.sh. That is from openssh-askpass which we do not install by default.

I've just added it for bluefin only and have a sudo-askpass configuration being added since that is a nice to have. But on KDE you should have ksshaskpass.

If you have openssh-askpass on your build, we need to figure out how that got pulled in.

@birkenbube
Author

Checking after the update with #1156, it seems that openssh-askpass is still installed, alongside ksshaskpass:

rpm -q openssh-askpass ksshaskpass 
openssh-askpass-9.3p1-10.fc39.x86_64
ksshaskpass-5.27.11-1.fc39.x86_64

SSH_ASKPASS is still set to /usr/libexec/openssh/gnome-ssh-askpass, and /usr/etc/profile.d/gnome-ssh-askpass.sh is still present.

@castrojo castrojo changed the title [aurora-dx] KDE Wallet (ksshaskpass) is not used to store ssh key passphrases KDE Wallet (ksshaskpass) is not used to store ssh key passphrases Apr 19, 2024
@castrojo castrojo added the dx Developer Experience Image specific label Apr 19, 2024
@m2Giles
Member

m2Giles commented Apr 21, 2024

Can you see what package is pulling in openssh-askpass?

You can use rpm -q --whatrequires openssh-askpass

Since it may be a weak dependency, you may have to also do --whatrecommends and --whatsuggests

@birkenbube
Author

rpm -q --whatrequires openssh-askpass
no package requires openssh-askpass

rpm -q --whatsuggests openssh-askpass
no package suggests openssh-askpass

rpm -q --whatrecommends openssh-askpass
fuse-sshfs-3.7.3-9.fc39.x86_64

Looking at what requires fuse-sshfs yields:

rpm -q --whatrequires fuse-sshfs
kde-connect-23.08.5-2.fc39.x86_64

@m2Giles
Member

m2Giles commented Apr 21, 2024

We'll remove the two files in /etc/profile.d setting SSH_ASKPASS to gnome. This should have been set in /etc/xdg/plasma-workspace/env/ksshaskpass.sh.
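
The check behind this diagnosis, as an added example that is not part of the thread or the project's code: it lists every shell profile script that assigns SSH_ASKPASS, marks helpers that are not executable in the current environment (the failure later seen in the distrobox), and reports when the scripts disagree. The function names `audit_askpass` and `askpass_conflict` are hypothetical; the directories to scan are passed as arguments.

```shell
#!/bin/sh
# Added example (not project code). Typical directories from this thread:
#   /etc/profile.d /usr/etc/profile.d /etc/xdg/plasma-workspace/env

# audit_askpass DIR...
# Prints one line per SSH_ASKPASS assignment: status<TAB>file<TAB>helper
# status is "ok" if the helper is executable here, otherwise "missing".
audit_askpass() {
    for dir in "$@"; do
        for file in "$dir"/*.sh; do
            [ -f "$file" ] || continue
            # Match "SSH_ASKPASS=..." and "export SSH_ASKPASS=...",
            # but not SSH_ASKPASS_REQUIRE=..., then reduce to the bare path.
            grep -E '^[[:space:]]*(export[[:space:]]+)?SSH_ASKPASS=' "$file" |
            sed -e 's/^[^=]*=//' -e "s/[\"']//g" -e 's/[[:space:];].*$//' |
            while IFS= read -r helper; do
                if [ -x "$helper" ]; then
                    status=ok
                else
                    status=missing
                fi
                printf '%s\t%s\t%s\n' "$status" "$file" "$helper"
            done
        done
    done
}

# askpass_conflict DIR...
# Succeeds (exit 0) when the scanned scripts name more than one helper,
# i.e. which askpass program wins depends on sourcing order.
askpass_conflict() {
    n=$(audit_askpass "$@" | cut -f3 | sort -u | wc -l)
    [ "$((n))" -gt 1 ]
}

# Stand-alone use: sh audit.sh /etc/profile.d /etc/xdg/plasma-workspace/env
if [ "$#" -gt 0 ]; then
    audit_askpass "$@"
    if askpass_conflict "$@"; then
        echo "conflict: more than one SSH_ASKPASS helper is configured" >&2
    fi
fi
```

Run it both on the host and inside a container: a helper that shows as "ok" on the host can show as "missing" in a distrobox that inherits the variable but not the binary.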

@m2Giles
Member

m2Giles commented Apr 21, 2024

#1166

Let me know if this resolves this.

@birkenbube
Author

That seems to fix it on the host terminal, awesome.

However, testing a git repo in a distrobox, I get:

ssh_askpass: exec(/usr/bin/ksshaskpass): No such file or directory
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Similarly, in VSCode I get an ssh key password prompt on the graphical git tool.

While trying a few things, I found out that running ssh-add makes things work, both in VSCode and in my distroboxes, at least until a reboot. Is there anything Bluefin/Aurora can do about that or would I have to run ssh-add at login? Or is there a different way I haven't figured out yet?

@m2Giles
Member

m2Giles commented Apr 21, 2024

Yes, you will need to run ssh-add on login. gnome-keyring does this automatically on gnome, but for KDE they instead want you to manually specify which identities to add to the agent.

Create a script that simply runs ssh-add. Add that script to your autostart in KDE system settings.

@birkenbube
Copy link
Author

Ok, I finally got it working. I added a script with

#!/bin/bash
ssh-add ~/.ssh/my_key_name

and added it via the KDE autostart settings. Strangely, it would not run the script at first. I figured out that editing the script (simply adding a line break) and saving it after adding it via the settings made it work, very weird.

But it is working now, thank you so much for your help @m2Giles! Ublue is awesome! 👍

@m2Giles
Member

m2Giles commented Apr 26, 2024

@birkenbube After further investigation, the second environment variable seems to break ssh inside of distroboxes, so it is being removed. ksshaskpass is still being set as the SSH_ASKPASS, but it will only prompt when there is no input now.

@birkenbube
Author

@m2Giles Thanks for the heads-up. Changed my script to:

#!/bin/bash
ssh-add ~/.ssh/my_key_name < /dev/null

That seems to be the officially recommended way of invoking ksshaskpass anyway...

@m2Giles
Member

m2Giles commented Apr 27, 2024

Yeah, it's kinda mixed, since the kdewallet integration only appears if ksshaskpass appears, which it won't if you are invoking ssh-add/ssh from a terminal.
