I recently read an article about the password encryption of SSH keys, stating that the old SSH format is useless and insecure. The article explained an option how to use the new format, or just use ed25519 keys, as they use the new format by default.
So I created a new ed25519 key, and expected everything to work fine. It did not, as Gnome Keyring, which acts on my MATE system as SSH agent, doesn’t support ed25519 keys. Great.
Fortunately there’s a tool which supports ECC keys in 2018, namely
ssh-agent. Next problem: gnome-keyring and ssh-agent battle over the
SSH_AUTH_SOCK environment variable.
Here’s the setup you need to get ssh-agent running on MATE, use it as your default SSH agent and add the keys on first use.
First, start the ssh-agent on startup. Edit your shell startup script
~/.zshrc, etc.) and add the following snippet:
# Start SSH agent if [ -z "$SSH_AUTH_SOCK" ] ; then eval `ssh-agent -s` fi
Now edit your SSH config file to add keys on first use
to the agent. Add the following snippet to
Host * AddKeysToAgent yes
The last step is to disable the gnome-keyring SSH component. I found the missing clue in this blog post.
First, disable some stuff with gsettings:
gsettings set org.mate.session gnome-compat-startup "['smproxy']"
Now run the
mate-session-properties tool and uncheck the checkbox
in front of “SSH Agent” and restart your system.
You can check if it’s working:
echo $SSH_AUTH_SOCK should output something like
ssh-add -L should show no keys. Now
use the key for the first time. It should ask for the key password and
add it automatically to the agent. Now
ssh-add -L shows your key, and
the next time you use your key, no password will be required.