ssh-agent, kwallet-pam, ssh-add and ksshaskpass under Plasma

Auto-unlocking of SSH keys through KWallet had been broken for me for a while. I finally got around to fixing it, so just tossing this out there in case someone is in the same boat.

I’m on Arch Linux, but the steps should be the same on other distributions I think.

Step 1: Install and configure kwallet-pam

pacman -S kwallet-pam

and load the modules from your /etc/pam.d/sddm:

#%PAM-1.0

auth            include         system-login
auth            optional        pam_kwallet5.so
auth            optional        pam_kwallet.so kdehome=.kde4
account         include         system-login
password        include         system-login
session         include         system-login
session         optional        pam_kwallet5.so auto_start
session         optional        pam_kwallet.so

This way, your KWallet is unlocked when you log in. Note that your login and KWallet passwords must match, you must use Blowfish encryption for the wallet (not GPG), and the name of the wallet must be kdewallet (the default).

Step 2: Start ssh-agent through a systemd user unit file

Create ~/.config/systemd/user/ssh-agent.service with:

[Unit]
Description=SSH key agent

[Service]
Type=forking
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK

[Install]
WantedBy=basic.target

and enable the service with systemctl --user enable ssh-agent. Make sure you use WantedBy=basic.target and not WantedBy=default.target, as at least I had problems with ssh-agent not starting early enough with the latter.

Step 3: Install and configure ksshaskpass

pacman -S ksshaskpass

Then create /etc/profile.d/sshaskpass.sh with:

#!/bin/bash
export SSH_ASKPASS="/usr/bin/ksshaskpass"

This way, ksshaskpass, which will store your passphrase in your wallet, will be the preferred program to unlock your SSH keys.

Step 4: Run ssh-add on Plasma start

Create ~/.config/autostart-scripts/ssh-add.sh with:

#!/bin/sh

export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"

ssh-add < /dev/null

Setting SSH_AUTH_SOCK is necessary, since apparently .bashrc is not picked up. Make sure you make the script executable with chmod +x.

Step 5: Export SSH_AUTH_SOCK also in ~/.bashrc

Make sure you have

export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"

also in .bashrc.
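
To confirm that each of the steps above took effect, here is a small check script. It is an added example, not part of the original post; the function names are made up for it, and the default paths are the ones used in the steps above.

```sh
#!/bin/sh
# Added example: one check per step; each path can be overridden by argument.

# Step 1: pam_kwallet5.so present in auth and in session (with auto_start).
check_pam() {
    f=${1:-/etc/pam.d/sddm}
    grep -Eq '^auth[[:space:]]+optional[[:space:]]+pam_kwallet5\.so' "$f" &&
    grep -Eq '^session[[:space:]]+optional[[:space:]]+pam_kwallet5\.so.*auto_start' "$f"
}

# Step 2: returns 0 ok, 1 missing, 2 not a socket, 3 not ours or open to others.
check_socket() {
    s=${1:-$XDG_RUNTIME_DIR/ssh-agent.socket}
    [ -e "$s" ] || return 1
    [ -S "$s" ] || return 2
    [ -O "$s" ] || return 3
    case $(ls -ld "$s") in
        s???------*) return 0 ;;   # no group/other permission bits
        *)           return 3 ;;
    esac
}

# Step 3: SSH_ASKPASS is set and names an executable.
check_askpass() {
    p=${1-${SSH_ASKPASS:-}}
    [ -n "$p" ] && [ -x "$p" ]
}

# Step 4: the autostart script exists and is executable.
check_autostart() {
    [ -x "${1:-$HOME/.config/autostart-scripts/ssh-add.sh}" ]
}

main() {
    rc=0
    check_pam || { echo "step 1: pam_kwallet5 lines not found in /etc/pam.d/sddm"; rc=1; }
    systemctl --user is-enabled --quiet ssh-agent ||
        { echo "step 2: ssh-agent user unit is not enabled"; rc=1; }
    check_socket || { echo "step 2: agent socket check failed (code $?)"; rc=1; }
    check_askpass || { echo "step 3: SSH_ASKPASS unset or not executable"; rc=1; }
    check_autostart || { echo "step 4: ssh-add.sh missing or not executable"; rc=1; }
    # ssh-add -l exits 0 only when the agent is reachable and holds a key.
    SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-$XDG_RUNTIME_DIR/ssh-agent.socket} ssh-add -l >/dev/null 2>&1 ||
        { echo "step 5: agent unreachable or no key loaded"; rc=1; }
    return $rc
}

# Run the checks only when called with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with --run from a terminal inside the Plasma session after logging in; any line it prints names the step to revisit.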

Hope this can be of use to someone else!

One thought on “ssh-agent, kwallet-pam, ssh-add and ksshaskpass under Plasma”

  1. And just as a note to self: If you want auto-login, just drop the lines in /etc/pam.d/sddm and change your wallet password to an empty string. Security-wise not the best thing to do, but convenient!
