Update: As of Mate 1.20.3, shipped with Fedora 29, this is no longer necessary. When you use the key for the first time a prompt pops up, asking for the password.

I recently read an article about the password encryption of SSH keys, stating that the old SSH format is useless and insecure. The article explained an option how to use the new format, or just use ed25519 keys, as they use the new format by default.

So I created a new ed25519 key, and expected everything to work fine. It did not, as Gnome Keyring, which acts on my MATE system as SSH agent, doesn’t support ed25519 keys. Great.

Fortunately there’s a tool which supports ECC keys in 2018, namely ssh-agent. Next problem: gnome-keyring and ssh-agent battle over the SSH_AUTH_SOCK environment variable.

Here’s the setup you need to get ssh-agent running on MATE, use it as your default SSH agent and add the keys on first use.

First, start the ssh-agent on startup. Edit your shell startup script (~/.bashrc, ~/.zshrc, etc.) and add the following snippet:

# Start SSH agent
if [ -z "$SSH_AUTH_SOCK" ] ; then
  eval `ssh-agent -s`
fi

Now edit your SSH config file to add keys on first use to the agent. Add the following snippet to ~/.ssh/config:

Host *
  AddKeysToAgent yes

The last step is to disable the gnome-keyring SSH component. I found the missing clue in this blog post.

First, disable some stuff with gsettings:

gsettings set org.mate.session gnome-compat-startup "['smproxy']"

Now run the mate-session-properties tool and uncheck the checkbox in front of “SSH Agent” and restart your system.

You can check if it’s working:

echo $SSH_AUTH_SOCK should output something like /tmp/ssh-xxxxxxx/agent.xxxx and ssh-add -L should show no keys. Now use the key for the first time. It should ask for the key password and add it automatically to the agent. Now ssh-add -L shows your key, and the next time you use your key, no password will be required.

Back to posts