Using Gnome Keyring to save ssh passphrase

I use gnome-keyring-daemon to manage my ssh keys.

On my laptop, the first time I use a new key, it prompts me for a passphrase, and gives me an option to save the passphrase to the keyring.

On my Librem5, I do not get the option to save it to the keyring, presumably because the dialog being displayed is a modified version on the phone? (Trying in convergent mode still gives the same dialog)

Is there something I am missing, a way to work around this issue, or an alternative solution? It is not critical, but slightly annoying, because I have several keys, with long passphrases.

You might have a look at the Passwords and Keys app. No guarantees, though.

For clarity, I think the Passwords and Keys application uses the terms “password” and “key” quite differently from each other - even though both are potential ways to log in to a remote host via ssh. A password is text that you type in to log in via the SSH password authentication method (“something that you know”) - whereas a key is some long binary value that is stored on the client (“something that you have”) to log in via the SSH publickey authentication method. (The remote host determines all the combinations of authentication methods that are required to succeed for a successful login to occur.)

For passwords, whatever is stored in the keyring is protected by the passphrase for the keyring itself. And the keyring (the right keyring) has to exist, which means it has to be created at some point, and it has to be unlocked.

Are you using Geary on your phone? I know Geary creates a keyring for its own use (and in the process asks for the passphrase for the keyring itself).

Use
ls -l .local/share/keyrings
to see what keyrings exist.

Do you control the hosts that you are logging in to remotely?

Possibly the difference is that the laptop is using the default keyring (Login?) and unlocking it automatically on login. You should be able to use Passwords and Keys on the laptop to confirm (or refute) all of that.


Thanks for the replies.

In case I was not clear, this is the setup on my laptop:
I have several ssh keys, that are protected with passphrases. These passphrases are saved in the Default keyring, and gnome-keyring acts as my ssh-agent. When I want to use the keys, I only have to unlock the keyring, with a master password, instead of having to unlock each key individually.

The details of the keyring entry look something like this:

unique ssh-store:/home/user/.ssh/id_rsa

To answer your questions:

I do use Geary, on my Librem5, and I can confirm that the default keyring does exist.

-rw-r--r-- 1 purism purism   15 Mar 16 23:08 default
-rw------- 1 purism purism 8328 Apr  5 21:41 Default_keyring.keyring
-rw------- 1 purism purism  105 Mar 27 22:24 Login.keyring
-rw------- 1 purism purism    0 Mar 16 23:08 user.keystore

I connect to a variety of hosts, some of which I control, but I also use ssh for connection with GitHub.
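
The checks suggested in the thread (which keyrings exist, and whether the default one is really there) can be scripted. This is an added example, not code from any poster; it assumes the `default` file holds the name of the default keyring and that each keyring is stored as `<name>.keyring`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the "default" file holds the
# name of the default keyring and each keyring is stored as <name>.keyring.

# Print the name recorded in DIR/default; fail if it is missing or empty.
default_keyring() {
    dir=$1
    [ -r "$dir/default" ] || return 1
    name=$(tr -d '\n' < "$dir/default")
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# Print keyring/keystore files in DIR that grant any group or other permission.
loose_keyrings() {
    dir=$1
    for f in "$dir"/*.keyring "$dir"/*.keystore; do
        [ -f "$f" ] || continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        bits=$(ls -ln "$f" | cut -c5-10)
        [ "$bits" = "------" ] || printf '%s\n' "${f##*/}"
    done
}

# Report the default keyring and any secret-bearing file that is not owner-only.
audit_keyrings() {
    dir=${1:-$HOME/.local/share/keyrings}
    if name=$(default_keyring "$dir"); then
        if [ -f "$dir/$name.keyring" ]; then
            echo "default keyring: $name (file present)"
        else
            echo "default keyring: $name (no $name.keyring file)"
        fi
    else
        echo "no default keyring recorded in $dir"
    fi
    loose=$(loose_keyrings "$dir")
    [ -z "$loose" ] || echo "readable by group/other: $loose"
    return 0
}

audit_keyrings "$@"
```

This only reports what is on disk; whether a keyring is currently unlocked still has to be confirmed in Passwords and Keys.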