[opensuse-xfce] Re: Should I enable GNOME services?
(tried to post via gmane, but it didn't work)
Guido Berhoerster <gber@opensuse.org> writes:
Hello,
few days ago I tried latest Xfce on my netbook and now I got rid of GNOME and running Xfce on both of my machines. Great work!!
However, I have a problem deploying keychain which can handle both ssh & gpg agents considering that gpg-agent component is broken with gpg-2.1 in gnome-keyring.
No, that is not sufficient, gnome-keyring sets some environment variables which xfce4-session must know and that only works if you enable GNOME compatibility mode. If you just use autostart gnome-keyring may be running but applications will not be aware of it.
I disabled autostarting of both ssh & gpg agents, but kept PolicyKit Auth. agent autostarting.
I wonder if or for what would I need gnome-keyring?
The problem is that after launching Xfce session I see the following output for 'ps ax | grep agent':
    2173 ? Ss 0:00 /usr/bin/ssh-agent /usr/bin/gpg-agent --sh --daemon --keep-display --write-env-file /home/gour/.gnupg/agent.info-atmarama:0 /etc/X11/xinit/xinitrc
    2174 ? Ss 0:00 /usr/bin/gpg-agent --sh --daemon --keep-display --write-env-file /home/gour/.gnupg/agent.info-atmarama:0 /etc/X11/xinit/xinitrc
    2212 ? Sl 0:00 /usr/lib/polkit-gnome-authentication-agent-1
so I wonder who/what is launching the agents?
Moreover, I also see gnome-keyring running:
    28512 ? Sl 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
    28842 ? S 0:00 /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
and also wonder who starts it?
Moreover, when I try to kill gnome-keyring, logout, then re-login, keychain invokes askpasswd dialog for both ssh & gpg, but the login process does not finish and I'm thrown back to lightdm screen.
Inspecting X.org.log I found stuff like:
    [ 23750.839] (EE) systemd-logind: failed to get session: PID 28341 does not belong to any known session
but I'm not sure whether this is the reason of not being able to start Xfce GUI session?
This happens when I configure keychain to kick in for interactive shell session.
When I tried to setup keychain to fire on login session then right after entering passwd in lightdm dialog, I get askpasswd helpers for ssh & gpg agent, but, same as before, launching of GUI session is not completed, Xfce4 session dies and I'm back to login manager (lightdm) screen.
I'm *very* happy with Xfce and want to stay with it, but, otoh, need working ssh agent when logging to remote servers as well as gpg agent considering I'm signing my email and commit messages.
I'm optimistic that keychain (which has support for gpg-2.1.) can be made to work, but it looks I'm simply missing some details not being familiar enough how gnome-keyring and agents are started under openSUSE.
Any hint?
Sincerely,
Gour
--
To unsubscribe, e-mail: opensuse-xfce+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-xfce+owner@opensuse.org
* Gour <gour@atmarama.net> [2015-03-23 22:49]:
(tried to post via gmane, but it didn't work)
Guido Berhoerster <gber@opensuse.org> writes:
Hello,
few days ago I tried latest Xfce on my netbook and now I got rid of GNOME and running Xfce on both of my machines. Great work!!
However, I have a problem deploying keychain which can handle both ssh & gpg agents considering that gpg-agent component is broken with gpg-2.1 in gnome-keyring.
No, that is not sufficient, gnome-keyring sets some environment variables which xfce4-session must know and that only works if you enable GNOME compatibility mode. If you just use autostart gnome-keyring may be running but applications will not be aware of it.
I disabled autostarting of both ssh & gpg agents, but kept PolicyKit Auth. agent autostarting.
OK, please don't conflate them, apart from the word "agent" they have nothing in common, no working PolicyKit agent means you won't be able to do much with your GUI any more.
I wonder if or for what would I need gnome-keyring?
Like its KDE counterpart kwallet it offers a generic API to store credentials for many applications, e.g. gvfs-mounts. The SSH and now broken GPG agent are just some addons on top of that.
The problem is that after launching Xfce session I see the following output for 'ps ax | grep agent':
    2173 ? Ss 0:00 /usr/bin/ssh-agent /usr/bin/gpg-agent --sh --daemon --keep-display --write-env-file /home/gour/.gnupg/agent.info-atmarama:0 /etc/X11/xinit/xinitrc
    2174 ? Ss 0:00 /usr/bin/gpg-agent --sh --daemon --keep-display --write-env-file /home/gour/.gnupg/agent.info-atmarama:0 /etc/X11/xinit/xinitrc
    2212 ? Sl 0:00 /usr/lib/polkit-gnome-authentication-agent-1
so I wonder who/what is launching the agents?
/usr/bin/ssh-agent and /usr/bin/gpg-agent are from openssh and gnupg and they are launched by /etc/X11/xdm/sys.xsession when you log in because no other GPG and SSH agents (like the ones provided by gnome-keyring) are running. See the comments on top of that file for an explanation and a way to disable/replace them. /usr/lib/polkit-gnome-authentication-agent-1 is the PolicyKit authentication agent and started via xdg autostart if you have gnome-polkit installed, don't disable it.
Moreover, I also see gnome-keyring running:
    28512 ? Sl 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
    28842 ? S 0:00 /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
and also wonder who starts it?
Your display manager does via PAM, that is needed so that it can be unlocked at login time. If you've disabled "Launch GNOME services on startup" in the Xfce settings it will not start its own GPG and SSH agents and interfere with other GPG and SSH agents in any way.
Moreover, when I try to kill gnome-keyring, logout, then re-login,
It will be automatically started again when you log in, but that is not a problem, see above.
keychain invokes askpasswd dialog for both ssh & gpg, but the login process does not finish and I'm thrown back to lightdm screen.
Inspecting X.org.log I found stuff like:
[ 23750.839] (EE) systemd-logind: failed to get session: PID 28341 does not belong to any known session
but I'm not sure whether this is the reason of not being able to start Xfce GUI session?
This happens when I configure keychain to kick in for interactive shell session.
When I tried to setup keychain to fire on login session then right after entering passwd in lightdm dialog, I get askpasswd helpers for ssh & gpg agent, but, same as before, launching of GUI session is not completed, Xfce4 session dies and I'm back to login manager (lightdm) screen.
I'm *very* happy with Xfce and want to stay with it, but, otoh, need working ssh agent when logging to remote servers as well as gpg agent considering I'm signing my email and commit messages.
Sorry, I'm not familiar with keychain and how it works. From the above it is also not clear how you invoke it and why you want to enter a password while logging in.
I'm optimistic that keychain (which has support for gpg-2.1.) can be made to work, but it looks I'm simply missing some details not being familiar enough how gnome-keyring and agents are started under openSUSE.
Any hint?
Have you tried just using the GnuPG's gpg-agent with pinentry-gtk2?
--
Guido Berhoerster
Guido Berhoerster <gber@opensuse.org> writes:
no working PolicyKit agent means you won't be able to do much with your GUI any more.
OK, that's clear now. Thank you.
/usr/bin/ssh-agent and /usr/bin/gpg-agent are from openssh and gnupg and they are launched by /etc/X11/xdm/sys.xsession when you log in because no other GPG and SSH agents (like the ones provided by gnome-keyring) are running. See the comments on top of that file for an explanation and a way to disable/replace them.
Ahh, that was the missing link. :-)
After I disabled them, iow.
    #usessh=yes
    #usegpg=yes
as well as commented the following:
    #if test -s "$HOME/.myagents" ; then
    #    eval $(grep -E '^use.*=.*' "$HOME/.myagents")
    #else
    #    grep -Eq '^enable-ssh-support' "$HOME/.gnupg/gpg-agent.conf" && usessh=gpg
    #fi
everything works very nicely.
Now I get:
    $ps ax | grep agent
    2160 ? Ss 0:00 ssh-agent
    2186 ? Ss 0:00 gpg-agent --daemon
    2414 ? Sl 0:00 /usr/lib/polkit-gnome-authentication-agent-1
Your display manager does via PAM, that is needed so that it can be unlocked at login time. If you've disabled "Launch GNOME services on startup" in the Xfce settings it will not start its own GPG and SSH agents and interfere with other GPG and SSH agents in any way.
Another useful piece of info!
Sorry, I'm not familiar with keychain and how it works. From the above it is also not clear how you invoke it and why you want to enter a password while logging in.
I'm humbly asking you to take a look at:
http://www.funtoo.org/Keychain
https://github.com/funtoo/keychain
It's mature software working for years and it has support for gpg-2.1.
Now, I'm invoking it from my ~/.config/fish/config.fish with:
    # Keychain
    if status --is-login
        keychain --eval --quiet -Q id_rsa | source
        keychain --eval --quiet -Q mygpgid | source
    end
and during login it invokes dialog to enter passwords for my ssh and gpg key and then I can forget about re-entering them again.
Please, consider to deploy keychain instead of the present trickery in sys.xsession.
Sincerely,
Gour
--
Even if you are considered to be the most sinful of all sinners, when you are situated in the boat of transcendental knowledge you will be able to cross over the ocean of miseries.
* Gour <gour@atmarama.net> [2015-03-24 10:57]:
Guido Berhoerster <gber@opensuse.org> writes:
no working PolicyKit agent means you won't be able to do much with your GUI any more.
OK, that's clear now. Thank you.
/usr/bin/ssh-agent and /usr/bin/gpg-agent are from openssh and gnupg and they are launched by /etc/X11/xdm/sys.xsession when you log in because no other GPG and SSH agents (like the ones provided by gnome-keyring) are running. See the comments on top of that file for an explanation and a way to disable/replace them.
Ahh, that was the missing link. :-)
After I disabled them, iow.
#usessh=yes
#usegpg=yes
as well as commented the following:
    #if test -s "$HOME/.myagents" ; then
    #    eval $(grep -E '^use.*=.*' "$HOME/.myagents")
    #else
    #    grep -Eq '^enable-ssh-support' "$HOME/.gnupg/gpg-agent.conf" && usessh=gpg
    #fi
everything works very nicely.
Now I get:
    $ps ax | grep agent
    2160 ? Ss 0:00 ssh-agent
    2186 ? Ss 0:00 gpg-agent --daemon
    2414 ? Sl 0:00 /usr/lib/polkit-gnome-authentication-agent-1
Well that will not work, the next update to xdm will overwrite your changes to /etc/X11/xdm/sys.xsession. Please read the comments there, you should instead create ~/.myagents with the lines
    usessh=no
    usegpg=no
if you want to override the defaults.
Your display manager does via PAM, that is needed so that it can be unlocked at login time. If you've disabled "Launch GNOME services on startup" in the Xfce settings it will not start its own GPG and SSH agents and interfere with other GPG and SSH agents in any way.
Another useful piece of info!
Sorry, I'm not familiar with keychain and how it works. From the above it is also not clear how you invoke it and why you want to enter a password while logging in.
I'm humbly asking you to take a look at:
http://www.funtoo.org/Keychain
https://github.com/funtoo/keychain
It's mature software working for years and it has support for gpg-2.1.
Now, I'm invoking it from my ~/.config/fish/config.fish with:
    # Keychain
    if status --is-login
        keychain --eval --quiet -Q id_rsa | source
        keychain --eval --quiet -Q mygpgid | source
    end
and during login it invokes dialog to enter passwords for my ssh and gpg key and then I can forget about re-entering them again.
Please, consider to deploy keychain instead of the present trickery in sys.xsession.
I'm the wrong person for that, sys.xsession and the other scripts from the xdm package contain distribution-wide defaults and affect all other desktops as well, so any changes to that should be discussed on the opensuse-factory list and with the xdm package maintainers.
--
Guido Berhoerster
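
The ~/.myagents override recommended above, as an added example that is not part of either poster's message and is not openSUSE's own script: it writes the override file and resolves the effective settings following the sys.xsession fragment quoted in the thread, with a strict parse in place of eval. The yes/yes defaults and the accepted values are assumptions taken from the lines shown in the thread; nothing else in sys.xsession is modelled.

```shell
#!/bin/sh
# Added example. Assumed defaults: usessh=yes and usegpg=yes (the two lines
# that were commented out in the thread).

# resolve_agents HOME_DIR -> prints "usessh=<value> usegpg=<value>"
resolve_agents() {
    home=$1
    usessh=yes
    usegpg=yes
    if test -s "$home/.myagents"; then
        # Strict parse instead of eval: only the two known keys with known
        # values are accepted, any other line is ignored. "gpg" is the value
        # the quoted fragment itself assigns to usessh.
        while IFS='=' read -r key val || [ -n "$key" ]; do
            case "$key=$val" in
                usessh=yes|usessh=no|usessh=gpg) usessh=$val ;;
                usegpg=yes|usegpg=no)            usegpg=$val ;;
            esac
        done < "$home/.myagents"
    elif grep -Eq '^enable-ssh-support' "$home/.gnupg/gpg-agent.conf" 2>/dev/null; then
        # No override file: gpg-agent takes over SSH if it is configured to.
        usessh=gpg
    fi
    printf 'usessh=%s usegpg=%s\n' "$usessh" "$usegpg"
}

# write_override HOME_DIR: create the per-user override, readable only by
# the owner, so a package update to sys.xsession cannot undo it.
write_override() {
    ( umask 077; printf 'usessh=no\nusegpg=no\n' > "$1/.myagents" )
}

# Demo on a constructed, throwaway HOME so the real one is untouched.
demo_home=$(mktemp -d)
write_override "$demo_home"
resolve_agents "$demo_home"
rm -rf "$demo_home"
```

After logging in again with the override in place, `ps ax | grep agent` should list only the agents started by the user's own tooling plus the PolicyKit agent.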