(*** This bug was imported into bugs.kde.org ***)
Package: kdm
Version: KDE 3.0.0
Severity: wishlist
Installed from: RedHat RPMs
Compiler: gcc
OS: Linux
OS/Compiler notes: RedHat 7.3
There is no way within KDE for a user to have his session run with (or probably actually within) an instance of ssh-agent. ssh-agent is required for such things as :ext: ssh access with cervisia (a kde application). Searching google for this it appears that the common way is to hack the system wide script that executes startkde on behalf of the user. This appears to be completely undocumented on kde.org. The standard methods recommended in ssh documents and books don't work because KDE doesn't use .xsession. There should be some way for a user to specify that she wants her session to run under/with ssh-agent.
(Submitted via bugs.kde.org)
*** Bug 53051 has been marked as a duplicate of this bug. ***
People using keychain need this feature a lot. gdm already seems to support ssh-agent and ssh-askpass at startup; looking at that code may be a good idea.
At least on Debian, ssh-agent is just run even before KDE (or any other X11 session). It is done by just running xsession as the command
    /usr/bin/ssh-agent /usr/bin/x-session-manager
The exact details of how to reproduce this depend on the distribution. In Debian there is a nice Xsession.d convention:
- /etc/X11/Xsession delegates most processing to /etc/X11/Xsession.d/* subscripts
- one of the first of those scripts sets the STARTUP shell variable to the correctly detected session manager
- the entry for ssh-agent resets the STARTUP variable to "/usr/bin/ssh-agent $STARTUP"
- the last of those scripts runs the X session using $STARTUP
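The STARTUP wrapping described in the comment above, as an added example that is not part of the original thread and is not Debian's actual Xsession.d script. The names SSH_AGENT_BIN, agent_already_available and wrap_startup are hypothetical; the fragment is written to be sourced by the session script.

```shell
#!/bin/sh
# Added illustration of an Xsession.d-style fragment; not Debian's real script.
# SSH_AGENT_BIN, agent_already_available and wrap_startup are hypothetical names.

SSH_AGENT_BIN="${SSH_AGENT_BIN:-/usr/bin/ssh-agent}"

# True when the environment already points at an agent socket, so that a
# second agent is not started for the same session.
agent_already_available() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Print the command line the last Xsession.d script should run for "$1".
wrap_startup() {
    startup="$1"
    if agent_already_available || [ ! -x "$SSH_AGENT_BIN" ]; then
        # Agent inherited from elsewhere, or ssh-agent not installed:
        # leave the session command untouched rather than break login.
        printf '%s\n' "$startup"
        return 0
    fi
    case "$startup" in
        "$SSH_AGENT_BIN "*)
            # Already wrapped (fragment sourced twice): stay idempotent.
            printf '%s\n' "$startup" ;;
        *)
            # ssh-agent runs the session as its child and exports
            # SSH_AUTH_SOCK into it.
            printf '%s %s\n' "$SSH_AGENT_BIN" "$startup" ;;
    esac
}

# An earlier fragment normally sets STARTUP; the default here is the session
# manager path quoted in the comment above.
STARTUP="${STARTUP:-/usr/bin/x-session-manager}"
STARTUP="$(wrap_startup "$STARTUP")"
```

Because ssh-agent is started with the session command as its argument, the agent exits when that command exits, so no agent is left running after logout.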
By the way: there is a second program which requires integration similar to ssh-agent: gpg-agent, used by the kmail S/MIME and GPG handlers. Its integration is even a bit harder, as it doesn't handle the parent-process way of merging with X and requires a trick like running this from Xsession:
    eval `gpg-agent --daemon`
Summarizing my remarks: it seems to me that the best way to run ssh-agent and gpg-agent is to spawn them before KDE, from Xsession. Nevertheless, KDE could provide some docs & examples of how to do it and, even more importantly, the applications which require usage of one of those agents could display detailed help when they are run and detect that the agents are not present. There is also a problem when some machine user needs this feature and he or she is not able to reconfigure the global Xsession and not even able to configure his own Xsession (the case when root doesn't want those agents and doesn't allow for user Xsessions). In this case KDE could probably help somehow.
Running ssh-agent/gpg-agent is better than running no agent at all (and for example Suse distributes a standard setup that already does this). Still, even if these two agents are already running they still know nothing about the KDE wallet infrastructure and so I have to type my password to login, type my password to unlock the wallet, type my password to load ssh-agent and type my password to load gpg-agent. This is a nonsolution. I want to type my password to login and be done with it. Everything else, kwallet, ssh-agent and gpg-agent must be able to use this single authentication, no additional password required.
Hmm, it is ssh-add that asks for the passphrase, not ssh-agent. It seems to me that one could run ssh-agent as described above and it is ssh-add (or maybe some custom kde clone of ssh-add) that requires kwallet integration.
BTW: I second the voice that kwallet should not require an additional password to be opened. Or at least it should give such an option for the less paranoid. Of course the password check should happen (so su - user doesn't give kwallet access) - just the kdm login routine could open kwallet simultaneously with logging in and using the same password.
hmm, the single-sign-on boils down to something like bug #35396
Created attachment 8819 [details] ssh-askpass program that integrates KWallet
If ssh-agent is started (using keychain or whatever), it is fairly trivial to integrate ssh-add with KWallet. I wrote a solution that some of you might want to help me test out? Just compile the attached program (requires the devel versions of KDE and QT, of course) with something like
    g++ -O2 -I/usr/kde/3.3/include -I/usr/qt/3/include -L /usr/qt/3/lib -L/usr/kde/3.3/lib -lqt-mt -l kdecore -lkwalletclient kde-ssh-askpass.cpp -lkdeui -o kde-ssh-askpass
Become root, and install it in the appropriate directory. It's printed when openssh is configured, and it is the same place where sftp-server, ssh-keysign and friends are installed. For me (Gentoo) it's /usr/lib/misc:
    install kde-ssh-askpass /usr/lib/misc/ssh-askpass
Then test it by doing something like
    echo "no tty for you" | ssh-add
(The trick is that ssh-add only uses ssh-askpass if it has no terminal attached.) This should pop up a few dialogs: allow KWallet open, allow ssh-askpass to access the local password folder, and finally the keyphrase. Only the first one should need to be redone, and only once per KDE session, depending on configuration. Next, install the soon-to-be-attached desktop file in ~/.kde/Autostart, and restart KDE (or start a new session). Test it by opening a console and doing
    ssh-add -l
Your keys should be listed. Please tell me how it went (or catch me on Jabber at mesbenh@jabber.dk)
Created attachment 8820 [details] A desktop file for Automatic registering of ssh keys
*** This bug has been confirmed by popular vote. ***
I would like kdm to replace gtk2-ssh-askpass. I use it along with the package called keychain under Gentoo; it holds my ssh key just fine. I just think it is silly to type the same passwd twice. kdm could feed the same process that gtk2-ssh-askpass goes through. Just my two cents. Thanks. Also, instead of a no-passwd kwallet, kdm could also TRY to open the kwallet on_login. If the pass is different, the process should not be different than right now: second password dialog for ssh-key, third one for kwallet. If the passwd is the same, well, don't need to ask 8 times. Thank you.
I have this problem in kde4 as well when gtk2-ssh-askpass is installed. It's really annoying as it pops up all the time when I use konqueror to get an sftp connection, for example.
It seems to me there are two issues here.
1. kdm and kdewallet should be integrated so that a user can unlock his wallet with his login pass without having to type it twice.
2. ssh-askpass needs a kwallet-aware cousin, that will get the passwords for the keys (and should probably install all keys that it has passwords for) from kwallet.
Together, these should solve the problem for all KDE applications. Then there is the issue about gtk2-ask-pass, which probably calls for a political solution. Freedesktop.org might be the way to go with that. I imagine some kind of protocol by which an application can achieve access to a wallet-style feature on the user's desktop, irrespective of the flavour of said desktop.
KDM is unmaintained and not used in KDE Plasma 5. SDDM is the login manager used in KDE Plasma 5. If you still have this same issue with SDDM, please file an issue on the SDDM bugtracker (after doing a search for existing issues first!): https://github.com/sddm/sddm/issues/