How to replace Gnome Keyring SSH agent?

Hello,

I’m trying to use Bitwarden as my SSH agent on Bluefin, but I’m encountering an issue with Gnome Keyring’s SSH agent, which currently holds that role.

The problem is that Gnome Keyring aggressively sets the SSH_AUTH_SOCK environment variable to its own socket. I’ve attempted to override this using a configuration file in .config/environment.d, but it appears Keyring’s PAM module takes precedence. While I can manually add the SSH_AUTH_SOCK variable to my shell’s profile, this solution doesn’t extend to GUI applications.

Could anyone recommend the best method to either disable Gnome Keyring’s SSH agent specifically, or at least globally set the SSH_AUTH_SOCK to a different socket for the entire user session?

It’s important to note that I do not want to disable Gnome Keyring entirely, as I still rely on it for secret management. My goal is solely to prevent it from acting as an SSH agent.

Thanks in advance for any assistance!

Just a guess, but can you use flatseal to override the env var in the explicit apps where you need the Bitwarden sock setting?

Probably just a more targeted hack, but thought it would be worth mentioning.

I think your goal is the right one. I just don’t know enough about Gnome Keyring to comment on how to disable its SSH Agent role.

I didn’t know you could do that with flatseal. I will keep it in mind. Thank you.

But indeed, it is only a stop-gap measure. Hopefully someone will know how to replace keyring’s ssh agent properly.

I think I found a solution. I am not 100% sure that it works in Bluefin because I distro-hopped to Aeon Desktop, but I was faced with the same dilemma there. I think the solution should also work in Bluefin.

Gnome uses the XDG autostart to launch keyring. To prevent it you need to override it.

First copy the system .desktop file to your user’s autostart.

cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart/

Now we can disable it by marking it as hidden. For that just add Hidden=true to the file.

echo 'Hidden=true' >> ~/.config/autostart/gnome-keyring-ssh.desktop

Done! Now you can freely set the SSH_AUTH_SOCK variable. The recommended method to do this is .config/environment.d.

Hope it works!

P.S.: Gnome 50 should shy away from this whole desktop files conundrum in favor of systemd services. When the time comes, systemctl --user disable --now gcr-ssh-agent.socket gcr-ssh-agent.service should do the trick.

3 Likes
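
An idempotent variant of the steps in the answer above, as an added example that is not part of the original posts: it places Hidden=true directly under the [Desktop Entry] header, so re-running it does not duplicate the key and the key cannot land in a later group of the file. The function names, the `--apply` switch and the file name `50-ssh-auth-sock.conf` are assumptions made here; the replacement agent's socket path is not given in the thread and has to be passed in.

```shell
#!/bin/sh
# Added example (not from the thread): repeatable autostart override.

# hide_autostart SYS_DIR USER_DIR NAME
# Copy NAME from SYS_DIR into USER_DIR (only if no user copy exists) and
# make sure its [Desktop Entry] group carries exactly one Hidden=true key.
hide_autostart() {
    sys_dir=$1 user_dir=$2 name=$3
    [ -f "$sys_dir/$name" ] || { echo "missing $sys_dir/$name" >&2; return 1; }
    mkdir -p "$user_dir"
    [ -f "$user_dir/$name" ] || cp "$sys_dir/$name" "$user_dir/$name"
    tmp=$(mktemp)
    # Drop any existing Hidden= line, then emit Hidden=true right after the
    # [Desktop Entry] header instead of appending it to the end of the file.
    awk '/^Hidden *=/ { next }
         { print }
         /^\[Desktop Entry\]/ { print "Hidden=true" }' "$user_dir/$name" > "$tmp"
    cat "$tmp" > "$user_dir/$name"   # keeps the user copy's permissions
    rm -f "$tmp"
}

# set_auth_sock ENVD_DIR SOCKET
# Write the session-wide SSH_AUTH_SOCK setting as an environment.d file.
# The file name is a hypothetical choice; environment.d reads *.conf files.
set_auth_sock() {
    mkdir -p "$1"
    printf 'SSH_AUTH_SOCK=%s\n' "$2" > "$1/50-ssh-auth-sock.conf"
}

# is_hidden FILE: succeeds only if FILE has exactly one Hidden=true line.
is_hidden() {
    [ "$(grep -c '^Hidden=true$' "$1")" -eq 1 ]
}

# Nothing is changed unless called as: script --apply /path/to/agent.sock
# (the socket path is a placeholder for your replacement agent's socket).
if [ "${1:-}" = "--apply" ]; then
    hide_autostart /etc/xdg/autostart "$HOME/.config/autostart" \
        gnome-keyring-ssh.desktop
    set_auth_sock "$HOME/.config/environment.d" "${2:?socket path required}"
    is_hidden "$HOME/.config/autostart/gnome-keyring-ssh.desktop" \
        && echo "override in place"
fi
```

After the next login, `echo "$SSH_AUTH_SOCK"` in a terminal should print the path you passed in rather than the keyring's socket.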
