[SOLVED]ssh key persists across logins - xfce/ssh-agent/pgp-agent

Hi,
I am a new Arch user. I must say that I am very happy with my installation so far. Thanks for providing a sensible Linux distribution.
I am coming from Ubuntu 12.04 LTS with xfce as desktop. Ubuntu 12.04 has xfce 4.8.2. Now I am running lightdm and xfce 4.10, which I consider a very useful desktop environment. Now, there is one bug I ran into and I didn't see it documented anywhere:
After logging out or even rebooting, my ssh-key was still cached/stored by gpg-agent.
Now, well. Can't be that hard, can it?
% ssh-add -D
SSH_AGENT_FAILURE
Failed to remove all identities.
Great! Now that really bugged me: I am unable to remove my ssh-key, even across reboots!
It took me a while to realize that gpg-agent is now capable of handling ssh-keys.
I was unable to find any startup configuration for gpg-agent in /etc/profile[.d], systemd, .xinitrc, ...
Disabling xfce-session gpg-agent autostart
After even more searching, I found xfce to be the culprit:
http://docs.xfce.org/xfce/xfce4-session/advanced
Apparently xfce4-session starts gpg-agent
To disable it:
% xfconf-query -c xfce4-session -p /startup/ssh-agent/enabled -n -t bool -s false
Kind'a obvious, right?
Key recovery
To get rid of the ssh-key dangling around unencrypted (?) on your hard disk, have a look at
$HOME/.gnupg/private-keys-v1.d
Looks like gpg-agent is storing ssh keys here. I simply deleted the directory.
BE CAREFUL: I don't know if the directory is only used for cached ssh keys. You might have other valid keys you don't want to delete there. Maybe someone else can shed some light on this.
Now I have my good old ssh-agent back, started automatically as described in the wiki
https://wiki.archlinux.org/index.php/SSH_Keys#ssh-agent
Last edited by georgnix (2014-03-06 12:13:56)
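
As an added example (not from the thread), a POSIX sh script that does what the post does by hand, but more selectively: it tells which agent is behind SSH_AUTH_SOCK from the socket path, and it separates the files in private-keys-v1.d into ssh keys (keygrips listed in ~/.gnupg/sshcontrol, which gpg-agent writes when a key is ssh-add'ed) and everything else, so only the ssh keys need to go. With GnuPG 2.1 and later the same directory also holds gpg's own secret keys, which is why deleting it wholesale is risky. The keygrips, key files and sshcontrol are constructed sample data in a temp dir.

```shell
#!/bin/sh
# Added example: sort out which files in gpg-agent's private-keys-v1.d are
# ssh keys. gpg-agent records the keygrip of every key added via ssh-add in
# ~/.gnupg/sshcontrol; with GnuPG 2.1+ the same directory also holds the gpg
# secret keys, so deleting it wholesale is not safe. Sample data is constructed.

# agent_kind SOCKET_PATH -> gpg-agent | ssh-agent | unknown, judged by the path
# (gpg-agent's ssh socket is S.gpg-agent.ssh; ssh-agent uses /tmp/ssh-XXXX/agent.<pid>)
agent_kind() {
    case "$1" in
        */S.gpg-agent.ssh) echo gpg-agent ;;
        */ssh-*/agent.*)   echo ssh-agent ;;
        *)                 echo unknown ;;
    esac
}

# classify_keys SSHCONTROL KEYDIR -> one "<keygrip> ssh|other" line per *.key file.
# sshcontrol lines look like "[!]<keygrip> [<ttl> [<flags>]]"; '!' marks a disabled
# key that is still ssh-managed; '#' lines are comments.
classify_keys() {
    sshcontrol="$1"; keydir="$2"
    for f in "$keydir"/*.key; do
        [ -e "$f" ] || continue
        grip=$(basename "$f" .key)
        if grep -Eq "^!?${grip}([[:space:]]|$)" "$sshcontrol" 2>/dev/null; then
            echo "$grip ssh"
        else
            echo "$grip other"
        fi
    done
}

# count_ssh SSHCONTROL KEYDIR -> number of ssh-managed key files
count_ssh() { classify_keys "$1" "$2" | grep -c ' ssh$' || true; }

# purge_ssh_keys SSHCONTROL KEYDIR -> delete only the ssh-managed key files,
# i.e. the ones `ssh-add -D` failed to forget in the post above
purge_ssh_keys() {
    classify_keys "$1" "$2" | while read -r grip kind; do
        if [ "$kind" = ssh ]; then
            rm -f "$2/$grip.key"
        fi
    done
}

# --- constructed sample: three empty key files and an sshcontrol naming two ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/private-keys-v1.d"
SSH_GRIP=1111111111111111111111111111111111111111        # made-up keygrips
GPG_GRIP=2222222222222222222222222222222222222222
DISABLED_GRIP=3333333333333333333333333333333333333333
for g in "$SSH_GRIP" "$GPG_GRIP" "$DISABLED_GRIP"; do
    : > "$demo_dir/private-keys-v1.d/$g.key"
done
cat > "$demo_dir/sshcontrol" <<EOF
# constructed sshcontrol
$SSH_GRIP 0
!$DISABLED_GRIP 0
EOF

echo "agent behind \$SSH_AUTH_SOCK: $(agent_kind "${SSH_AUTH_SOCK:-}")"
classify_keys "$demo_dir/sshcontrol" "$demo_dir/private-keys-v1.d"
```

Run against a real setup, point classify_keys at ~/.gnupg/sshcontrol and ~/.gnupg/private-keys-v1.d and check the "other" entries before purging anything.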

Thanks for reminding
Btw, my problem/issue with gpg2's (nonexistent, yet there-in-the-man-pages) "--with-keygrip" option still persists - though I am not sure if this is the place to mention it.

Similar Messages

  • [SOLVED] gnome-keyring-daemon not loading SSH key password on login

    I have an SSH key that I use extensively that has a cumbersome password that I prefer not typing when possible. I know that gnome-keyring-daemon is supposed to have the ability to save the SSH key password, unlock the Passwords:logins, and act as an SSH agent; however, that functionality appears to be missing. There's a strong possibility that I broke this trying to get other things working in GNOME.
    Is there a D-Bus or PolicyKit option that I need to change?
    Solution:
    Turns out this is now handled by pam. The password key store would unlock automatically if I used gnome-screensaver but failed to unlock on X startup so I installed GDM.
    Last edited by Yorokobi (2009-10-31 17:04:50)

    More info. I have been able to get gnome-keyring-daemon to ask for and store the password when I first use the SSH key. The dialog box for entering the SSH key password does not have an option to save the password indefinitely (I forget the exact verbiage) and I can't find anything in Seahorse to do the same.

  • [solved] XF86AudioRaiseVolume Key not working in XFCE with Toshiba Z30

    Symptoms:
    It is possible to assign an action to XF86AudioRaiseVolume (or XF86AudioLowerVolume) in xfce4-keyboard-settings, but when XF86AudioRaiseVolume is pressed, nothing happens. (Not even failsafe test commands.)
    With xfce4-volumed, the mute-key works, but not XF86AudioRaiseVolume and XF86AudioLowerVolume.
    With volumeicon, the following terminal output is sent:
    $ volumeicon
    ** (volumeicon:13084): WARNING **: Binding 'XF86AudioRaiseVolume' failed!
    Failed to bind XF86AudioRaiseVolume
    ** (volumeicon:13084): WARNING **: Binding 'XF86AudioLowerVolume' failed!
    Failed to bind XF86AudioLowerVolume
    ** (volumeicon:13084): WARNING **: Binding 'XF86AudioMute' failed!
    Failed to bind XF86AudioMute
    xev outputs:
    for lower:
    KeymapNotify event, serial 40, synthetic NO, window 0x0,
    keys: 20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
    0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
    for raise:
    KeymapNotify event, serial 40, synthetic NO, window 0x0,
    keys: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
    0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
    Any ideas how to make them work?
    (In Gnome-Shell, they work out of the box.)
    I put this in the Laptop subforum, because with my netbook, all this works. I know the Desktop Environments subforum would also have been an option.
    Last edited by Carl Karl (2014-10-08 18:26:15)

    OK OK, of course pacman -R xfce4-volumed is not enough, a killall xfce4-volumed is also necessary! volumeicon works now, solved.

  • Remote login via ssh and public keys

    I'm not exactly a UNIX expert, but I need to be able to remote login to my PowerBook. The problem with enabling ssh is that as soon as I'm on campus, all kinds of nefarious hosts try brute force attempts to crack my password. I've heard that public/private key logins are the answer, and I've managed to get the public key in the right place on my PowerBook (the private key resides on my iPhone, from which I'll be logging in). But I have two questions:
    1) How do I disable logins via user/password?
    2) When I use my private key, I'm asked to enter the password for the key -- ssh isn't properly storing that password. I've checked permissions, but how can I get ssh to store that password, as it should?

    1) In Sharing > Remote Login, do I still need an account listed to be able to use ssh logins with a public key? I ask because currently (i.e. password authentication enabled), when no accounts are listed, login via public key doesn't work. In other words, an account has to be listed for public key logins to work.
    Yes you still need an account name to login to that computer. However you don't need to specify an account in the sharing preferences. You can lock down the security further by limiting which user accounts can login via ssh.
    By default, if you don't specify a username when you log in it will use the username of the device you're logging in from. So to use an alternative login name you would use
    ssh [email protected]
    where john can be any name of your choosing.
    Put another way: if you turn off password authentication for ssh in sshd_config, how should Sharing > Remote Login be configured?
    If you turn off password authentication you still need to allow your user account to login via ssh in the sharing preferences or you can allow all.
    2) According to that MacOS X Hints article:
    "Leopard has now a built-in support for SSH authentication with public keys.
    OSX has been able to use ssh public key authentication since day 1 of the beta release of OSX. It is not new to Leopard; it has been around for years.
    Just open Terminal and ssh to your public-key-enabled server. A Keychain window appears, proposing you to enter the pass phrase, and then remembering it in your keychain. "
    I have not used this functionality as I don't use any passwords for ssh logins.
    They're talking about the password associated with the key. But on second thought, that password is being saved on the client, not the server, right?
    I am sure this is the case.

  • [solved] gnome-keyring won't save the passphrase for ssh-keys

    Hello,
    I'm trying to use the gnome-keyring to store the passphrases for my ssh-keys in gnome-terminal.
    I started to generate my ssh-keys as described in this article.
    After that I transferred the key via "ssh-copy-id" to my other computer.
    Then I connected to that computer via nautilus and stored the passphrase. Now it is no problem to connect without typing in the passphrase again.
    When I try to connect to that computer via a gnome-terminal ssh asks every time for the passphrase.
    I tried a lot of things, but I can't solve this issue.
    Does anybody have an idea how to tell the gnome-keyring that it should store the passphrase for connections via terminals?
    Any help is appreciated. Maybe I just don't see the solution, but I'm still new to ssh.
    Thanks in advance!
    David
    Last edited by senior_spielbergo (2011-08-02 15:01:04)

    Hi alexcriss,
    I tried to open the terminal from the application menu, but it didn't help.
    I searched the forum for "GDM keyring" and I found a few topics dealing with similar problems, but I couldn't find a solution.
    I have forgotten to mention that when I enter
    ssh-add -L
    it returns
    The agent has no identities.
    Typing
    ssh-add ~/.ssh/id_ecdsa
    returns:
    Enter passphrase for /home/david/.ssh/id_ecdsa:
    Error reading response length from authentication socket.
    Could not add identity: /home/david/.ssh/id_ecdsa
    Maybe this helps to find the error.
    Thanks again,
    David

  • SSH Key login not working when added to gpg-agent

    Hello,
    As I use gnupg, I run the gpg-agent. I run it with systemd --user and it works flawlessly. As I already run gpg-agent, I figured I might as well just add my ssh keys to it as well. Therefore I start gpg-agent with --enable-ssh-support. I use my SSH keys a lot and never had any problems with connecting to anything with a simple ssh .... or pushing things to git etc.
    As the SOCKS_AUTH_SSH envvar needs to be set for ssh-add to work, I added this line to my .bashrc
    export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
    Now, adding my SSH Keys with a simple ssh-add seems to work fine (no errors etc).
    However, when I try to connect to a server now, the following happens:
    ssh -vT [email protected]
    OpenSSH_6.8p1, OpenSSL 1.0.2a 19 Mar 2015
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Connecting to XXXXXXXXX port XXXXX.
    debug1: Connection established.
    debug1: identity file /home/XXXXX/.ssh/id_rsa type 1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/XXXXX/.ssh/id_rsa-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.8
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.8
    debug1: match: OpenSSH_6.8 pat OpenSSH* compat 0x04000000
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr [email protected] none
    debug1: kex: client->server aes128-ctr [email protected] none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:Mw5MTDp91yExgStdoMPMwi2yZdoG9MruOm+6XiC5Vks
    debug1: Host '[XXXXXXX]:XXX' is known and matches the ECDSA host key.
    debug1: Found key in /home/XXXX/.ssh/known_hosts:1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /home/XXXXX/.ssh/id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug1: No more authentication methods to try.
    Permission denied (publickey).
    Which is very strange as id_rsa is my (encrypted) private key. I am also prompted to enter the corresponding password when issuing ssh-add.
    What could the problem be in this case? Thanks a lot!!
    Last edited by replax (2015-05-18 19:06:58)

    replax wrote: Well, there is something listed in .gnupg/sshcontrol , I am not sure if it is connected to my own key though. I tried ssh-add -l and it will list my one key, although it is different from the one in sshcontrol. I suspect that that is an issue of presentation though, as ssh-add spews out the SHA256 of my key..
    How could I go about verifying that the key is indeed correct? Shouldn't it be added automatically by ssh-add?
    Thanks a lot!!
    Yes it should be added automatically. I suppose you could try it in a new user just to start fresh and see if it works, at least then you'll have either verified that your steps were correct or incorrect.

  • [SOLVED] a problem with gpg-agent and ssh keys

    I'm baffled by a strange problem:
    My setup is as follows: I use gpg-agent with --enable-ssh-support, so that my ssh keys are handled by it. All was fine (when I ssh'ed to another machine, a pinentry window popped up, asked for a password, and if I entered the correct one, gpg-agent would decrypt its copy of my private ssh key and use it for identification). But: I needed to change my ssh key, and so I generated a new one. Next, I ssh-add'ed it to gpg-agent (one password to decrypt the private key, then twice another password for gpg-agent). I uploaded the public key to a server. The setup should be complete.
    The problem is that when I ssh to a machine, a pinentry window comes up, but it does not accept my password (the one that I entered twice when ssh-add'ing the key). I tried adding with various different passwords (always deleting ~/.gnupg/private-keys-v1.d/*, since 'ssh-add -d ~/.ssh/id_rsa.pub' would not work for some reason - it would not make gpg-agent forget the key), different pinentry programs ( -qt4, -gtk-2, -curses), and still the same problems. Pinentry itself seems to work fine, since if I enter two different things when it asks for a new passphrase for the key, it detects that there's a problem.
    So, can anyone help? What could I try (please don't post just to say that I could/should use ssh-agent, or keychain, or anything else. I have used various things, and I like this setup the most. It worked before, and I would like to find out why it stopped working and how to get it back to speed.)
    Thanks.
    Last edited by bender02 (2010-02-15 09:52:54)

    That's a known bug with the new gpg version.
    http://lists.gnupg.org/pipermail/gnupg- … 38045.html
    You could use an older version of gpg or use a development version.

  • Ssh Keys To Server

    I'm trying to set my ssh key to my Lion server so I don't need a password to log in, anyone have any ideas how to do this in Lion?

    I only just realized that the key stays unlocked across a reboot, and that even though I set the keychain up to lock after 5 minutes and on hibernating. This is just broken. What could I have possibly done wrong?

  • How do I disable password based login for ssh

    Before upgrading to Mountain Lion I had set up my computer to allow remote login via SSH. Now that I have upgraded I can no longer log in to my computer via SSH without specifying a password. How do I get back to not having to supply a password to log in?
    I created a user named `remotepair` and generated an RSA ssh key. I had set up password-less login to this user by adding the public keys of those who log in to the ~/.ssh/authorized_keys file and the following settings in /etc/sshd_config
    Protocol 2
    PubkeyAuthentication yes
    PermitRootLogin no
    PasswordAuthentication no
    PermitEmptyPasswords no
    ChallengeResponseAuthentication no
    AllowUsers remotepair
    I also created a question on ServerFault about other issues I have with SSH. I solved the issue by doing a PRAM reset.
    Since my settings are no longer working for password-less login, how do I enable password-less login to my Mountain Lion enabled Mac?

    Output for ssh -vvv [email protected]
    OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
    debug1: Reading configuration data /Users/jjasonclark/.ssh/config
    debug1: Reading configuration data /usr/local/Cellar/openssh/5.9p1/etc/ssh_config
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to home.jjasonclark.com [50.47.10.153] port 22.
    debug1: Connection established.
    debug3: Incorrect RSA1 identifier
    debug3: Could not load "/Users/jjasonclark/.ssh/id_rsa" as a RSA1 public key
    debug1: identity file /Users/jjasonclark/.ssh/id_rsa type 1
    debug1: identity file /Users/jjasonclark/.ssh/id_rsa-cert type -1
    debug1: identity file /Users/jjasonclark/.ssh/id_dsa type -1
    debug1: identity file /Users/jjasonclark/.ssh/id_dsa-cert type -1
    debug1: identity file /Users/jjasonclark/.ssh/id_ecdsa type -1
    debug1: identity file /Users/jjasonclark/.ssh/id_ecdsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu7
    debug1: match: OpenSSH_5.3p1 Debian-3ubuntu7 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.9
    debug2: fd 3 setting O_NONBLOCK
    debug3: load_hostkeys: loading entries for host "home.jjasonclark.com" from file "/Users/jjasonclark/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /Users/jjasonclark/.ssh/known_hosts:20
    debug3: load_hostkeys: loaded 1 keys
    debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],ecd[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,[email protected],zlib
    debug2: kex_parse_kexinit: none,[email protected],zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_setup: found hmac-md5
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug2: mac_setup: found hmac-md5
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 125/256
    debug2: bits set: 510/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA 80:b1:a1:11:8f:73:3a:bf:29:04:e9:70:18:d8:d5:cd
    debug3: load_hostkeys: loading entries for host "home.jjasonclark.com" from file "/Users/jjasonclark/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /Users/jjasonclark/.ssh/known_hosts:20
    debug3: load_hostkeys: loaded 1 keys
    debug3: load_hostkeys: loading entries for host "50.47.10.153" from file "/Users/jjasonclark/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /Users/jjasonclark/.ssh/known_hosts:20
    debug3: load_hostkeys: loaded 1 keys
    debug1: Host 'home.jjasonclark.com' is known and matches the RSA host key.
    debug1: Found key in /Users/jjasonclark/.ssh/known_hosts:20
    debug2: bits set: 475/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /Users/jjasonclark/.ssh/id_rsa (0x7fbb53c14d60)
    debug2: key: /Users/jjasonclark/.ssh/github (0x7fbb53c15600)
    debug2: key: /Users/jjasonclark/.ssh/id_dsa (0x0)
    debug2: key: /Users/jjasonclark/.ssh/id_ecdsa (0x0)
    debug1: Authentications that can continue: publickey,password
    debug3: start over, passed a different list publickey,password
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /Users/jjasonclark/.ssh/id_rsa
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,password
    debug1: Offering RSA public key: /Users/jjasonclark/.ssh/github
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,password
    debug1: Trying private key: /Users/jjasonclark/.ssh/id_dsa
    debug3: no such identity: /Users/jjasonclark/.ssh/id_dsa
    debug1: Trying private key: /Users/jjasonclark/.ssh/id_ecdsa
    debug3: no such identity: /Users/jjasonclark/.ssh/id_ecdsa
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup password
    debug3: remaining preferred: ,password
    debug3: authmethod_is_enabled password
    debug1: Next authentication method: password
    [email protected]'s password:
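
As an added example (not from the thread), a POSIX sh script that audits an sshd_config for the directives quoted in the post above and reads the "Authentications that can continue:" line out of `ssh -v` output, which is the quickest way to see whether a server still accepts passwords regardless of what the config file says. The config files and log lines are constructed samples written to a temp dir; sshd honours the first occurrence of a directive and falls back to a compiled-in default (yes for PasswordAuthentication) when it is absent, and Match blocks are not handled.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the password-login directives in the
# thread above, and read back what a server really offers from `ssh -v` output.
# All inputs are constructed samples in a temp dir; nothing touches a live sshd.

# expected_value KEY -> the hardened value for KEY (same values the thread uses)
expected_value() {
    case "$1" in
        PubkeyAuthentication) echo yes ;;
        *)                    echo no ;;
    esac
}

# audit_sshd_config FILE -> "<Key> ok|WEAK (<value>)|MISSING" per directive.
# sshd takes the first occurrence of a directive and matches names case-
# insensitively; a MISSING directive falls back to the compiled-in default,
# which for PasswordAuthentication is "yes". Match blocks are not handled here.
audit_sshd_config() {
    cfg="$1"
    for key in PasswordAuthentication ChallengeResponseAuthentication \
               PermitEmptyPasswords PermitRootLogin PubkeyAuthentication; do
        val=$(sed 's/#.*//' "$cfg" |
              awk -v k="$key" 'tolower($1) == tolower(k) { print tolower($2); exit }')
        if [ -z "$val" ]; then
            echo "$key MISSING"
        elif [ "$val" = "$(expected_value "$key")" ]; then
            echo "$key ok"
        else
            echo "$key WEAK ($val)"
        fi
    done
}

# weak_count FILE -> how many directives are weak or missing
weak_count() { audit_sshd_config "$1" | grep -vc ' ok$' || true; }

# offered_methods LOG -> the first "Authentications that can continue:" list
offered_methods() {
    sed -n 's/^.*Authentications that can continue: //p' "$1" | head -n 1
}

# offers_password LOG -> success if the server still allows password or
# keyboard-interactive login (both end in a typed password)
offers_password() {
    case ",$(offered_methods "$1")," in
        *,password,*|*,keyboard-interactive,*) return 0 ;;
        *) return 1 ;;
    esac
}

# --- constructed samples ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/sshd_config.hardened" <<'EOF'
Protocol 2
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
AllowUsers remotepair
EOF
cat > "$demo/sshd_config.weak" <<'EOF'
# PasswordAuthentication is only commented out, so the default (yes) applies
#PasswordAuthentication no
ChallengeResponseAuthentication yes
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
EOF
# log lines modelled on the thread's ssh -vvv output (constructed)
printf '%s\n' 'debug1: Authentications that can continue: publickey,password' \
    'debug1: Next authentication method: publickey' > "$demo/ssh-v.weak.log"
printf '%s\n' 'debug1: Authentications that can continue: publickey' > "$demo/ssh-v.hardened.log"

audit_sshd_config "$demo/sshd_config.weak"
echo "server offers: $(offered_methods "$demo/ssh-v.weak.log")"
```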

  • Sender sFTP Adapter - SSH Key

    Hi All,
    I have a small doubt regarding the Sender sFTP Adapter. This is what we have done to connect with one of our vendors:
    1. Basis created an SSH key in NWA for the vendor and sent it to them.
    2. They linked the SSH key with a user name and asked me to use the same.
    3. We got the firewalls opened b/w PI and the vendor.
    4. I provided the same details in the sFTP adapter, but I am not able to connect.
    I am getting the below error:
    Error: Cannot connect to SFTP server. Host=########, port=22, username=#####. Private key store=########, private key alias=piPKCS12. Timeout=300000 msecs. Absolute home directory=.: KeyStoreException in Method: getPrivateKey( KeyStore, String, String ). The requested keystore type is not available in the default provider package or any of the other provider packages that were searched. (Software version: 3.0.14.2)
    Please provide your inputs.
    Regards,
    Sachin Dhingra

    Hi,
    The first thing you have to do is use the same userid and the pwd and try to connect to the vendor system from your application layer and see if this is connecting or not. If there is a problem in connection then there are a few steps that you have to follow. Below are the steps you need to follow:
    1. Open the port from your vendor side as well as open the port from your XI system (there might be two ports).
    2. Generate the key of your vendor system and once you start logging in to the system it will ask to install the key, so accept it.
    The IS people can help you out over here.
    3. Try to push one dummy file to that location manually using the command in the application layer.
    4. Check the authorization in the target directory and try to provide the proper authorization; 777 is used for full authorization.
    5. Use the same userid and the pwd and then try from your XI system processing a dummy file.
    Hope this helps.
    cheers,
    jay

  • Too many ssh keys?

    Lately, I'm experiencing a weird issue with SSH. I have 15 keypairs for various machines that I connect to for administration or other work. When trying to login to a server SSH will fail after it presents 3 incorrect keys to the server. This number can be increased on the server side but it would be better to ensure that the correct key is presented to the server.
    In the past I was able to set up a config file to specify which keys should be used for each host and thus have it try only the appropriate keys for each host. This config file is still in place but lately it seems as though SSH ignores this file some times. As to the pattern of when it ignores the file, I have not been able to determine it.
    I have been able to force things to work by specifying the keys directly with the "-i" switch or by unloading unnecessary keys with "ssh-add -d" prior to logging in.
    Has anyone experienced this or similar issues under Leopard with SSH?

    This may be an unrelated coincidence, but I read a comic today whose author mentioned that his ssh key was black listed as result of some security update (hover over the comic to see the author's comment or view source):
    http://xkcd.com/424/
    Cole

  • Unable to create ssh key

    Hi all,
    I'm having trouble creating an ssh key in the Terminal on Snow Leopard. Here are the steps I follow:
    $ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/Users/.../.ssh/id_rsa): (I hit enter)
    /Users/.../.ssh/id_rsa already exists.
    Overwrite (y/n)? y
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    (And then I see this message:)
    open /Users/.../.ssh/id_rsa failed: Is a directory.
    Saving the key failed: /Users/.../.ssh/id_rsa.
    How can I bypass this error? I thought maybe the problem is that I have a previous keypair, but if so I followed the steps outlined in http://help.github.com/mac-set-up-git/ to remove the old pair before generating the new one, and I still get the same error message.
    Any help would be greatly appreciated.
    T

    I actually fixed the problem, if anyone else comes across it: if facing this issue, when backing up and removing existing ssh keys before generating new ones, the command should be
    $ cp -R id_rsa* key_backup
    (Add the -R to the line in the GitHub instructions.)

  • Ssh keys and gnupg keys from wiki instructions...

    Following first the gnupg instructions and then the ssh keys instructions, I've managed to get several instances of gpg-agent running.
    [root@frylock ~]# ps aux | grep agent
    root 2764 0.0 0.0 4208 432 ? Ss 11:15 0:00 ssh-agent
    xtian 2785 0.0 0.1 3500 972 ? Ss 11:18 0:00 gpg-agent -s --enable-ssh-support --daemon --write-env-file /home/frylock/xtian/.gnupg/gpg-agent.env
    root 2958 0.0 0.0 3168 688 ? Ss 11:39 0:00 gpg-agent -s --enable-ssh-support --daemon --write-env-file /root/.gnupg/gpg-agent.env
    root 3036 0.0 0.0 4740 392 ? Ss 11:43 0:00 gpg-agent --daemon
    root 3186 0.0 0.0 4740 388 ? Ss 11:53 0:00 gpg-agent --daemon
    root 3299 0.0 0.0 4740 388 ? Ss 11:58 0:00 gpg-agent --daemon
    root 3549 0.0 0.0 4740 392 ? Ss 12:54 0:00 gpg-agent --daemon
    This I can resolve by going back over the instructions--a fifth time. But what I don't understand is why my user account is the owner of a running process when I'm only logged in on one tty as root?
    //EDIT: Clarify the login scenario
    // EDIT: the code block is cutting off line
    Last edited by xtian (2013-09-07 14:20:00)

    xtian wrote:
    cfr wrote: For example, I don't include the code in ~/.xinitrc or in /etc/profile.d precisely because I'm starting the agent somewhere else.
    That's just it. I'm not starting it somewhere else. According to the wiki, it's being called from .xinitrc and that's where the call is made to the script in profile.d, I think. Unless the script in /etc/profile.d is starting the script automatically?? I don't know.
    Yes. The script you have in /etc/profile.d will start it automatically. I have a similar script in /etc/kde/env and that is all I use. I don't need anything in ~/.xinitrc (or kde's autostart stuff or whatever).  At least, this is true provided those scripts are sourced. What you definitely do not want is the line you currently have in ~/.xinitrc which does not check to see if an instance of gpg-agent is already running.
    This is what I use:
    $ cat /etc/kde/env/gpg-agent-startup.sh
    #!/bin/sh
    # see https://wiki.archlinux.org/index.php/SSH_Keys
    GPG_AGENT=/usr/bin/gpg-agent
    ## Run gpg-agent only if not already running, and available
    if [ -x "${GPG_AGENT}" ] ; then
        # check validity of GPG_SOCKET (in case of session crash)
        GPG_AGENT_INFO_FILE=${HOME}/.gpg-agent-info
        if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
            # GPG_AGENT_INFO has the form <socket>:<pid>:1
            GPG_AGENT_PID=`cat ${GPG_AGENT_INFO_FILE} | grep GPG_AGENT_INFO | cut -f2 -d:`
            GPG_PID_NAME=`cat /proc/${GPG_AGENT_PID}/comm 2>/dev/null`
            if [ ! "x${GPG_PID_NAME}" = "xgpg-agent" ]; then
                # stale env file: the recorded PID is no longer a gpg-agent
                rm -f "${GPG_AGENT_INFO_FILE}" >/dev/null 2>&1
            else
                GPG_SOCKET=`cat "${GPG_AGENT_INFO_FILE}" | grep GPG_AGENT_INFO | cut -f1 -d: | cut -f2 -d=`
                if ! test -S "${GPG_SOCKET}" -a -O "${GPG_SOCKET}" ; then
                    # socket gone or not owned by us: drop the env file so a fresh agent starts
                    rm -f "${GPG_AGENT_INFO_FILE}" >/dev/null 2>&1
                fi
            fi
            unset GPG_AGENT_PID GPG_SOCKET GPG_PID_NAME SSH_AUTH_SOCK
        fi
        if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
            # reuse the running agent: import its variables and export them
            eval "$(cat "${GPG_AGENT_INFO_FILE}")"
            eval "$(cut -d= -f 1 "${GPG_AGENT_INFO_FILE}" | xargs echo export)"
            export GPG_TTY=$(tty)
        else
            # no usable agent: start one; --write-env-file defaults to ~/.gpg-agent-info
            eval "$(${GPG_AGENT} -s --enable-ssh-support --daemon --pinentry-program /usr/bin/pinentry-qt4 --write-env-file)"
        fi
    fi
    In any case, your script should check for the environment file and only start an instance of the agent if it doesn't exist.
    It's not my script. I'm not up on BASH scripts. This one is from the wiki page. Isn't this script checking just that in this IF clause:
    if test -f "$envfile" && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
    eval "$(cat "$envfile")"
    Yes. But the line you have in ~/.xinitrc does NOT check this. It just starts an instance of gpg-agent as a daemon.

  • [new] keychain [ssh-keys manager]

    PKGBUILD
    pkgname=keychain
    pkgver=2.4.2.1
    pkgrel=1
    pkgdesc="A ssh-keys manager"
    url="http://www.gentoo.org/proj/en/keychain/index.xml"
    license="GPL"
    depends=('bash')
    source=(http://dev.gentoo.org/~agriffis/keychain/$pkgname-$pkgver.tar.bz2)
    md5sums=('38d851edf4e1fae518d763e835b9dc43')
    build() {
    cd $startdir/src/$pkgname-$pkgver
    mkdir -p $startdir/pkg/usr/bin
    install -m0755 keychain $startdir/pkg/usr/bin/keychain
    }
    Read my wiki entry on ssh-keys and you'll know what it's used for
    http://wiki.archlinux.org/index.php/using%20SSH-keys
    EDIT:
    it's in STAGING now so you can get it from there

  • DS 6.3 ssh key and password expiration warnings

    I suspect this may be more of an ssh issue than a DS issue, but has anyone managed a configuration that will give users logging in with ssh keys, password expiration or reset warnings?
    In my setup, using compat mode in nsswitch.conf, native ldap logins work as expected for users entering their password. That is, they are forced to change the password after an admin reset, receive "your password will expire" warnings based on the expiration period set in DS (password policies in DS 6 mode, migrated from DS 5.2), etc.
    If a user has an ssh authorized_key entry, they can login without a password, as long as their password is not expired, or been reset by an admin. They are never shown the warning messages, but are allowed to connect, and then immediately logged off, if their password has expired, passed the number of grace logins, or been reset.
    The user can only login if they start from a different username and bypass the ssh key check.
    Hope this makes sense.

    After running various debug modes, I'm beginning to believe that the Directory Server may only issue the warning messages if a password has been typed and validated in the directory. Since no password is entered when using an ssh key, the warnings aren't triggered.
