Mate Desktop and SSH Agent, without Gnome keyring

For a long time, I used i3 as window manager. It was fine as I like stripped down environment. However, I missed some features of my Gnome 2 experience. Thus I moved to Mate and easily configured it to match my minimalistic needs. All was perfect and I was happy with it, until I realize something was really bothering me: even with all the known methods to disable Gnome keyring autostart, it keeps launching when my session starts. This behavior leads to very nasty bugs, like breaking Emacs tramp or continually bothering me to enter my passphrase.

I finally found a working solution in the Mate Session Manager issues traker. So for all other people, who goes mad because of this, here is the definitive guide to definitely shut Gnome keyring down.

SSH-Agent configuration

First, you need to configure your OpenSSH SSH agent. Nothing specific here, we just need to add a systemd service file for our current user, in order to automatically start the SSH agent when our session starts. I use the following file:

[Unit]
Description=SSH key agent

[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target

You must save it in \~/.config/systemd/user/ssh-agent.service. Then enter systemctl --user enable ssh-agent in your console to active it at startup.

The important point here is the line Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket, where I inform systemd to launch the ssh-agent with the environment variable set to the rather cryptic %t/ssh-agent.socket. The %t placeholder will expand to the runtime directory root, that is to say /run/user/UID/. In my case /run/user/1000/ssh-agent.socket. So, when ssh-agent will start, it will create a socket in this place.

To inform your desktop environment (and other programs, like Emacs), you must add this environment variable either in your \~/.profile file (if you'll use only TTY terminals) or, more surely in your \~/.pam_environment file. No other variable are available in that file, thus you must be explicit when setting the SSH_AUTH_SOCK variable. And yes there is a space between the variable name and DEFAULT. My own \~/.pam_environment file looks like:

SSH_AUTH_SOCK DEFAULT="/run/user/1000/ssh-agent.socket"

Disabling Gnome Keyring

Now that ssh-agent will start just fine, we need to disable the SSH component of Gnome Keyring.

The first step is to "officially" asking it to don't start. You must copy the default .desktop autostart file in your home folder to customize it. Then append two magic lines to it to remove it from the Startup Application configuration dialog (the Hidden=True directive) and disable it for Mate desktop only (the X-MATE-Autostart-enabled=false directive):

cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart/
echo 'Hidden=True' >> ~/.config/autostart/gnome-keyring-ssh.desktop
echo 'X-MATE-Autostart-enabled=false' >> ~/.config/autostart/gnome-keyring-ssh.desktop

We now arrive to the core of the problem. The previous operation should have been sufficient, but there still exists a weird bug, which will spawn Gnome Keyring SSH agent each time you start your session.

To completely deactivate it, you must remove the 'keyring' component from the gnome-compat-startup option in Gsettings. As this key holds an array value, the better way to do it is to use the dconf-editor application. Once you open it, browse to org, then mate, desktop, and finally session. You should find the gnome-compat-startup in there. Click on it, unset the "Use default value" switch and remove 'keyring' from the text field bellow. Take attention to remove the next comma. In my case, the field now contains only ['smproxy'].

That's all, you can now enjoy a keyring-free desktop :)

Sources

Comments

N'hésitez pas à réagir en m'envoyant un email, qui sera publié ci-dessous sous la forme d'un commentaire.