Does gnome-keyring support SSH private keys that are saved in the newer OpenSSH file format? Will Gnome Keyring automatically import those private keys?
In more detail: When generating a SSH private key, ssh-keygen can save the private key in the newer OpenSSH format (rather than the "more compatible PEM format"). With this format, the private key file begins with "-----BEGIN OPENSSH PRIVATE KEY-----".
I just generated a new RSA private key for SSH and saved it in the newer format, using ssh-keygen -t rsa -b 3072 -o -a 16. Now Gnome Keyring doesn't seem to be able to load that private key. In contrast, everything seems to work fine when using ssh-agent.
When using Gnome Keyring with this new private key, I see the following error messages in /var/log/messages:
gnome-keyring-daemon[10904]: invalid or unrecognized private SSH key: [key id]
gnome-keyring-daemon[10904]: signing of the data failed: The operation failed
and when I try to run ssh, I see the following error message in my terminal:
sign_and_send_pubkey: signing failed: agent refused operation
If it's relevant, I'm using Fedora 25 with MATE, with gnome-keyring-3.20.0-1.fc25.x86_64.
Best Answer
Things have changed slightly now. As a result GNOME 3.28 now wraps OpenSSH's ssh-agent, which gives it the same level of support as OpenSSH.
Reference - Archlinux wiki - GNOME/Keyring
If you still find that you're behind this particular version, this Gist shows how you can use keychain to work around this issue, titled: SSH with ed25519 (curve25519) + GNOME-KeyRing.
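To find which key files are in the newer format the question describes, the following added example (not part of the original question or answer) reads the unencrypted header of an "openssh-key-v1" file as laid out in OpenSSH's PROTOCOL.key and reports the cipher, KDF, bcrypt rounds (the value given to -a) and key type. The function names and the dummy sample key built by build_sample are this example's own and are constructed for illustration.

```python
import base64
import struct

BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\0"


def _read_string(buf, off):
    """Read an SSH 'string' (uint32 big-endian length + bytes); return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(text):
    """Classify a private key file; for the new format, return its unencrypted header fields."""
    lines = [line.strip() for line in text.strip().splitlines()]
    first = lines[0] if lines else ""
    if first != BEGIN:
        is_pem = first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----")
        return {"format": "pem" if is_pem else "unknown"}
    if lines[-1] != END:
        raise ValueError("missing END marker")
    blob = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    cipher, off = _read_string(blob, len(MAGIC))
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    pub, _ = _read_string(blob, off + 4)  # skip the uint32 key count
    keytype, _ = _read_string(pub, 0)
    rounds = None
    if kdf == b"bcrypt":  # kdfoptions = string salt + uint32 rounds
        _salt, o = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack_from(">I", kdfopts, o)
    return {"format": "openssh-key-v1", "cipher": cipher.decode(),
            "kdf": kdf.decode(), "rounds": rounds, "key_type": keytype.decode()}


def build_sample(rounds=16):
    """Constructed sample: real header layout, all-zero dummy key material (not a usable key)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    pub = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" * 8)
    blob = (MAGIC + s(b"aes256-ctr") + s(b"bcrypt") + s(s(b"\x00" * 16) + struct.pack(">I", rounds))
            + struct.pack(">I", 1) + s(pub) + s(b"\x00" * 32))
    return f"{BEGIN}\n{base64.b64encode(blob).decode()}\n{END}\n"
```

Only the header is parsed, so no passphrase is needed and the private section is never decrypted.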