Unable to disable the ssh module of gnome-keyring

I confirm this regression in behaviour. It would be very nice to see this fixed, because the ssh module of gnome-keyring has reliability issues (sporadically failing to sign, or even killing the entire gnome-keyring-daemon, when I run a script concurrently executing many ssh commands).

The following message appears (repeated three times) in /var/log/authpriv.log:

gnome-keyring-daemon: couldn't lookup keyring component setting: Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://www.gnome.org/projects/gconf/ for information. (Details - 1: Failed to get connection to session: dbus-launch failed to autolaunch D-Bus session: No protocol specified
Autolaunch error: X11 initialization failed.
)

Setting Status=Confirmed (two reporters, plus log message pinpointing likely problem)

Correction, I meant /var/log/auth.log not /var/log/authpriv.log above.

Further investigation reveals that between 2.22 and 2.24, gconfd grew a dependency on dbus.... which clearly isn't running when gdm is invoking PAM functions. Argh. This could be complex.

I can confirm this bug on a vanilla 8.10 install. I see the same error repeated 3 times after each reboot:

Nov 5 10:45:41 dworkin gdm[4869]: gnome-keyring-daemon: couldn't lookup keyring component setting: Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://www.gnome.org/projects/gconf/ for information. (Details - 1: Failed to get connection to session: dbus-launch failed to autolaunch D-Bus session: No protocol specified

This is a problem on several levels, and I'd probably prefer to get gkr to stop dealing with ssh keys entirely. If anyone knows of a work around that would make that happen I'd love to see that here.

Is there a way to simply turn off gnome-keyring-daemon? If I did that, what else would break? I can't find it in 8.10's "services" management UI, so I don't know if a typical user can shut it down without some sort of nasty issues cropping up.

But, shutting it down might get me past the silly popup window asking for my passphrase, and let me just enter it into the terminal, where it should be done.

As a workaround for myself I've built a version of the gnome-keyring package that is compiled without ssh support and so it doesn't act as a SSH agent...

I've attached a debdiff which will do the above, you just need to build the package, alternatively, i've submitted the package to my PPA and you can grab it from there (once it's been built by the PPA system).

This may or may not be the way Ubuntu wants to deal with this bug so i'm posting this purely as a workaround, although one could argue gnome-keyring-daemon isn't mature enough to be a ssh-agent since it doesn't handle -c / -t options to ssh-add. (LP: #209447)

Dev-note: The debdiff (patch file) change to Makefile.in might seem odd but it wouldn't build without that change since it was still depending on libgkr-ssh.la which wasn't going to be built and I'm not really a Makefile kinda guy so I just made it always compile libgkr-ssh.la so it'd at least build (this is quite possibly a separate bug for the gnome guys)...

Here is a workaround that can be enacted purely using non-root config:

1. Add the line "unset SSH_AUTH_SOCK" to ~/.xsessionrc (creating it if it doesn't exist).
2. Run gnome-session-properties and untick "GNOME Keyring Daemon Wrapper".

The first makes /etc/X11/Xsession.d/90x11-common_ssh-agent not decide that it should not start since there is already an existing agent. The second stops the g-k-r envvars being reinjected into the X session at a later point in startup.

This workaround does not work with current Intrepid.

The daemon is still there.

I had to install Kenny's packages.

I'm using the workaround I posted on current Intrepid right now. It works fine at leaving you using an actual ssh-agent.

As for "The daemon is still there.", well yes, nothing in the workaround stops it running, it just stops it preempting the actual ssh-agent.

I, also, am running Max's workaround. The odd thing is that even if you do what he suggests in gnome-session-properties, you'll still see the Gnome keyring wrapper daemon running on the machine. However, it will stop messing with ssh keys, and the standard ssh-agent commands will then work to let you manipulate keys in the usual way because ssh-agent is running.

The GUI lead me to believe I was turning off the Gnome keyring wrapper daemon, but apparently that isn't what it really does.

So much for truth in advertising. Or something. :)

Jeff, are you seeing gnome-keyring-daemon running (expected) or gnome-keyring-daemon-wrapper running (not expected, and not running for me) ?

Max, good question. Right now, on the computer in question, I see only the daemon. Not the wrapper. What I saw back in mid-November (when I first tried your workaround) I can't say. I probably had only the daemon itself running at that time as well, but who knows.

8.10 hasn't been nearly stable enough for me to avoid reboots in the interim. At least 2 kernel updates and 3 or 4 issues of a black screen in X (when coming back after the screen saver has been invoked) that won't go away and require a reboot, etc. I wish my Ubuntu experience had been a smooth one, but it's been really rocky. I've got other issues as well that I won't bother to detail here.

Anyway, to answer you, it appears the keyring is running, which is apparently the right thing, so disregard my comment.

gnome-keyring bugs may be the root cause of the openssh bug 302252 that I reported last week.

I clobbered several Subversion source code repositories that I access via svn+ssh.

I can manually kill gnome-keyring-daemon to work around.
Wish ssh-agent was still the default :^(

On 12/03/2008 02:56 PM, Max Bowsher wrote:
> I'm using the workaround I posted on current Intrepid right now. It
> works fine at leaving you using an actual ssh-agent.
>
> As for "The daemon is still there.", well yes, nothing in the workaround
> stops it running, it just stops it preempting the actual ssh-agent.
>

Maybe it's because I'm running failsafe gnome session?

--
Cyril Bouthors

I have a related question. In Ubuntu 8.04, Max's workaround doesn't work. (My initial problem was with 8.10, I know.) Max said:

1. Add the line "unset SSH_AUTH_SOCK" to ~/.xsessionrc (creating it if it doesn't exist).
2. Run gnome-session-properties and untick "GNOME Keyring Daemon Wrapper".

But in 8.04, there is no "GNOME Keyring Daemon Wrapper" choice in gnome-session-properties.

What I want to do is get gnome-keyring-daemon out of the loop entirely. Don't ask for my ssh passphrase in a dialog window, just let it be entered on the command line. I'll use "ssh-add -D" when I'm done to get things out of memory.

Is there some way to get gnome-keyring to stop acting as an ssh-agent (or whatever it's doing) in 8.04 and instead just let the real ssh-agent do it's thing?

Thanks much.

Jeff,

"""
Launch gconf-editor, apps/gnome-keyring/daemon-components, uncheck ssh.
Restart X. ssh-agent should start.
"""

- http://bugzilla.gnome.org/show_bug.cgi?id=525574

Thanks much, Kenny. That did the trick.

I wish I knew were all this documentation existed. I'd never heard of gconf-editor. Seems like a tool that fundamental should be right on the ubuntu menus somewhere, but I can't find it there.

Anyway, it works. Thanks again.

--jeffp

the issue has been fixed upstream now

This is fixed in jaunty now. Thanks for reporting.