HI,
So, if I’m being honest, when I switched from Fedora—which I’d been using for a good 25 years—to Arch, I was a bit taken aback by the freedom Arch offers to install and configure absolutely everything to my own specifications. But now I much prefer the concept behind Arch; it allows me to set up and build my system exactly to meet the requirements of my home lab.
Enough of the preamble—here’s what I’m getting at. As you know, I’m a bit paranoid when it comes to security and confidentiality. So all user-related keys or certificates have a corresponding passphrase, which I require users to provide whenever I want to use them, for example, to decrypt messages or access remote systems via Secure Shell. That means the SSH agent should ask me for the passphrase or the Nitrokey PIN EVERY TIME I want to establish a connection, unless I do so within x minutes or after intentionally killing the SSH agent process. That’s what I’ve been used to for the past few decades, and now I’m a bit confused. Why on earth isn’t the SSH agent asking me for the passphrase or the PIN of the security token?
The culprit here is gnome-keyring in conjunction with gcr-4. Uninstalling both packages isn't really a good idea, since there are countless dependencies with other packages. So I thought, “Okay, then I'll just install the seahorse package and delete all the SSH keys there.” But I rejoiced too soon; I’m still not being asked for the SSH key passphrase. Moving them out of the subdirectory doesn’t seem to faze these systems either. As soon as I log in to my Cinnamon desktop, I can access anything with an “SSH DESTINATION HOST.” But I don’t want it to be like this, so my question is: who on earth came up with this mess? Did I end up on Ubuntu here, or is it Arch after all? And the real question now is: how do I get rid of this plague? Where and how the hell do I teach the client workstations to stop using private key material WITHOUT prompting for passphrases?
I'd appreciate any tips or guidance!
ttyl
BC
Welcome to Arch. For me personally, I had the exact opposite experience coming from another distribution. I fought for days to finally have my passphrases in the keyring automatically unlocked during login.
Which passwords do you want to enter manually? Only ssh? Or also PGP and the ones in your browser?
For ssh, you could disable the gcr 4 user service. Or if you enter your passphrase, don't click on "save in keyring".
The archwiki is really helpful for the opposite direction, but I trust that you can follow the gist and reverse the ideas to explicitly disable ssh-agents.
HI,
Which passwords do you want to enter manually? Only ssh? Or also PGP and the ones in your browser?
Whether it's SSH, PGP, or S/MIME, whenever I want to use the private key, I want to be prompted for it—unless I access the key within, say, 3 minutes, in which case that part can stay in RAM as far as I'm concerned, preferably within a separately protected area.
For ssh, you could disable the gcr 4 user service. Or if you enter your passphrase, don't click on "save in keyring".
It won't work.
$ systemctl --user status gcr-ssh-agent.{service,socket}
○ gcr-ssh-agent.service - GCR ssh-agent wrapper
     Loaded: loaded (/usr/lib/systemd/user/gcr-ssh-agent.service; disabled; preset: enabled)
     Active: inactive (dead)
TriggeredBy: ○ gcr-ssh-agent.socket
○ gcr-ssh-agent.socket - GCR ssh-agent wrapper
     Loaded: loaded (/usr/lib/systemd/user/gcr-ssh-agent.socket; disabled; preset: enabled)
     Active: inactive (dead)
   Triggers: ● gcr-ssh-agent.service
     Listen: /run/user/1000/gcr/ssh (Stream)
The archwiki is really helpful for the opposite direction, but I trust that you can follow the gist and reverse the ideas to explicitly disable ssh-agents.
Unfortunately, the Arch-WIKI pages are only of limited help here.
https://wiki.archlinux.org/title/GNOME/ … #Disabling
Are you sure gcr is acting as SSH_AGENT here at all?
printenv | grep SSH
https://wiki.archlinux.org/title/SSH_keys#SSH_agents
Uninstalling both packages isn't really a good idea, since there are countless dependencies with other packages.
Not on my system.
You could still try to remove gcr-4 (and gnome-keyring), ignoring the deps (-Rdd) and tolerating that it might break one or two things just to make sure that it's actually what's caching your SSH keys right now.
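To act on the "are you sure gcr is the agent" question above, here is an added example (not from anyone in this thread): a POSIX shell helper that classifies SSH_AUTH_SOCK by its path and, when an agent is reachable, lists which identities it is holding without a prompt. The gcr path comes from the systemctl output above; the gnome-keyring, gpg-agent and plain ssh-agent patterns are assumptions about their default socket locations.

```shell
#!/bin/sh
# Identify which agent implementation owns the SSH_AUTH_SOCK socket so you
# know which service to disable. Path patterns other than */gcr/ssh are
# assumptions about common defaults, not values taken from this thread.
classify_agent_socket() {
  sock="$1"
  case "$sock" in
    "")                          echo "none" ;;          # no agent exported at all
    */gcr/ssh)                   echo "gcr" ;;           # gcr-ssh-agent.socket (gcr-4)
    */keyring/ssh)               echo "gnome-keyring" ;; # legacy gnome-keyring agent
    */gnupg/S.gpg-agent.ssh)     echo "gpg-agent" ;;     # gpg-agent with enable-ssh-support
    /tmp/ssh-*/agent.*)          echo "openssh" ;;       # stock ssh-agent started per session
    *)                           echo "unknown" ;;
  esac
}

# Human-readable report: which agent is active and whether it already holds
# unlocked keys (that is the condition that suppresses the passphrase prompt).
report_agent() {
  kind=$(classify_agent_socket "${SSH_AUTH_SOCK:-}")
  echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>} -> $kind"
  if [ "$kind" = "none" ] || ! command -v ssh-add >/dev/null 2>&1; then
    return 0
  fi
  # ssh-add -l exits 0 with identities, 1 when the agent holds none,
  # 2 when the socket is not answering.
  if out=$(ssh-add -l 2>/dev/null); then
    echo "agent already holds unlocked identities (no prompt will appear):"
    echo "$out"
  elif [ $? -eq 1 ]; then
    echo "agent reachable but holds no identities; a passphrase prompt is expected"
  else
    echo "socket present but no agent is answering on it"
  fi
}

# Run the report when executed directly (not when sourced for testing).
[ "${0##*/}" = "agent-check.sh" ] && report_agent
```

Run it in the same desktop session that is skipping the prompt; if the socket classifies as gcr while gcr-ssh-agent.socket shows inactive, something else in the session (for example a leftover export in your shell profile) is still pointing SSH_AUTH_SOCK at that path.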
I found that both the gpg and gcr implementations are much slower than ssh-agent. There is a noticeable delay whereas ssh-agent is instantaneous. One of my workflows where this is a problem is rebasing a long git commit history. We use ssh based signatures to sign commits, and this takes ages along with high cpu usage when using the other wrappers. ssh-agent is instant, with no visible cpu usage. For this reason I stopped using them.