Tumbleweed Plasma Autoload SSH Keys?

Hi,

I broke my gnome environment with the last zypper dup and now switched to plasma.

(Some context: Tumbleweed spiraling down... Repair display manager?)

I often connect to remote servers with ssh public key authentication and on gnome I did not have to give my passphrase for that. Some automatic mechanism loaded the keys for me.

On Plasma/Wayland that doesn’t work:

  • After reboot, an ssh command asks for the passphrase on the terminal. ssh-add says there is no ssh-agent running.
  • If I log out of plasma, start a gnome session and immediately close it and start a plasma session again, then start ssh, a gui asks for my passphrase.
  • If I log in to a gnome session after reboot and do a remote login with ssh, no ssh passphrase is needed. If I log out and log in with plasma now, there is also no passphrase required anymore.

It seems gnome does all the right things in background (start agent, load passphrase protected keys) and even shares this with later plasma sessions.

  1. Shouldn’t this work out of the box just with plasma?
  2. What is the proper way to set this up now?

I guess it has something to do with kwallet and pam and ssh-agent (or gpg-agent, I also use gpg keys) but I am not familiar enough with plasma to figure it out yet.

You can put a shell script in:

.config/plasma-workspace/env

to start ssh-agent. Maybe the command:

eval `ssh-agent -s`

would work for you.


ok thank you! That solves starting the agent. But how are the keys loaded?

I now have this script instead:

joachim@job5:~> cat ~/.config/plasma-workspace/env/start-ssh-agent.sh 
#!/bin/sh
SSH_ASKPASS=/usr/libexec/ssh/ksshaskpass
export SSH_ASKPASS
[ -n "$SSH_AGENT_PID" ] || eval "$(ssh-agent -s)"

with that the agent is loaded (I guess I can later change to gpg-agent).
But there are no keys loaded and ksshaskpass is not used if I start ssh on the command line.
SSH_ASKPASS is set and running ksshaskpass manually will ask for a passphrase. Something is missing to automate that.

There are options for the “ssh” command, that you can put in “.ssh/config”, so that $SSH_ASKPASS is automatically called as needed.

I don’t have the details, because I do things differently. But you can probably work it out using

man ssh
man ssh_config

Alternatively, you can use a shell script, with commands like

ssh-add /path/to/key < /dev/null

Use multiple commands to load multiple keys. Put that script in a standard place (I use “$HOME/bin”). And then create an autostart entry to run that on startup. There should be an autostart option in the settings GUI.

Not using .ssh/config but finally collected enough search terms to find this:

Needed to add this file to what I had:

joachim@job5:~> cat ~/.config/autostart/ssh-add.desktop
[Desktop Entry]
Exec=ssh-add -q
Icon=dialog-scripts
Name=ssh-add.sh
Type=Application
X-KDE-AutostartScript=true

After first reboot ksshaskpass asks for my passphrase. Select option to store it.
After second reboot: no more questions. Agent and keys are loaded with passphrase from kwallet.

I remember at some point gpg-agent was a drop-in replacement for ssh-agent and also handled gpg keys. Very handy, but it seems like that fell apart at some point. I tried this more current internet recipe but it doesn’t work as well:

in above ~/.config/plasma-workspace/env/start-ssh-agent.sh replace

[ -n "$SSH_AGENT_PID" ] || eval "$(ssh-agent -s)"

with

export GPG_TTY="$(tty)" 
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" 
gpg-connect-agent updatestartuptty /bye > /dev/null

Ideas?

I have used gpg-agent this way in the past. But it was a long time ago. I don’t have recent experience with it.

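For the gpg-agent variant asked about above, an added example (not code from any poster in this thread) of an env script that points SSH_AUTH_SOCK at gpg-agent only when its SSH emulation is switched on, and otherwise falls back to ssh-agent as in the working setup. It assumes gpg-agent's `enable-ssh-support` option is set in gpg-agent.conf and asks `gpgconf` for the socket path instead of hardcoding it; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: choose the SSH agent for a Plasma session.
# Meant to be sourced from ~/.config/plasma-workspace/env/ at login.

# Return 0 if the given gpg-agent.conf enables SSH agent emulation.
# Commented-out lines and a missing file count as "not enabled".
gpg_ssh_enabled() {
    [ -r "$1" ] &&
        grep -Eq '^[[:space:]]*enable-ssh-support([[:space:]]|$)' "$1"
}

# Print the socket gpg-agent serves SSH on; prints nothing without gpgconf.
gpg_ssh_socket() {
    command -v gpgconf >/dev/null 2>&1 &&
        gpgconf --list-dirs agent-ssh-socket
}

# Print "gpg" or "ssh": the agent this session should use.
# $1 = path to gpg-agent.conf, $2 = candidate socket path (may be empty).
choose_agent() {
    if gpg_ssh_enabled "$1" && [ -n "$2" ]; then
        echo gpg
    else
        echo ssh
    fi
}

setup_agent() {
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    sock="$(gpg_ssh_socket)"
    case "$(choose_agent "$conf" "$sock")" in
    gpg)
        # gpg-agent prompts through pinentry, not through SSH_ASKPASS.
        unset SSH_AGENT_PID
        SSH_AUTH_SOCK="$sock"
        export SSH_AUTH_SOCK
        gpgconf --launch gpg-agent
        ;;
    ssh)
        # Same fallback as the thread's script: start ssh-agent once.
        [ -n "$SSH_AUTH_SOCK" ] || eval "$(ssh-agent -s)" >/dev/null
        ;;
    esac
}

# When this file lives in ~/.config/plasma-workspace/env/, enable the call:
# setup_agent
```

After login, `ssh-add -l` shows which keys the selected agent holds.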