gnome bloat breaks ssh


pixel fairy

Oct 12, 2016, 8:21:09 AM
to qubes-devel
gnome-keyring runs in template VMs, breaking ssh on newer keys. see


and 


it seems silly to me to even be running all that background stuff. can we do without it? maybe a simple x session just running qubes window manager and ssh-agent?

Jean-Philippe Ouellet

Oct 12, 2016, 12:27:28 PM
to pixel fairy, qubes-devel
On Wed, Oct 12, 2016 at 8:21 AM, pixel fairy <pixel...@gmail.com> wrote:
> gnome-keyring runs in template VMs, breaking ssh on newer keys. see

(Sorry for duplicate reply, 1st email forgot to CC the list)

relevant: https://github.com/QubesOS/qubes-issues/issues/2351

As best I can gather, gnome-keyring is currently being hard-coded to
autostart because it is perceived as a dependency of nm-applet:
https://github.com/QubesOS/qubes-gui-agent-linux/blob/master/appvm-scripts/usrbin/qubes-session#L43-L45

That said... I am running without gnome-keyring and nm-applet still
works fine... so... ¯\_(ツ)_/¯

pixel fairy

Oct 12, 2016, 11:18:18 PM
to qubes-devel, pixel...@gmail.com
On Wednesday, October 12, 2016 at 12:27:28 PM UTC-4, Jean-Philippe Ouellet wrote:
> On Wed, Oct 12, 2016 at 8:21 AM, pixel fairy <pixel...@gmail.com> wrote:
> > gnome-keyring runs in template VMs, breaking ssh on newer keys. see
> ...
>
> That said... I am running without gnome-keyring and nm-applet still
> works fine... so... ¯\_(ツ)_/¯

how did you disable it? just comment it out in your template? do you have ssh-agent working?

Jean-Philippe Ouellet

Oct 12, 2016, 11:39:44 PM
to pixel fairy, qubes-devel
On Wed, Oct 12, 2016 at 11:18 PM, pixel fairy <pixel...@gmail.com> wrote:
> how did you disable it? just comment it out in your template?

Yes. And remove the xdg-autostart entry for it too.

> do you have ssh-agent working?

Yes. I am starting it via xdg-autostart using a wrapper which writes
the reported SSH_{AUTH_SOCK,AGENT_PID} env vars to
/tmp/qubes-session-env, which then gets sourced on shell init by
/etc/profile.d/qubes-session.sh.
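
The wrapper approach described in the message above, as an added example that is not Jean-Philippe's script or Qubes code: it starts `ssh-agent`, validates the two reported values, and writes them to the env file for the profile.d side to source. The function names `write_session_env` and `load_session_env` are hypothetical, and the value validation, private temp file and ownership check are assumptions added here because the file lives in shared `/tmp` and is sourced by every shell.

```shell
#!/bin/sh
# Added example, not the thread author's script. ENV_FILE defaults to the path
# named in the thread; the function names below are hypothetical.
ENV_FILE="${ENV_FILE:-/tmp/qubes-session-env}"

# Read `ssh-agent -s` output on stdin; write only validated assignments to $1.
write_session_env() {
    out=$(cat)
    sock=$(printf '%s\n' "$out" | sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p')
    pid=$(printf '%s\n' "$out" | sed -n 's/^SSH_AGENT_PID=\([^;]*\);.*/\1/p')
    # The file is sourced on shell init, so accept only a plain absolute path
    # and a numeric PID rather than copying agent output verbatim.
    case "$sock" in
        /*) ;;
        *) return 1 ;;
    esac
    case "$sock" in
        *[!A-Za-z0-9/._-]*) return 1 ;;
    esac
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    # /tmp is shared: write a private temp file, then rename it into place.
    tmp=$(umask 077; mktemp "$1.XXXXXX") || return 1
    printf 'export SSH_AUTH_SOCK=%s\nexport SSH_AGENT_PID=%s\n' "$sock" "$pid" > "$tmp"
    mv -f "$tmp" "$1"
}

# What /etc/profile.d/qubes-session.sh could call: source the file only if it
# is a regular file (not a symlink) owned by the current user.
load_session_env() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    . "$1"
}

# As the xdg-autostart command: invoke this script with --start.
if [ "${1:-}" = "--start" ]; then
    ssh-agent -s | write_session_env "$ENV_FILE"
fi
```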

pixel fairy

Oct 13, 2016, 12:18:04 AM
to qubes-devel, pixel...@gmail.com
i was going to ask for your scripts, but, why not pull request it? just change the call to gnome-keyring-daemon to leave out ssh and gpg (for sake of the split-gpg thing)

Jean-Philippe Ouellet

Oct 13, 2016, 12:41:22 AM
to pixel fairy, qubes-devel
On Thu, Oct 13, 2016 at 12:18 AM, pixel fairy <pixel...@gmail.com> wrote:
> i was going to ask for your scripts, but, why not pull request it? just
> change the call to gnome-keyring-daemon to leave out ssh and gpg (for sake
> of the split-gpg thing)

See
https://github.com/QubesOS/qubes-issues/issues/2351#issuecomment-251553023
and
https://github.com/jpouellet/qubes-gui-agent-linux/commit/e0d8bf974dbb340a7db6674ed6b9d8cb82c8a0bc

But I still don't understand the interactions of all relevant
components well enough to be confident I'm not breaking things for
other people.

I like to know what I'm doing before trying to upstream stuff. I'm
slowly reading my way through the qubes docs, various
design/architecture rationale threads, and the implementations of
various qubes subsystems, but free time remains eternally scarcer than
one might wish ;)

pixel fairy

Oct 13, 2016, 4:33:12 AM
to qubes-devel, pixel...@gmail.com
I'm glad you did as much as you did. i applied your patch, but instead of deleting the call to gnome-keyring, i just added "--components=secrets,pkcs11" to make it ignore ssh. just did it, just rebooted some qubes, sshed using the ssh agent with an ed25519 key to make sure it all works.