Storing SSH Key Passphrases on Kubuntu

November 29, 2018
Kubuntu KDE Ubuntu SSH

TL;DR

Storing your SSH key passphrases in the KWallet on Kubuntu is simple, albeit not as streamlined as with the GNOME Keyring. To do so, create an executable file ~/.config/autostart-scripts/ssh-add.sh with the following content:

#!/bin/bash
ssh-add </dev/null

To include more keys beyond the default ~/.ssh/id_rsa, add each as an argument, e.g. ssh-add $HOME/.ssh/key1 $HOME/.ssh/key2 </dev/null.

Execute the file or re-login to receive a prompt to store the passphrase in KWallet.

Explanatory Walkthrough

Background

In my Linux desktop journey over the last few years I’ve switched from Kubuntu to Ubuntu GNOME to the GNOME-based POP!_OS and now back to Kubuntu.

I’m really happy with the recent switch. I find the KDE Plasma desktop experience much more natural. Admittedly, this could be due to extensive past & workplace Windows use rather than something inherent to Plasma & GNOME. Either way, I could never get into the GNOME workflow and anticipate staying with Kubuntu for a while.

One nice feature of GNOME was the automatic manner in which SSH key passphrases are added to the GNOME Keyring. On first usage of the passphrase, it is stored.

Plasma uses the similar KWallet (or KDE Wallet Manager); however, storing passphrases is not quite so seamless.

To figure it out, I followed these instructions from the Arch Linux Wiki. In the rest of this post I will apply these instructions to Kubuntu with explanation.

Prerequisites

The Arch Linux article specifies the following prerequisites:

  1. SSH agent is up and running
  2. ksshaskpass package is installed
  3. SSH_ASKPASS environment variable is set to ksshaskpass

With the default Kubuntu install (confirmed with v18.04) the first two are already satisfied while the third is not necessary.

To clarify the third: by default SSH_ASKPASS is not set, in which case the ssh-add command falls back to ssh-askpass. On Kubuntu this is linked to ksshaskpass. You can confirm using update-alternatives:

update-alternatives --list ssh-askpass
# /usr/bin/ksshaskpass

Autostart Script

Shell scripts created in ~/.config/autostart-scripts/ will execute at login, exactly what is needed for this use case.

Create a file (or symlink) here, for example:

vim ~/.config/autostart-scripts/ssh-add.sh

Add the following content:

#!/bin/bash
ssh-add </dev/null

Save, close & make the file executable:

chmod +x ~/.config/autostart-scripts/ssh-add.sh

The simplest case above works only for the default key ~/.ssh/id_rsa. To include all keys, provide each as a parameter to the command, e.g. ssh-add $HOME/.ssh/key1 $HOME/.ssh/key2 </dev/null. Note that the redirect </dev/null is used to ensure ksshaskpass is used (although this should only be required if executing from the terminal).

The only thing left is to save the passphrase in the KWallet. This can be done either by executing the script from the terminal or logging out and then back in. A prompt will appear. Enter the passphrase, opt to remember it, and click OK.

image: KWallet save passphrase.

Now the passphrase will be read from KWallet at each login and added to the SSH Agent, no passphrase re-entry required.
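
The walkthrough's autostart script, generalized to load every private key in ~/.ssh instead of naming each path, as an added example that is not part of the original post. The function names and the first-line header check used to recognise key files are assumptions of this example; ssh-add, SSH_AUTH_SOCK and the </dev/null redirect are used as described above.

```bash
#!/bin/bash
# Added example, not from the original post. Written in POSIX sh syntax.

# Succeeds when file $1 starts with a PEM/OpenSSH private-key header.
# Public keys, config, known_hosts and empty files do not match.
is_private_key() (
    [ -f "$1" ] && [ -r "$1" ] || exit 1
    first=
    # read fails on a file without a trailing newline but still fills $first
    IFS= read -r first < "$1" || [ -n "$first" ] || exit 1
    case $first in
        '-----BEGIN '*'PRIVATE KEY-----') exit 0 ;;
    esac
    exit 1
)

# Succeeds when SSH_AUTH_SOCK names an existing socket (prerequisite 1).
agent_available() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Add every private key found in $1 (default ~/.ssh) to the running agent.
main() {
    dir=${1:-$HOME/.ssh}
    if ! agent_available; then
        echo "ssh-add.sh: no ssh-agent socket in SSH_AUTH_SOCK" >&2
        return 1
    fi
    set --    # reuse "$@" as the list of key paths (safe for spaces)
    for f in "$dir"/*; do
        if is_private_key "$f"; then set -- "$@" "$f"; fi
    done
    if [ "$#" -eq 0 ]; then
        echo "ssh-add.sh: no private keys in $dir" >&2
        return 1
    fi
    # stdin from /dev/null makes ssh-add prompt through ssh-askpass
    # (ksshaskpass on Kubuntu), which offers to remember the passphrase.
    ssh-add "$@" </dev/null
}

main "$@" || echo "ssh-add.sh: finished with errors" >&2
```

Every file that passes the header check is handed to the agent, so keep keys you do not want loaded at login outside that directory.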