How to disable the keyring for SSH and GPG?


Solution 1

First duplicate the file /etc/xdg/autostart/gnome-keyring-ssh.desktop into ~/.config/autostart/.

Then edit ~/.config/autostart/gnome-keyring-ssh.desktop in order to remove the following line:

NoDisplay=true

and to add the following line at the end:

X-GNOME-Autostart-enabled=false

This should disable SSH management when you restart your session. To disable GPG, do the same with the file /etc/xdg/autostart/gnome-keyring-gpg.desktop.
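
The steps from Solution 1 as a re-runnable shell function (an added example, not part of the original answer). The function names and the optional source and destination directory arguments are assumptions of this example; the file names and keys are the ones given above.

```shell
#!/bin/sh
# disable_keyring_component COMPONENT [SRC_DIR] [DEST_DIR]
#   COMPONENT is "ssh" or "gpg". The directory arguments are an assumption of
#   this example so the function can be tried on copies of the files first.
disable_keyring_component() {
    component=$1
    src_dir=${2:-/etc/xdg/autostart}
    dest_dir=${3:-$HOME/.config/autostart}
    name="gnome-keyring-$component.desktop"

    case $component in
        ssh|gpg) ;;
        *) echo "unsupported component: $component" >&2; return 2 ;;
    esac
    if [ ! -f "$src_dir/$name" ]; then
        echo "no such autostart entry: $src_dir/$name" >&2
        return 1
    fi

    mkdir -p "$dest_dir" || return 1
    tmp=$(mktemp "$dest_dir/.$name.XXXXXX") || return 1
    # Drop NoDisplay=true and any earlier enabled/disabled setting, then
    # append the disabling key once, so re-running yields the same file.
    # Assumes the file has a single [Desktop Entry] group.
    {
        grep -v -e '^NoDisplay=true$' -e '^X-GNOME-Autostart-enabled=' "$src_dir/$name"
        echo 'X-GNOME-Autostart-enabled=false'
    } > "$tmp" && mv "$tmp" "$dest_dir/$name"
}

# Succeeds only if the per-user override for COMPONENT exists and disables it.
keyring_component_disabled() {
    grep -qx 'X-GNOME-Autostart-enabled=false' \
        "${2:-$HOME/.config/autostart}/gnome-keyring-$1.desktop" 2>/dev/null
}

# Typical use, followed by logging out and back in:
#   disable_keyring_component ssh && keyring_component_disabled ssh
#   disable_keyring_component gpg && keyring_component_disabled gpg
```
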

Solution 2

In a terminal session (using Ctrl-Alt-T) you can stop the gnome-keyring process from working with ssh by using:

unset SSH_AUTH_SOCK 

The --no-use-agent option is available to gpg to avoid using the gnome-keyring process with gpg, however that is the default.

You can stop the nautilus seahorse-tool from using the gpg-agent by using:

rm `echo $GPG_AGENT_INFO | sed s/:0:1//`

You can stop the gnome-keyring process completely with the command:

kill $GNOME_KEYRING_PID

Each of the above actions is restored by logging in again.


Wifi passwords available to all userids are stored in the /etc/NetworkManager/system-connections/ directory rather than being stored in your gnome keyring, so they can remain available if you kill the gnome-keyring process.

The ssh-add command can be used to delete (or add) specific keys from/to the current gnome-keyring while the keyring process is running.

Individual key passwords can be deleted from the login or other keyring using the Passwords tab of the Passwords and Keys program (seahorse).

If the gnome-keyring isn't present, ssh-agent will still be running, but it doesn't store gpg keys.


There are two lines in /etc/pam.d/lightdm involved with saving the login password and starting the gnome-keyring-daemon with the login keyring unlocked with the login password. The second starts the daemon:

session optional        pam_gnome_keyring.so auto_start

Commenting out just this line would stop it from starting for all sessions of all users of your system using the login password to unlock the login keyring.

/etc/xdg/autostart/ contains start entries for various categories of secrets gnome-keyring can handle. To stop the daemon from starting these components these files can be moved out of this directory. You can move all the gnome-keyring-* files to stop the daemon from starting or can simply refuse to supply the login password again to disable the login keyring while leaving the daemon running.

Solution 3

To stop gnome-keyring from starting its (broken) SSH agent on Ubuntu 16.04:

mkdir -p ~/.config/upstart
echo manual > ~/.config/upstart/gnome-keyring-ssh.override

# This step can be done with the gnome-session-properties tool
mkdir -p ~/.config/autostart
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart
echo 'X-GNOME-Autostart-enabled=false' >> ~/.config/autostart/gnome-keyring-ssh.desktop

Solution 4

With the current version of Ubuntu, changing the .desktop file mentioned in other answers is not sufficient anymore. An additional upstart job was added that also starts gnome-keyring-daemon. The file is located in /usr/share/upstart/sessions/gnome-keyring.conf and contains:

eval "$(gnome-keyring-daemon --start)" >/dev/null
initctl set-env --global SSH_AUTH_SOCK=$SSH_AUTH_SOCK
initctl set-env --global GPG_AGENT_INFO=$GPG_AGENT_INFO

Here the daemon needs to be restricted to only provide some services by adding --components=pkcs11,secrets to the command line. The initctl lines can also be removed, resulting in:

eval "$(gnome-keyring-daemon --start --components=pkcs11,secrets)" >/dev/null

Author: brodul

Updated on September 18, 2022

Comments

  • brodul over 1 year

    How to disable the keyring for SSH and GPG?

    I would like to keep the keyring for the wifi and other stuff. I'm using Ubuntu 12.04.

    • Deepak Verma almost 12 years
      Can't you simply decline to save those passwords on the keyring? For standard ssh, it won't save the password unless you set it up that way specifically, in my experience.
    • brodul almost 12 years
      I don't know. Is there a way to reset the keyring? To test it? The title in the topic had Ubuntu 12.04 LTS in it, but @jorge-castro changed it.
    • Jorge Castro almost 12 years
      Keyring hasn't changed much in a while, but I added it to the question for clarity, no need for it to clutter the title though as the answer will likely apply to multiple versions.
    • Stephane about 6 years
      Sorry for the noob question, but what is your motivation for disabling keyring for SSH?
    • phil294 over 4 years
      @Stephane I can't speak for OP but I do not want information so critical exposed in any way. I would rather input my ssh key password every time I am connecting to some server, than the keyring storing it, allowing any program and every person in my user space arbitrary ssh access. This doesn't make sense for everyone else, of course, but imo the motivation here is understandable
  • brodul almost 12 years
    unset SSH_AUTH_SOCK works. Tnx. Is there a way to unset it for all sessions? I use Enigmail for Thunderbird and there is a problem with enigmail (it doesn't forget the password).
  • brodul almost 12 years
    Is there a way to disable the keyring at startup? (I really don't want to write a script killing the keyring).
  • John S Gruber almost 12 years
    I've edited the answer with some more information that may be helpful, however it may be better to ask for an Enigmail circumvention directly in a separate question, being explicit about what you want.
  • brodul over 11 years
    Tnx, this finally solves the problem.
  • unhammer about 10 years
    You can flush the keyring (forget your passwords, both gpg and ssh and others) by doing gnome-keyring-daemon -r -d. This is a simple way of restarting the daemon. One possible problem is that if it wasn't running in the first place, it'll start up (I don't know a good way of only restarting it if it's already running, except parsing ps :/)
  • dolmen almost 8 years
    How can I override this file per user without modifying the system file?
  • dolmen almost 8 years
    Changing a system file is a bad practice. See my own answer.
  • dragon788 over 6 years
    I see that your last line is utilizing the fact that /usr/share/upstart/sessions/gnome-keyring-ssh.conf looks for that line and exits immediately before exporting the SSH_AUTH_SOCK, I think that you don't need the ~/.config/upstart file/directory if you also append Hidden=true to the .desktop file. This basically masks the "real" (system) shortcut from all desktops, even those it might normally apply to like GNOME/Unity. I'll be testing this shortly as I've been looking for a clean way to disable gnome-keyring-ssh without affecting the other functions.