[[!meta date="2015-07-03 22:39:00"]]
[[!meta title="Expiring the GNOME keyring daemon's SSH keys cache"]]
[[!tag  imported_PyBlosxom tech debian]]

The GNOME keyring is very convenient; it figures out what keys you need
to unlock and pops up the relevant dialogs to do so at the right times.
But by default it caches them until you log off. You can have caches of
PGP passphrases expire:

    gsettings set org.gnome.crypto.cache gpg-cache-ttl 300
    gsettings set org.gnome.crypto.cache gpg-cache-method 'timeout'

but per [this bug](https://bugzilla.gnome.org/show_bug.cgi?id=525574)
you can't do the same for SSH keys.\[1\] An alternative is to check for
X11 activity using the `xprintidle` utility, and clear all keys when the
user has been idle for five minutes. This script does that:

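    #!/bin/sh
    # Clear every key from the SSH agent once the X11 session has been
    # idle for five minutes (xprintidle reports idle time in milliseconds).

    while true; do
        # Treat a failed xprintidle (e.g. no DISPLAY) as "not idle".
        idle=$(xprintidle 2>/dev/null) || idle=0
        if [ "${idle:-0}" -ge 300000 ]; then
            ssh-add -D 2>/dev/null
        fi
        sleep 300
    done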

I've got Xfce running `pkill -u $USER /path/to/this/script;
/path/to/this/script &` as part of its startup sequence.
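The script above can leave keys loaded for close to ten minutes of idleness, because a check that lands just before the five-minute mark is followed by another 300-second sleep. As an added example (not part of the original post), this variant sleeps only until the threshold can next be reached; `RECHECK_S`, `is_uint`, `plan`, `watch_idle` and the `--watch` argument are names chosen here.

```shell
#!/bin/sh
THRESHOLD_MS=300000   # five minutes idle, as in the post
RECHECK_S=60          # assumption: how often to re-clear while still idle

# is_uint VALUE: succeeds only for a non-empty string of decimal digits.
is_uint() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
}

# plan IDLE_MS: prints "ACTION SECONDS".
#   clear N : threshold reached, flush the agent, look again in N seconds
#   wait N  : not idle long enough; the threshold can be reached in N seconds
plan() {
    if ! is_uint "$1"; then
        echo "wait $RECHECK_S"       # xprintidle failed (e.g. no DISPLAY)
    elif [ "$1" -ge "$THRESHOLD_MS" ]; then
        echo "clear $RECHECK_S"
    else
        # Round up so the next check never lands just before the threshold.
        echo "wait $(( (THRESHOLD_MS - $1 + 999) / 1000 ))"
    fi
}

watch_idle() {
    while true; do
        # Split "ACTION SECONDS" into $1 and $2.
        set -- $(plan "$(xprintidle 2>/dev/null)")
        [ "$1" = clear ] && ssh-add -D 2>/dev/null
        sleep "$2"
    done
}

# Only loop when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--watch" ]; then
    watch_idle
fi
```

Any input during the sleep resets the idle counter, so the next `plan` call simply schedules a fresh wait.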

Notes
=====

\[1\] You can just turn off the SSH key handling of gnome-keyring-daemon,
though I'm not sure this works in all versions of gnome-settings-daemon
in circulation. The gconf boolean key might be
`/apps/gnome-keyring/daemon-components/ssh`.