When I migrated my workstation to Linux, one important tool was the password manager. I use KeePass, so there are two options around:
- KeePassX 2, a native Linux client for .kdbx files: https://www.keepassx.org/downloads
- KeePass 2, the official KeePass client as Mono application: http://keepass.info/help/v2/setup.html#mono
I tried both. On KDE, KeePassX integrates more nicely into the Linux desktop, while KeePass on Mono looks and feels a bit foreign. But the lack of features like auto open and plugins made me ditch KeePassX quite fast. Two important plugins for me are KeePassHttp, which integrates KeePass with Chrome as a password manager, and KeeAgent, which automatically registers SSH keys with passphrases with a running SSH agent.
Setting up KeeAgent was a bit tricky and all instructions I found on the internet were incomplete, so I’ll share how I did it (on Arch Linux with keepass-plugin-keeagent-beta 0.9.1-1). There are two ways to use the plugin: as a client for an existing SSH agent or as a standalone SSH agent. I chose client mode to always have an SSH agent available.
Register a systemd service to run ssh-agent on startup
- Add the following line to ~/.bashrc (or another script that runs on startup):
    export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"
This way we’ll always have the environment variable for the socket available. We will use this fixed socket in the service below.
- Create a file ~/.config/systemd/user/ssh-agent.service:
    [Unit]
    Description=SSH key agent
    Wants=environment.target
    Before=environment.target
    IgnoreOnIsolate=true

    [Service]
    Type=forking
    # %t expands to the user's runtime directory ($XDG_RUNTIME_DIR)
    Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
    ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK
    # Write the agent's PID and socket path to a file the KeePass launcher can source.
    # ps pads the PID with a varying number of spaces, so strip all of them.
    ExecStartPost=/bin/sh -c "/usr/bin/ps --no-headers -o pid -C ssh-agent | sed 's/^ */export SSH_AGENT_PID=/' > ~/ssh-agent.properties"
    ExecStartPost=/bin/sh -c "echo export SSH_AUTH_SOCK=$SSH_AUTH_SOCK >> ~/ssh-agent.properties"
    ExecStartPost=/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=${SSH_AUTH_SOCK}
    #ExecStop=/usr/bin/ssh-agent -k
    ExecStopPost=/bin/rm ${SSH_AUTH_SOCK}

    [Install]
    WantedBy=default.target
I used these configurations as example:
- https://wiki.archlinux.org/index.php?title=SSH_keys&redirect=no#SSH_agents
- https://github.com/zoqaeski/systemd-user-units/blob/master/user/ssh-agent.service
The difference is that I extract the process ID and write it to a file, ~/ssh-agent.properties. I could not make the environment variable SSH_AGENT_PID globally available, but we’ll need it later.
- Enable and start the service:
    systemctl --user enable ~/.config/systemd/user/ssh-agent.service
    systemctl --user start ssh-agent
Set up KeePass
- In the shortcut to start KeePass (the desktop icon), change the executable from
    keepass
  to
    source ~/ssh-agent.properties && keepass
  so that KeePass knows the process ID of the SSH agent.
- In Tools > Options > KeeAgent, set “Agent Mode” to “Client”
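The launcher above sources ~/ssh-agent.properties unconditionally, so anything able to write that file runs commands as you whenever KeePass starts. As an added example (not part of the original setup; the function names are hypothetical and GNU stat is assumed), this POSIX shell helper sources the file only if it is owned by you, not writable by group or others, and contains nothing but the two expected export lines:

```shell
#!/bin/sh
# Added example (function names are hypothetical): validate the file written
# by ssh-agent.service before a launcher sources it. Assumes GNU stat (Linux).

# Returns 0 if FILE is a regular file owned by us, not writable by group or
# others, and contains only the two export lines the unit is expected to write.
check_agent_props() {
    _f=$1 _pid=0 _sock=0
    [ -f "$_f" ] && [ ! -L "$_f" ] || return 1                # no symlinks
    [ "$(stat -c %u "$_f")" = "$(id -u)" ] || return 1        # owned by us
    [ $(( 0$(stat -c %a "$_f") & 022 )) -eq 0 ] || return 1   # no g/o write bit
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in
            'export SSH_AGENT_PID='*)
                _v=${_line#"export SSH_AGENT_PID="}
                case $_v in ''|*[!0-9]*) return 1 ;; esac     # digits only
                _pid=1 ;;
            'export SSH_AUTH_SOCK=/'*)
                _v=${_line#"export SSH_AUTH_SOCK="}
                case $_v in *[!A-Za-z0-9._/-]*) return 1 ;; esac  # plain path only
                _sock=1 ;;
            '') ;;                                            # blank lines are fine
            *) return 1 ;;                                    # anything else: reject
        esac
    done < "$_f"
    [ "$_pid" -eq 1 ] && [ "$_sock" -eq 1 ]
}

# Returns 0 if PATH is a Unix socket owned by the current user.
check_agent_socket() {
    [ -S "$1" ] && [ "$(stat -c %u "$1")" = "$(id -u)" ]
}

# Source the properties file only after it passed validation.
load_agent_props() {
    check_agent_props "$1" || { echo "refusing to source $1" >&2; return 1; }
    . "$1"
}
```

With these functions saved in a file the launcher sources first, the shortcut command becomes load_agent_props ~/ssh-agent.properties && keepass.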
Enjoy!
Image: ccPixs.com (CC-BY 2.0)