SSH Agent Forwarding in Ubuntu's Gnome

It's been over two years since the bug was opened and the SSH agent built into gnome-keyring still does not support constrained identities, particularly the confirmation constraint.

If you are forwarding your SSH agent connection through an intermediate (or bastion) host and the intermediate host is compromised (or has an untrustworthy admin), your forwarded agent connection could be hijacked and your key could be used to access other hosts without your knowledge.  Therefore, when forwarding an SSH agent, it's important that your agent asks for confirmation before the key is used.  That way you will be alerted if your agent is used by someone else to access your key.

Because the SSH agent component in gnome-keyring does not support confirmation dialogs, it should be disabled if you want to use SSH keys in this way.  In order to do that, you must use gconf:

$ gconftool-2 --set -t bool /apps/gnome-keyring/daemon-components/ssh false

If that were the only bug in GNOME, the ssh-agent from openssh would take over on your next login and everything would be fine.  However, if you have seahorse-plugins installed (you probably do), you'll run into this bug.  The Xsession script provided by seahorse-plugins abuses a variable that is supposed to be available to all Xsession scripts, and in doing so, prevents ssh-agent from running.  You could edit the file to fix it, but it's perhaps better to just add another file that undoes the damage.  As root:

# cat > /etc/X11/Xsession.d/60seahorse-plugins-fix <<EOF
# This file is sourced by Xsession(5), not executed.
OPTIONS=$(cat "$OPTIONFILE") || true

Once that is done, you can add "/usr/bin/ssh-add -c" to your gnome startup items.

Tags: code

Yubikey and Dvorak

The Yubikey is an authentication key suitable for use in multi-factor systems and is significantly cheaper and easier to work with than other hardware authentication keys.  The authentication server and several clients (including PAM) are available as Free Software.


The device presents itself to the host as a USB keyboard, and when you press (short or long -- it has two memory slots) the button (it's capacitive -- no moving parts) it "types" the authentication token.  This is very convenient, as long as your system and the Yubikey agree on the keyboard layout.

If you have a Dvorak keyboard, that is unlikely to be the case.  As of 1.8 it is easy to use a Yubikey with a Dvorak keyboard by adding a section to your xorg.conf.  Of course, you might not have an xorg.conf anymore since almost everything is autodetected, but it's still supported for those exceptional cases like this.  The following instructs X to use the "basic" keyboard variant ("dvorak" is a variant) when the Yubikey is inserted.

Section "InputClass"
Identifier "yubikey"
MatchIsKeyboard "on"
MatchVendor "Yubico"
MatchProduct "Yubico Yubikey II"
Driver "evdev"
Option "XkbRules" "evdev"
Option "XkbModel" "pc105"
Option "XkbLayout" "us"
Option "XkbVariant" "basic"

Update: Just don't leave it plugged in when X first starts.

Tags: security code


If you ever see this chuckwagon, eat there.


They have some of the best barbecue I've ever had.  Ever.

The sign appears to say "BBQ Ribs".  But look closer, it's two signs. "BBQ".  "Ribs".  They serve all kinds, including pulled pork.  Oh, and the sweet tea is just right.

You can see the smoker hanging off the back of the wagon, and they haul the whole thing behind the truck (plus camper) visible on the left.

They operate out of Colorado, traveling around to festivals, dog shows, and other events during warm weather (it's not a cold-weather wagon).  We encountered them in Moab, Utah, setting up for Jeep Safari week (just as we were getting out of town).  On our way out we must have seen hundreds of Jeeps on the highway (many being towed) heading the other direction.

Tags: travel food

James E. Blair

I love hacking Free Software and have been fortunate to do so professionally with some wonderful people and organizations throughout my career. This is my blog.