On my Ubuntu (17.04) desktop, GNOME keyring (GK) aka "Seahorse" has my SSH private key (~/.ssh/id_rsa) loaded in. The key is protected by a password and GK prompts me for a password to unlock it after logging out of my session (e.g. after rebooting my box).
So far so good, but in order to improve security I'd rather get prompts a little more often, e.g. after the computer is unlocked, which would also catch resuming from sleep/hibernation. This might help mitigate attacks against a laptop stolen while suspended.
Is there a way to achieve this? A time-based setting similar to ssh-add -t <duration> would also work.
Bonus: I have to say I don't fully understand the relationship between GK and ssh-agent (despite trying to parse the available documentation). Considerations on whether using GK in this scenario is a serious security risk are also welcome. Cheers!
No. It is not possible to do that using gnome-keyring. It has ssh-store, which picks up the default SSH identities and unlocks them on the first use. There is no way to get them "locked" again on the event of locking the screen.

gnome-keyring is just implementing the ssh-agent interface. gnome-keyring is an application written to be secure the same way as ssh-agent is; it just has limited functionality.
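A practical check that follows from the answer above (an added example, not part of the original question or answer): since gnome-keyring only implements the ssh-agent interface, the first thing to establish is which implementation is actually behind $SSH_AUTH_SOCK in your session, because a lifetime flag such as ssh-add -t is a feature of the agent you talk to, not of ssh-add itself. The script below classifies the socket by the path conventions the two implementations typically use (gnome-keyring under a keyring directory in the user runtime dir, OpenSSH's ssh-agent under /tmp/ssh-*/agent.<pid>) and then probes the live agent with ssh-add -l, mapping its documented exit codes (0 keys listed, 1 no identities, 2 cannot reach the agent) into words. The path patterns are assumptions about common installs, not guarantees; the function names are mine.

```sh
#!/bin/sh
# Added example, not code from the original post. Tell which ssh-agent
# implementation serves the current session and whether it answers.
# Socket path patterns below are assumptions about typical setups.

# Classify an agent socket path. Prints one of:
#   gnome-keyring, ssh-agent, none, unknown
agent_kind() {
    sock=$1
    case "$sock" in
        '')
            # SSH_AUTH_SOCK unset: ssh will not use any agent at all.
            echo none ;;
        */keyring/ssh|*/keyring-*/ssh)
            # gnome-keyring: $XDG_RUNTIME_DIR/keyring/ssh
            # (older releases used keyring-XXXXXX). Assumed pattern.
            echo gnome-keyring ;;
        /tmp/ssh-*/agent.*)
            # OpenSSH ssh-agent: /tmp/ssh-XXXXXXXXXX/agent.<pid>. Assumed pattern.
            echo ssh-agent ;;
        *)
            echo unknown ;;
    esac
}

# Map "ssh-add -l" exit status to a word.
# ssh-add(1): 0 = success, 1 = no identities/invalid, 2 = cannot contact agent.
agent_status_word() {
    case "$1" in
        0) echo loaded ;;
        1) echo empty ;;
        2) echo unreachable ;;
        *) echo error ;;
    esac
}

# Probe the live agent. Prints "<kind> <status>" on one line.
# Uses an if so that a non-zero ssh-add status survives "set -e".
probe_agent() {
    kind=$(agent_kind "${SSH_AUTH_SOCK:-}")
    if command -v ssh-add >/dev/null 2>&1; then
        if ssh-add -l >/dev/null 2>&1; then
            rc=0
        else
            rc=$?
        fi
        status=$(agent_status_word "$rc")
    else
        # ssh-add (OpenSSH client) not installed on this host.
        status=no-ssh-add
    fi
    echo "$kind $status"
}

# Stand-alone run: report on the current session.
probe_agent
```

If the report says gnome-keyring, the key lifetime is governed by gnome-keyring's ssh-store behaviour described in the answer; if it says ssh-agent, you are talking to OpenSSH's agent and ssh-add -t <duration> applies to keys you add to it. A result of "unknown" usually means some other agent (a forwarding socket, a hardware-token agent) and is worth investigating before trusting the lifetime semantics.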