Re: gnome-keyring spice ssh-agent forward

[Fabiano Fidêncio <fabiano fidencio org>]

On Tue, Sep 15, 2015 at 4:34 PM, Stef Walter <stefw gnome org> wrote:
> On 10.09.2015 18:07, Fabiano Fidêncio wrote:
> > Howdy!
> >
> > I've been working on a prototype that allows to do agent forward
> > between a guest, using SPICE, and a spice client
> > (remote-viewer/virt-viewer/spicy)
> > The whole idea is to have something similar to "ssh -A guest", but
> > integrated with the desktop environment.
> >
> > As a proof of concept I wrote a standalone ssh-agent that _unlink_ the
> > current running agent in the guest machine and creates its socket in
> > the same path used by the old agent. It works as you can see in these
> > small demo videos:
> > https://fidencio.fedorapeople.org/ssh-agent-forward/
> >
> > Now where the problem starts: doing this would break the desktop
> > integration with gnome-keyring (got as example gnome-keyring-daemon
> > --replace, that would overwrite my socket ...)
> >
> > So, what would be the best approach to still have spice ssh-agent
> > working and do _not_ break gnome-keyring integration? How can it be
> > extended to others DEs (I really don't want a gnome specific solution
> > for this)?
> >
> > For sure, what _must_ be implemented would be a way to talk to both
> > agents, the local one and the remote one, merging then the responses
> > and returning it to any application that talks to the agent. But how
> > to achieve this in a DE agnostic way?
>
> Should we automatically disable the gnome-keyring-daemon agent if an
> SSH_AUTH_SOCK is already set during startup?

This may be one option, but I don't think it is the best one :-)
A better option would be to have both running, maybe by adding support
to the protocol to deal with a second agent for limited purposes (as
just accessing the keys when connecting to some server)? But it must
be accepted by openssh people and I am not sure how hard it can be.

Best Regards,
-- 
Fabiano Fidêncio