I don't think the kernel keyring would work for ssh-agent or gpg-agent. The point of using an agent is *not* just providing dumb secret storage, but moving the actual crypto functions to the agent, so that the UIs (ssh, scp, gpg as of v2.1) won't *ever* deal with unlocked keys. (The agents usually set themselves as undumpable and untraceable to avoid key extraction by the same user's other processes.) If you make `ssh-add` just insert the decrypted key into a kernel keyring and `ssh <a href="http://example.com">example.com</a>` just retrieve it, you lose one of the most important features. Unless, of course, the kernel learns keyctl_ssh_{rsa,ecdsa,ed25519}_sign() or another similar interface that will always take 2-3 years to catch up every time the user space learns a new cipher or protocol... (I am reminded of plan9's Factotum, which was kind of like ssh-agent but part of the OS...) -- Mantas Mikulėnas <<a href="mailto:grawity@gmail.com">grawity@gmail.com</a>> // sent from phone <div class="gmail_quote">On Jun 27, 2014 4:19 PM, "Lennart Poettering" <<a href="mailto:lennart@poettering.net">lennart@poettering.net</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On Wed, 25.06.14 14:25, Anatol Pomozov (<a href="mailto:anatol.pomozov@gmail.com">anatol.pomozov@gmail.com</a>) wrote: Haya, > One of the weirdest decisions made by ssh/gpg developers is using > environment variables to pass information about agent processes. Why > don't they use some well-known location for the socket file like any > other application does? Currently I need to run the *-agent daemon > from user account, construct environment variables and propagate it to > other processes such as Gnome and terminals started by sshd.service. > It would be much nicer if *-agents created > /run/user/$uid/gpg-agent.socket that any program can use. Well, $XDG_RUNTIME_DIR is relatively young, and gpg/ssh are not. Also, the BSDs don't really have that. env vars are really awful for what they are doing, but then again, i'd fault UNIX for that, not them. $XDG_RUNTIME_DIR is simply our way to fix UNIX in this regard. > But I would love to see just one system daemon for all users without > the additional configuration steps. All I expect to start the service > is: > > sudo systemctl enable systemd-keyringd.socket > > After that 'ssh' 'gpg' should work without any configuration hustle. So, my strong suggestion would be that everything should just use the kernel keyring (as in keyctl(1)), and then gnome-keyring-daemon and suchlike are just frontends for that adding interactive password queries and things like that. And yeah, ssh/gpg should just use the keyring too, and nothing else. But of course this is not going to be easy, as the kernel keyring is a Linuxism, and ssh+gpg tend to be conservative with non-portable interfaces... Lennart -- Lennart Poettering, Red Hat _______________________________________________ systemd-devel mailing list <a href="mailto:systemd-devel@lists.freedesktop.org">systemd-devel@lists.freedesktop.org</a> <a href="http://lists.freedesktop.org/mailman/listinfo/systemd-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/systemd-devel</a> </blockquote></div>