Various hacks to support use of Ed25519 keys in OpenSSH.
authorMark Wooding <mdw@distorted.org.uk>
Sat, 8 Jul 2017 11:32:46 +0000 (12:32 +0100)
committerMark Wooding <mdw@distorted.org.uk>
Sat, 8 Jul 2017 11:32:46 +0000 (12:32 +0100)
  * New script `bin/add-ssh-keys' to load keys into the SSH agent in the
    right order, so that it prefers Ed25519 over RSA.

  * Don't use the `gnome-keyring' SSH agent, because it doesn't
    implement modern cryptography.  Because the Gnome developers have
    more important things to screw up.

bin/add-ssh-keys [new file with mode: 0755]
dot/bash_profile
setup

diff --git a/bin/add-ssh-keys b/bin/add-ssh-keys
new file mode 100755 (executable)
index 0000000..291a09e
--- /dev/null
@@ -0,0 +1,10 @@
+#! /bin/sh -e
+
+## An ugly hack: figure out the available SSH keys and feed them to the agent
+## in preference order, because the default order is wrong and there doesn't
+## seem to be any other way to fix this.
+unset ff
+for k in id_ed25519 id_rsa id_ecdsa id_dsa id_identity; do
+  if [ -f $HOME/.ssh/$k ]; then ff=$ff${ff+ }$HOME/.ssh/$k; fi
+done
+exec ssh-add $ff
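Review bot: The key list is built in `$ff` as a space-separated string and expanded unquoted in `[ -f $HOME/.ssh/$k ]` and `exec ssh-add $ff`, so a home directory path containing whitespace or glob characters would be split into the wrong arguments. Plain sh can carry the list in the positional parameters instead: start with `set --`, append with `set -- "$@" "$HOME/.ssh/$k"`, and finish with `exec ssh-add "$@"`. The `-e` on the `#! /bin/sh -e` line is lost when the script is run as `sh add-ssh-keys`, so a `set -e` line in the body would be more reliable. Separately, `id_dsa` is still in the list, which keeps a DSA key loaded in the agent; if that is there only for legacy hosts, a short comment saying so would help the next reader.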
index 2a47c68b62f41d9037fbabf5e97cf37510914177..47c408b3eda0ea9493b9b80315ea24c4ff2e9ecd 100644 (file)
@@ -246,7 +246,7 @@ if { { [ "$GNOME_KEYRING_CONTROL" ] &&
        [ -s "$GNOME_KEYRING_CONTROL" ]; } ||
      { [ "$DBUS_SESSION_BUS_ADDRESS" ] &&
        __mdw_programp gnome-keyring-daemon; }; } &&
-   stuff=$(gnome-keyring-daemon -s -c ssh,gpg 2>/dev/null)
+   stuff=$(gnome-keyring-daemon -s -c gpg 2>/dev/null)
 then
   eval "$stuff"
   export SSH_AUTH_SOCK GPG_AGENT_INFO
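Review bot: `export SSH_AUTH_SOCK GPG_AGENT_INFO` still names `SSH_AUTH_SOCK`, although the daemon is now started with `-c gpg` only and the `eval "$stuff"` output presumably no longer sets it. If the desktop session has already started gnome-keyring's SSH component, an inherited `SSH_AUTH_SOCK` would still point at that agent and this branch would pass it on unchanged. Whether anything later overrides it cannot be seen here, because the `if` starts before the hunk and continues after it. Consider exporting only `GPG_AGENT_INFO` in this branch, or adding a comment such as `## ssh component deliberately omitted; SSH_AUTH_SOCK is set elsewhere` so the leftover export is not mistaken for the agent still being in use.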
diff --git a/setup b/setup
index 0e62ac893ff9b4ee1e51597026186e0ec7e22568..a54108ce0d47781edc5fd01317c64732834b3f62 100755 (executable)
--- a/setup
+++ b/setup
@@ -266,6 +266,7 @@ scripts="
   run-with-shell-env
   start-ssh-agent
   start-ssh-pageant
+  add-ssh-keys
   svnwrap
   guest-console
   hyperspec"