x70b1 / pam_exec-ssh

Unlock SSH keys on login using PAM.

SSH Keys Only Added After Second Login After Reboot

aldenjenkins opened this issue · comments

For whatever reason, my ssh-agent does not populate the keys correctly during my first login after reboot, but when I log out and log back in, my ssh-agent correctly adds the keys as expected.

In other words,
ssh-add -l returns no values on my first login after reboot, but returns all expected values after my second login.

My ssh-agent is running as a user-specific systemd service; could it be that perhaps it's starting after the pam_exec command runs?

My system-local-login file:

#%PAM-1.0

session   required  pam_env.so
auth      include   system-login
account   include   system-login
password  include   system-login
session   include   system-login
auth     optional   pam_gnupg.so
auth     optional   pam_exec.so     expose_authtok /usr/bin/pam_exec-ssh
session  optional   pam_gnupg.so

My /etc/environment:

#
# This file is parsed by pam_env module
#
# Syntax: simple "KEY=VAL" pairs on separate lines
#
XDG_CONFIG_HOME=/home/alden/.config
XDG_DATA_HOME=/home/alden/.local/share
XDG_CACHE_HOME=/home/alden/.cache
XDG_RUNTIME_DIR=/run/user/1000
XAUTHORITY="${XDG_RUNTIME_DIR}/Xauthority"
SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/ssh-agent.socket"

Finally, I am running Arch.

commented

My ssh-agent is running as a user-specific systemd service; could it be that perhaps it's starting after the pam_exec command runs?

Yes, that could be the reason.

What kind of screenlocker do you use?

I use slock (suckless lock), but I don't know if that would make a difference.

commented

I use it with physlock like this:

#!/bin/sh

systemctl restart --user gpg-agent.service
systemctl restart --user ssh-agent.service

physlock

This script runs at startup and when I lock the screen.
If I restart the services, the cached password is gone and a fresh daemon starts. That's what you need. Otherwise the ssh-agent starts later with no cached password.

Do you use system-local-login for the PAM file that you add the pam_exec call to?

commented

I use /etc/pam.d/physlock which is distributed with physlock.
But the file should not make a difference. You can also use include to include other files.

As everything works except at startup, your PAM config is OK, I guess.

So in my case I guess it comes down to my user ssh-agent systemd service starting after the pam_exec function is called in system-local-login. I can't think of a way to get around this yet... herm.... :O

I simply have the systemd user service enabled, nothing special to it. I don't have a good mental model around when they are started relative to when PAM modules are run.

commented

Then run it before slock?

I haven't used slock in years; it doesn't have a PAM module.

commented

You said you use it?

I have it installed :)

I don't think it has an effect on loading systemd user files before PAM executes though, right?

commented

PAM is executed when you log in. slock changes nothing about that.
When a user service starts depends on other rules.

Exactly. slock has no effect on the cause of the bug :)

I am curious if you have any other suggestions, as I have no clue what could be causing this.

commented

Does your ssh-agent run before you log in the first time?

It starts whenever a normal systemd --user service starts.

When that happens is what I'm not sure of.

I haven't changed anything which would change the default start time.

commented

Then you have to fix it,
by starting the service manually or by enabling the service.

The service is enabled. The important point for this issue, again, is that I am doing everything correctly here.

You use a systemd user service for ssh-agent; so do I. What else could it be, in your mind?

commented

The point is that you don't know when the service starts. But it needs to be running before it can work.

Yes, and I was hoping you'd know of a way to diagnose it :) Either way, I've just found a solution. Running loginctl enable-linger 1000 (replace 1000 with your user ID) allows systemd user services to start on reboot before login.

Is this worth adding as a note somewhere on the readme?
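The race discussed in this thread (the pam_exec helper running before the user's ssh-agent service exists) is hard to tell apart from "agent up but no keys loaded", since both show up as an empty `ssh-add -l`. The following diagnostic script is an added example, not part of pam_exec-ssh or of the thread; it assumes OpenSSH's documented `ssh-add` exit codes (2 = cannot contact the agent, 1 = agent reachable but no identities) and that the agent socket path is the one exported via SSH_AUTH_SOCK.

```sh
#!/bin/sh
# Added diagnostic helper (not part of pam_exec-ssh): distinguishes "no agent
# yet" from "agent running, no identities" and waits a bounded time for the
# agent socket, so the startup race from the issue becomes visible.
# Assumption: ssh-add exits 0 with keys, 1 with no identities, 2 with no agent.

# classify_ssh_add_status EXIT_CODE -> keys | no-identities | no-agent | unknown
classify_ssh_add_status() {
  case "$1" in
    0) echo keys ;;
    1) echo no-identities ;;
    2) echo no-agent ;;
    *) echo unknown ;;
  esac
}

# wait_for_agent_socket PATH [TRIES] [INTERVAL_SECONDS]
# Returns 0 as soon as PATH is a unix socket, 1 if it never appears in time.
wait_for_agent_socket() {
  sock="$1"; tries="${2:-10}"; interval="${3:-1}"
  while [ "$tries" -gt 0 ]; do
    [ -S "$sock" ] && return 0
    tries=$((tries - 1))
    sleep "$interval"
  done
  return 1
}

# diagnose_agent [SOCKET]
# Waits for the socket (argument or SSH_AUTH_SOCK), runs `ssh-add -l` and
# prints the classified state. Exit 0 only when identities are loaded.
diagnose_agent() {
  sock="${1:-${SSH_AUTH_SOCK:-}}"
  if [ -z "$sock" ]; then
    echo "SSH_AUTH_SOCK is unset: pam_env has not exported it in this context" >&2
    return 1
  fi
  if ! wait_for_agent_socket "$sock" 10 1; then
    echo "no-agent: $sock never appeared; the user service started after PAM ran" >&2
    echo "hint: 'loginctl enable-linger <uid>' starts user services at boot" >&2
    return 1
  fi
  rc=0
  SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1 || rc=$?
  state=$(classify_ssh_add_status "$rc")
  echo "agent state: $state"
  [ "$state" = keys ]
}
```

Run `diagnose_agent` from the session that should have the keys; a `no-agent` result right after boot followed by `keys` on the second login reproduces the behaviour reported above.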

commented

I added an info to the README.md.