On Sat, Jul 5, 2014 at 9:41 PM, Chris Stankevitz <chrisstankev...@gmail.com> wrote: > > ssh is asking me for my passphrase using a terrible program called > "pinentry". It's terrible for a bunch of reasons, and if you are > interested you can just google "pinentry sucks". >
Probably more a case of "X11 sucks." Historically password entry into X11 windows has always been problematic, because in general any client connected to an X server can evesdrop on data entered into any other window on the server. That is especially problematic when you remember that X was supposed to work on a network. It isn't as bad on your typical desktop setup, but applications like pinentry are often designed with the network scenario in mind. Imagine that you're on an X terminal at work. You have clients connected to your terminal from 47 different servers that you administer. Maybe you have firefox open from a workstation you administer at customer A who is having firewall issues and you're trying to get a sense of what things look like from inside. Perhaps you have a mail client open on customer B's server. You punch in your password for customer B so that the mail client can retrieve your mail there, and now the trojaned firefox at customer A has your password credentials for customer B. So, you have things like the feature in xterm which captures all keyboard input so that you can enter a password securely, but it probably breaks things like copy/paste and you have to toggle it on/off since while it is on no other window on your server can listen to the keyboard. This wasn't really how X11 ended up being used, but back in the day it was how it was designed to work. Well, except for the part where X11 is crippled when you have more than a few milliseconds in latency, so nobody runs clients on remote servers. But, you still get all the baggage. I'm not familiar with the internals of pinentry, but this probably why you're frustrated with it. In any case, I suspect that gpg-agent is actually serving passwords to openssh, so the file you want is ~/.gnupg/gpg-agent.conf - it probably contains the line "pinentry-program /usr/bin/pinentry". If you trust all your X clients you can set the option no-grab in the file which will probably allow copy/paste/etc to work with the entry window. Rich