[gentoo-user] How does ssh know to use pinentry?

[Chris Stankevitz]

I am trying to ssh into a site using PKI.  I have a private key in my
.ssh directory that requires a passphrase.

ssh is asking me for my passphrase using a terrible program called
pinentry.  It's terrible for a bunch of reasons, and if you are
interested you can just google pinentry sucks.

pinentry is on my system because it is a dependency of gpg.  gpg is on
my system because I use thunderbird with +crypt (which is the
default).

Question:

By what mechanism does ssh know to use the program pinentry to
acquire my passphrase?

Thank you,

Chris

Re: [gentoo-user] How does ssh know to use pinentry?

[Rich Freeman]

On Sat, Jul 5, 2014 at 9:41 PM, Chris Stankevitz
chrisstankev...@gmail.com wrote:

 ssh is asking me for my passphrase using a terrible program called
 pinentry.  It's terrible for a bunch of reasons, and if you are
 interested you can just google pinentry sucks.


Probably more a case of X11 sucks.  Historically password entry into
X11 windows has always been problematic, because in general any client
connected to an X server can evesdrop on data entered into any other
window on the server.  That is especially problematic when you
remember that X was supposed to work on a network.  It isn't as bad on
your typical desktop setup, but applications like pinentry are often
designed with the network scenario in mind.

Imagine that you're on an X terminal at work.  You have clients
connected to your terminal from 47 different servers that you
administer.  Maybe you have firefox open from a workstation you
administer at customer A who is having firewall issues and you're
trying to get a sense of what things look like from inside.  Perhaps
you have a mail client open on customer B's server.  You punch in your
password for customer B so that the mail client can retrieve your mail
there, and now the trojaned firefox at customer A has your password
credentials for customer B.  So, you have things like the feature in
xterm which captures all keyboard input so that you can enter a
password securely, but it probably breaks things like copy/paste and
you have to toggle it on/off since while it is on no other window on
your server can listen to the keyboard.

This wasn't really how X11 ended up being used, but back in the day it
was how it was designed to work.  Well, except for the part where X11
is crippled when you have more than a few milliseconds in latency, so
nobody runs clients on remote servers.  But, you still get all the
baggage.

I'm not familiar with the internals of pinentry, but this probably why
you're frustrated with it.

In any case, I suspect that gpg-agent is actually serving passwords to
openssh, so the file you want is ~/.gnupg/gpg-agent.conf - it probably
contains the line pinentry-program /usr/bin/pinentry.  If you trust
all your X clients you can set the option no-grab in the file which
will probably allow copy/paste/etc to work with the entry window.

Rich

Re: [gentoo-user] How does ssh know to use pinentry?

[Chris Stankevitz]

On Sat, Jul 5, 2014 at 7:57 PM, Rich Freeman ri...@gentoo.org wrote:
 In any case, I suspect that gpg-agent is actually serving passwords to
 openssh, so the file you want is ~/.gnupg/gpg-agent.conf - it probably
 contains the line pinentry-program /usr/bin/pinentry.  If you trust
 all your X clients you can set the option no-grab in the file which
 will probably allow copy/paste/etc to work with the entry window.

Rich,

Thank you, I will give that a shot.  FYI I discovered:

declare -x GPG_AGENT_INFO=/tmp/gpg-2uVMfE/S.gpg-agent:26095:1

When I unset this env variable, ssh stopped trying to use pinentry to
acquire my passphrase.  However, I still do not understand how that
variable got set or how/why ssh behaves differently when it is set.

Chris