I looked into using ssh-agent first. It *might* be possible, but ssh-agent is really not designed for this purpose. Check out the protocol description for ssh-agent[1]: It really expects to be given asymmetric key data, not passphrases, and it expects to perform challenges/signatures, not to hand back the data that you load into it. You might be able to trick it into storing your passphrase as part of public key parameters and then retrieve it with a "request identities" message, but I generally have a bad feeling about that working now and in the future.

Contrast with gpg-agent which specifically includes the ability to store and retrieve passphrases. (FWIW I think there is some way to use gpg-agent as a replacement for ssh-agent.[2] I've never tried it.)

Dale

[1]: http://openbsd.cs.toronto.edu/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.agent?rev=1.7&content-type=text/x-cvsweb-markup
[2]: https://wiki.archlinux.org/index.php/SSH_keys#GnuPG_Agent

On Wed, Aug 6, 2014 at 12:06 AM, Bas Meijer <[email protected]> wrote:
> Would it be possible to extend this to use the ssh-agent?
>
> On 2 Aug 2014 at 19:54, Michael DeHaan <[email protected]> wrote:
>
> We have in fact merged in the support for the --vault-password-file to take a script (marked chmod +x) that can return the vault password.
>
> I just hadn't noticed that we merged it, which is all good :)
>
> And yes, you're exactly right - the two PRs are different things altogether. The perils of a busy mailing list and too much going on.
>
> We should still see about the gpg encryption method itself as well.
>
> On Sat, Aug 2, 2014 at 1:12 PM, Dale <[email protected]> wrote:
>
>> On Fri, Aug 1, 2014 at 6:37 AM, Michael DeHaan <[email protected]> wrote:
>>
>>> There's a pull request for direct GPG support in vault as well, that we need to evaluate
>>>
>>> https://github.com/ansible/ansible/pull/7174
>>>
>>> "Luckily, the next major release of Ansible will include the ability for vault_password_file to point at a script that will be run to get your passphrase."
>>>
>>> FYI - I don't remember merging this one. If we didn't merge that yet, I'm not opposed. Perhaps James did and I didn't notice, but there should be instructions added in docs to reference how to use it before this is complete.
>>>
>>> It may be a case of comparing the two submissions, can you please comment on the above pull request?
>>>
>>> Thanks!
>>
>> I'm sorry, I don't understand. What would you like me to comment on the above pull request for GPG vault file support? I don't have much to say about it, as I think this PR to use GPG for encrypting vault files is orthogonal to my script to use gpg-agent to store your vault passphrase. What I mean is that the PR you cited introduces a new vault encryption method, whereas my script will work with any vault encryption method that respects vault_password_file, including the default AES method and (apparently) this prospective GPG method.
>>
>> Of course, if you're actually invoking GPG, as in the above PR, then my script is probably not necessary as I expect GPG to use gpg-agent directly. (Though I can't tell if that's working quite right yet in the cited PR.)
>>
>> Dale
>>
>>> On Fri, Aug 1, 2014 at 1:48 AM, Dale <[email protected]> wrote:
>>>
>>>> Hi Ansible users,
>>>>
>>>> I've been trying to use vault lately but I got tired of having to enter my passphrase every time I ran ansible-playbook. I didn't want to put my passphrase into a file on disk, either. Luckily, the next major release of Ansible will include the ability for vault_password_file to point at a script that will be run to get your passphrase.[1] Using this new functionality I wrote a tiny vault_password_file script that reads your passphrase via gpg-agent. gpg-agent will then cache that passphrase for you (by default) so you won't have to enter it every time you run an Ansible command.
>>>>
>>>> I thought others might find this useful. If so, the script can be found at:
>>>>
>>>> https://github.com/dsedivec/ansible-plugins/blob/master/vault_from_gpg_agent.py
>>>>
>>>> To reiterate, as of right now I believe this will only work with Ansible from the Git devel branch.
>>>>
>>>> If an Ansible maintainer thinks this has a place in some more official repository somewhere I'm happy to make a pull request, just give me a hint where it should go.
>>>>
>>>> Regards,
>>>> Dale

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAEj9N4Kcxu6ond8pURWu_PU6S%2B%3DN9YV9E3NPah7G6_aN-PA5XQ%40mail.gmail.com.
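A vault_password_file helper in the spirit of the script Dale describes, added here as an illustration (it is neither Dale's script nor Ansible code): it asks gpg-agent for the passphrase over its Assuan socket with GET_PASSPHRASE --data, so pinentry prompts once and later runs are answered from the agent's cache. It assumes a GnuPG whose agent socket is reported by `gpgconf --list-dirs agent-socket` and a pinentry the agent can raise by itself (a curses pinentry would also need the client to send OPTION ttyname, omitted here); the cache id "ansible-vault" is an arbitrary choice.

```python
#!/usr/bin/env python3
# Ansible runs the executable named by vault_password_file and reads the passphrase
# from its stdout; here it comes from gpg-agent's cache via Assuan GET_PASSPHRASE.
import re
import socket
import subprocess
import sys
CACHE_ID = "ansible-vault"  # hypothetical cache key; any stable string will do
def assuan_escape(text):
    """Percent-escape an Assuan argument so space, %, CR and LF survive."""
    return "".join("%%%02X" % ord(c) if c in " %\r\n" else c for c in text)

def assuan_unescape(data):
    """Undo Assuan percent-escaping on a 'D' line (bytes in, bytes out)."""
    return re.sub(rb"%([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def build_get_passphrase(cache_id, prompt, description):
    """GET_PASSPHRASE --data <cache_id> <error_msg> <prompt> <desc>; X = default."""
    return "GET_PASSPHRASE --data %s X %s %s\n" % (
        assuan_escape(cache_id), assuan_escape(prompt), assuan_escape(description))

def parse_response(lines):
    """Join the D-line payload up to OK; S/# lines are ignored; ERR raises."""
    chunks = []
    for line in lines:
        if line.startswith(b"D "):
            chunks.append(assuan_unescape(line[2:].rstrip(b"\r\n")))
        elif line.startswith(b"OK"):
            return b"".join(chunks).decode("utf-8")
        elif line.startswith(b"ERR "):
            raise RuntimeError("gpg-agent: " + line[4:].decode("utf-8", "replace").strip())
    raise RuntimeError("gpg-agent closed the connection before OK")

def agent_socket_path():
    """Assumes a GnuPG with gpgconf; older setups exported $GPG_AGENT_INFO instead."""
    return subprocess.check_output(["gpgconf", "--list-dirs", "agent-socket"]).decode().strip()

def main():
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(agent_socket_path())
        conn = sock.makefile("rb")
        conn.readline()  # greeting line: "OK Pleased to meet you"
        sock.sendall(build_get_passphrase(CACHE_ID, "Passphrase:", "Ansible Vault passphrase").encode())
        try:
            sys.stdout.write(parse_response(iter(conn.readline, b"")))  # the passphrase itself, no newline
        except RuntimeError as err:
            sys.exit(str(err))  # non-zero exit makes ansible-playbook fail instead of using ""

if __name__ == "__main__":
    main()
```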
