Re: [gentoo-user] How does ssh know to use pinentry?

2014-07-07 Thread Alan McKinnon
On 07/07/2014 02:40, Chris Stankevitz wrote:
> On Sun, Jul 6, 2014 at 1:32 PM, Alan McKinnon alan.mckin...@gmail.com wrote:
> > Why not do the obvious thing instead?
> >
> > Run keychain and have it unlock your keys *once* when the workstation
> > boots up. ssh then always uses that key as it is unlocked.
>
> Alan,
>
> Thank you.  FYI, I do not have a problem typing my password 100 times
> per day.  The only problem I have with pinentry is that it doesn't
> let me paste.  Does keychain allow me to paste?  If so, I'll consider
> it.  However, now that I have killed pinentry from my system I am
> happily pasting my passphrase into the ssh console.

keychain is a regular terminal app, so paste will always work.

On a side note, I always recommend people use a key agent unless there
is absolutely no need for one:

- typing the same passphrase repeatedly becomes tedious
- the largest attack surface for passwords is not cryptographic
weaknesses, it's over-the-shoulder attacks (aka shoulder surfing or
monitor whoring). It's when people watch what you type over your
shoulder, and after entering it for the fifth time most folks stop
making sure everyone else in the room is looking away

> On another note, from my OP, I am still curious how the ssh software
> knows to use /usr/bin/pinentry to fetch my passphrase.  In a follow-up
> post, I discovered that this mechanism only works if an environment
> variable called GPG_AGENT_INFO is set.  I doubt the ssh source code
> contains the string /usr/bin/pinentry or GPG_AGENT_INFO.

I'm not sure how that stuff works (I suspect the presence of magic) :-)

I really should read up more about it, considering what kind of software
it is.


-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] How does ssh know to use pinentry?

2014-07-06 Thread Rich Freeman
On Sat, Jul 5, 2014 at 11:42 PM, Chris Stankevitz
chrisstankev...@gmail.com wrote:
> On Sat, Jul 5, 2014 at 7:57 PM, Rich Freeman ri...@gentoo.org wrote:
> > In any case, I suspect that gpg-agent is actually serving passwords to
> > openssh, so the file you want is ~/.gnupg/gpg-agent.conf - it probably
> > contains the line pinentry-program /usr/bin/pinentry.  If you trust
> > all your X clients you can set the option no-grab in the file which
> > will probably allow copy/paste/etc to work with the entry window.
>
> Rich,
>
> Thank you, I will give that a shot.  FYI I discovered:
>
> declare -x GPG_AGENT_INFO=/tmp/gpg-2uVMfE/S.gpg-agent:26095:1
>
> When I unset this env variable, ssh stopped trying to use pinentry to
> acquire my passphrase.  However, I still do not understand how that
> variable got set or how/why ssh behaves differently when it is set.

You might want to read up on ssh-agent/gpg-agent in general to
understand what it's for.

The short version is that these programs are designed to cache the
password for your ssh/gpg private keys so that if you repeatedly use
gpg or ssh you don't have to type it every time.  If an agent isn't
running ssh/gpg will just prompt for a key each time, and forget it
when the program terminates.  If the agent is running then this
environment variable is used to communicate that to ssh/gpg and then
the program asks the agent for the key, and it prompts you to enter it
if it isn't cached.

They are designed to be secure (run in locked memory, etc).

Typically they are launched from a bash profile, or an X11 startup
script.  KDE/Gnome look like they have it in their default scripts.
Just grep -r gpg-agent /etc and you'll find where it is being loaded
if you didn't add them to your own startup scripts in /home.

Using gpg-agent is considered a best practice in general, so I
wouldn't go getting rid of it unless it is really causing you
problems.  You haven't mentioned what issue you're actually having
with it/pinentry/etc.

Rich



Re: [gentoo-user] How does ssh know to use pinentry?

2014-07-06 Thread Chris Stankevitz
On Sun, Jul 6, 2014 at 3:25 AM, Rich Freeman ri...@gentoo.org wrote:
> Typically they are launched from a bash profile, or an X11 startup
> script.  KDE/Gnome look like they have it in their default scripts.
> Just grep -r gpg-agent /etc and you'll find where it is being loaded
> if you didn't add them to your own startup scripts in /home.

Rich,

Thank you again.  My bash history shows ssh-agent being executed in
the past, but I'm still not sure where gpg-agent came from.

> Using gpg-agent is considered a best practice in general, so I
> wouldn't go getting rid of it unless it is really causing you
> problems.  You haven't mentioned what issue you're actually having
> with it/pinentry/etc.

FYI pinentry frustrates me because:

1. pinentry-gtk and pinentry-qt do not allow me to paste my
passphrase.  My passphrase is difficult to type.  I keep my passphrase
in keepass.

2. Supposedly pinentry-curses will let me paste; however,
pinentry-curses doesn't work.
https://www.gnupg.org/documentation/manuals/gnupg/Common-Problems.html
suggests that my problem is a misconfigured GPG_TTY environment
variable.  At this point though I'm not even interested in using it
anymore.

At the moment pinentry is no longer installed on my system so these
problems should be gone.  If/when I understand what is going on,
I'll reinstall them.

FYI I removed pinentry with:

tail /etc/portage/package.use
# 2014-07-05 Avoid pinentry
dev-vcs/git -gpg
mail-client/thunderbird -crypt

tail /etc/portage/package.mask
# 2014-07-05 Avoid password entry program that disallows paste
app-crypt/pinentry

Chris



Re: [gentoo-user] How does ssh know to use pinentry?

2014-07-06 Thread Mick
On Sunday 06 Jul 2014 16:29:03 Chris Stankevitz wrote:
> On Sun, Jul 6, 2014 at 3:25 AM, Rich Freeman ri...@gentoo.org wrote:
> > Typically they are launched from a bash profile, or an X11 startup
> > script.  KDE/Gnome look like they have it in their default scripts.
> > Just grep -r gpg-agent /etc and you'll find where it is being loaded
> > if you didn't add them to your own startup scripts in /home.
>
> Rich,
>
> Thank you again.  My bash history shows ssh-agent being executed in
> the past, but I'm still not sure where gpg-agent came from.

ssh-agent and gpg-agent are part of ssh and gnupg:

$ qfile /usr/bin/gpg-agent
app-crypt/gnupg (/usr/bin/gpg-agent)

They are usually started by the Desktop Environment startup scripts.

I start gpg-agent using ~/.xsession:
===
if [ -x /usr/bin/gpg-agent ]; then
  # stop any gpg-agent left over from a previous session
  kill $(ps ux | awk '/gpg-agent/ && !/awk/ {print $2}') > /dev/null 2>&1
fi

if [ -x /usr/bin/gpg-agent ]; then
  # start a fresh agent and export GPG_AGENT_INFO into this session
  eval $(/usr/bin/gpg-agent --daemon)
fi
===

> > Using gpg-agent is considered a best practice in general, so I
> > wouldn't go getting rid of it unless it is really causing you
> > problems.  You haven't mentioned what issue you're actually having
> > with it/pinentry/etc.
>
> FYI pinentry frustrates me because:
>
> 1. pinentry-gtk and pinentry-qt do not allow me to paste my
> passphrase.  My passphrase is difficult to type.  I keep my passphrase
> in keepass.
>
> 2. Supposedly pinentry-curses will let me paste; however,
> pinentry-curses doesn't work.
> https://www.gnupg.org/documentation/manuals/gnupg/Common-Problems.html
> suggests that my problem is a misconfigured GPG_TTY environment
> variable.  At this point though I'm not even interested in using it
> anymore.

Interesting - I don't seem to have a GPG_TTY environment variable set up 
either:

$ echo $GPG_TTY
$


> At the moment pinentry is no longer installed on my system so these
> problems should be gone.  If/when I understand what is going on,
> I'll reinstall them.
>
> FYI I removed pinentry with:
>
> tail /etc/portage/package.use
> # 2014-07-05 Avoid pinentry
> dev-vcs/git -gpg
> mail-client/thunderbird -crypt
>
> tail /etc/portage/package.mask
> # 2014-07-05 Avoid password entry program that disallows paste
> app-crypt/pinentry

I think that the idea of keeping your passphrase in the clipboard is frowned 
upon for security reasons.  Not only because of any potential memory leaks, 
but because you may inadvertently paste it in GUI fields/areas you were not 
meant to:

Only a couple of days ago a friend ended up pasting his passphrase on an IM 
client for all to see, as he was trying to log in to a system ...  O_O

-- 
Regards,
Mick




Re: [gentoo-user] How does ssh know to use pinentry?

2014-07-06 Thread Alan McKinnon
On 06/07/2014 03:41, Chris Stankevitz wrote:
> I am trying to ssh into a site using PKI.  I have a private key in my
> .ssh directory that requires a passphrase.
>
> ssh is asking me for my passphrase using a terrible program called
> pinentry.  It's terrible for a bunch of reasons, and if you are
> interested you can just google pinentry sucks.
>
> pinentry is on my system because it is a dependency of gpg.  gpg is on
> my system because I use thunderbird with +crypt (which is the
> default).
>
> Question:
>
> By what mechanism does ssh know to use the program pinentry to
> acquire my passphrase?



Why not do the obvious thing instead?

Run keychain and have it unlock your keys *once* when the workstation
boots up. ssh then always uses that key as it is unlocked.

I also have pinentry here, for the same reasons you do, and keychain
renders it never needing to run


-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] How does ssh know to use pinentry?

2014-07-06 Thread Chris Stankevitz
On Sun, Jul 6, 2014 at 12:09 PM, Mick michaelkintz...@gmail.com wrote:
> I think that the idea of keeping your passphrase in the clipboard is frowned
> upon for security reasons.  Not only because of any potential memory leaks,
> but because you may inadvertently paste it in GUI fields/areas you were not
> meant to

Mick,

Thank you.  I too have been concerned about this.  I've also been
concerned about memory leaks.  FYI one cute feature of keepass is
that it clears the clipboard 20 seconds after you copy your password
to it.  Today (2014) I am choosing to use the clipboard/keepass to
manage complex/unique passwords.  Perhaps in the future (2015)
everybody will support something like the Yubikey HW OTP... in which
case it won't matter if everyone sees my password!

Chris



Re: [gentoo-user] How does ssh know to use pinentry?

2014-07-06 Thread Chris Stankevitz
On Sun, Jul 6, 2014 at 1:32 PM, Alan McKinnon alan.mckin...@gmail.com wrote:
> Why not do the obvious thing instead?
>
> Run keychain and have it unlock your keys *once* when the workstation
> boots up. ssh then always uses that key as it is unlocked.

Alan,

Thank you.  FYI, I do not have a problem typing my password 100 times
per day.  The only problem I have with pinentry is that it doesn't
let me paste.  Does keychain allow me to paste?  If so, I'll consider
it.  However, now that I have killed pinentry from my system I am
happily pasting my passphrase into the ssh console.

On another note, from my OP, I am still curious how the ssh software
knows to use /usr/bin/pinentry to fetch my passphrase.  In a follow-up
post, I discovered that this mechanism only works if an environment
variable called GPG_AGENT_INFO is set.  I doubt the ssh source code
contains the string /usr/bin/pinentry or GPG_AGENT_INFO.

Chris



Re: [gentoo-user] How does ssh know to use pinentry?

2014-07-06 Thread Rich Freeman
On Sun, Jul 6, 2014 at 8:40 PM, Chris Stankevitz
chrisstankev...@gmail.com wrote:

> On another note, from my OP, I am still curious how the ssh software
> knows to use /usr/bin/pinentry to fetch my passphrase.  In a follow-up
> post, I discovered that this mechanism only works if an environment
> variable called GPG_AGENT_INFO is set.  I doubt the ssh source code
> contains the string /usr/bin/pinentry or GPG_AGENT_INFO.

GPG_AGENT_INFO tells ssh to use gpg-agent.  ~/.gnupg/gpg-agent.conf
tells gpg-agent to use pinentry.

Rich



Re: [gentoo-user] How does ssh know to use pinentry?

2014-07-06 Thread Chris Stankevitz
On Sun, Jul 6, 2014 at 5:45 PM, Rich Freeman ri...@gentoo.org wrote:
> GPG_AGENT_INFO tells ssh to use gpg-agent.

Hi Rich,

Are you saying that the ssh software checks for the presence of the
GPG_AGENT_INFO environment variable?  I find it odd that ssh would
hard-code the names of all possible agents.  Also, I thought the ssh
folks were BSD-friendly and GPG was GPL-friendly.

Thanks,

Chris



Re: [gentoo-user] How does ssh know to use pinentry?

2014-07-06 Thread Rich Freeman
On Sun, Jul 6, 2014 at 9:18 PM, Chris Stankevitz
chrisstankev...@gmail.com wrote:
> On Sun, Jul 6, 2014 at 5:45 PM, Rich Freeman ri...@gentoo.org wrote:
> > GPG_AGENT_INFO tells ssh to use gpg-agent.
>
> Are you saying that the ssh software checks for the presence of the
> GPG_AGENT_INFO environment variable?

Actually, I'm probably wrong on that.  In ssh agent mode I think that
gpg-agent also exports SSH_AUTH_SOCKET or something like that and
emulates ssh-agent, in addition to exporting GPG_AGENT_INFO.

If somebody knows the details feel free to post.  For the most part
most desktop environments configure it to just work.

Rich



Re: [gentoo-user] How does ssh know to use pinentry?

2014-07-05 Thread Rich Freeman
On Sat, Jul 5, 2014 at 9:41 PM, Chris Stankevitz
chrisstankev...@gmail.com wrote:

> ssh is asking me for my passphrase using a terrible program called
> pinentry.  It's terrible for a bunch of reasons, and if you are
> interested you can just google pinentry sucks.


Probably more a case of X11 sucks.  Historically password entry into
X11 windows has always been problematic, because in general any client
connected to an X server can eavesdrop on data entered into any other
window on the server.  That is especially problematic when you
remember that X was supposed to work on a network.  It isn't as bad on
your typical desktop setup, but applications like pinentry are often
designed with the network scenario in mind.

Imagine that you're on an X terminal at work.  You have clients
connected to your terminal from 47 different servers that you
administer.  Maybe you have firefox open from a workstation you
administer at customer A who is having firewall issues and you're
trying to get a sense of what things look like from inside.  Perhaps
you have a mail client open on customer B's server.  You punch in your
password for customer B so that the mail client can retrieve your mail
there, and now the trojaned firefox at customer A has your password
credentials for customer B.  So, you have things like the feature in
xterm which captures all keyboard input so that you can enter a
password securely, but it probably breaks things like copy/paste and
you have to toggle it on/off since while it is on no other window on
your server can listen to the keyboard.

This wasn't really how X11 ended up being used, but back in the day it
was how it was designed to work.  Well, except for the part where X11
is crippled when you have more than a few milliseconds in latency, so
nobody runs clients on remote servers.  But, you still get all the
baggage.

I'm not familiar with the internals of pinentry, but this is probably why
you're frustrated with it.

In any case, I suspect that gpg-agent is actually serving passwords to
openssh, so the file you want is ~/.gnupg/gpg-agent.conf - it probably
contains the line pinentry-program /usr/bin/pinentry.  If you trust
all your X clients you can set the option no-grab in the file which
will probably allow copy/paste/etc to work with the entry window.

Rich
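Added example (not code from any poster in this thread) tying together the gpg-agent.conf pointer above and the open question earlier in the thread about GPG_AGENT_INFO: the OpenSSH client reads only SSH_AUTH_SOCK, GPG_AGENT_INFO is read by gpg clients, and gpg-agent run with --enable-ssh-support emulates ssh-agent on a second socket, S.gpg-agent.ssh, which it exports as SSH_AUTH_SOCK. The S.gpg-agent.ssh naming is gpg 2.0-era behaviour, and the socket path, pid and conf contents used in the demo are constructed sample values.

```shell
# Which agent will the ssh client talk to, and which prompt program will
# that agent run? ssh reads only SSH_AUTH_SOCK. GPG_AGENT_INFO has the form
# "socket:pid:protocol" and is read by gpg clients, not by ssh. gpg-agent
# started with --enable-ssh-support listens for ssh-agent requests on
# S.gpg-agent.ssh, next to S.gpg-agent, and exports that as SSH_AUTH_SOCK.

# Usage: ssh_agent_kind "$SSH_AUTH_SOCK" "$GPG_AGENT_INFO"
# Prints one of: none, gpg-agent, ssh-agent
ssh_agent_kind() {
  auth_sock=$1
  agent_info=$2
  if [ -z "$auth_sock" ]; then
    echo none        # no agent: ssh prompts on its own tty, pinentry never runs
    return 0
  fi
  gpg_sock=${agent_info%%:*}   # first field of GPG_AGENT_INFO
  if [ -n "$gpg_sock" ] && [ "$auth_sock" = "${gpg_sock}.ssh" ]; then
    echo gpg-agent   # key unlock prompts go through gpg-agent's pinentry-program
  else
    echo ssh-agent   # plain OpenSSH agent (e.g. one started by keychain)
  fi
}

# Usage: pinentry_from_conf ~/.gnupg/gpg-agent.conf
# Prints the last pinentry-program path in the file, or "default" when the
# file is unreadable or has no such line (gpg-agent then uses its built-in).
pinentry_from_conf() {
  cf=$1
  [ -r "$cf" ] || { echo default; return 0; }
  prog=$(sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}//p' "$cf" | tail -n 1)
  if [ -n "$prog" ]; then echo "$prog"; else echo default; fi
}

# Stand-alone demo with constructed values: the socket path and pid are the
# ones quoted in the thread; the conf is written to a temp file, not read
# from ~/.gnupg.
demo() {
  tmpconf=$(mktemp)
  printf 'no-grab\npinentry-program /usr/bin/pinentry\n' > "$tmpconf"
  ssh_agent_kind /tmp/gpg-2uVMfE/S.gpg-agent.ssh /tmp/gpg-2uVMfE/S.gpg-agent:26095:1
  ssh_agent_kind /tmp/ssh-XXXXXX/agent.1234 /tmp/gpg-2uVMfE/S.gpg-agent:26095:1
  ssh_agent_kind "" ""
  pinentry_from_conf "$tmpconf"
  rm -f "$tmpconf"
}
demo
```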



Re: [gentoo-user] How does ssh know to use pinentry?

2014-07-05 Thread Chris Stankevitz
On Sat, Jul 5, 2014 at 7:57 PM, Rich Freeman ri...@gentoo.org wrote:
> In any case, I suspect that gpg-agent is actually serving passwords to
> openssh, so the file you want is ~/.gnupg/gpg-agent.conf - it probably
> contains the line pinentry-program /usr/bin/pinentry.  If you trust
> all your X clients you can set the option no-grab in the file which
> will probably allow copy/paste/etc to work with the entry window.

Rich,

Thank you, I will give that a shot.  FYI I discovered:

declare -x GPG_AGENT_INFO=/tmp/gpg-2uVMfE/S.gpg-agent:26095:1

When I unset this env variable, ssh stopped trying to use pinentry to
acquire my passphrase.  However, I still do not understand how that
variable got set or how/why ssh behaves differently when it is set.

Chris