Re: [Monotone-devel] keyring integration from a user POV

[Justin Patrin]

On 4/9/07, Benoît Dejean <address@hidden> wrote:
> Le lundi 09 avril 2007 à 12:59 -0700, Justin Patrin a écrit :
> > On 4/9/07, Benoît Dejean <address@hidden> wrote:
> > > Le lundi 09 avril 2007 à 07:52 -0700, Justin Patrin a écrit :
> > > > On 4/8/07, Benoît Dejean <address@hidden> wrote:
>
> > > > >
> > > > > > > - Who is asking for unlocking my main real ssh key ?
> > > >
> > > > To see if ssh-agent has your mtn key in it it has to list the keys
> > > > that ssh-agent has. It sounds like your agent is unlocking the keys in
> > > > order to list them. This sounds to me like a bit of a misnomer as
> > > > listing keys only gets you the public part, not the private part.
> > >
> > > I am using OpenSSH_4.3p2 Debian-9, OpenSSL 0.9.8e 23 Feb 2007 so i might
> > > not be the only one to experience the same.
> >
> > It's your agent asking for the passphrase, not openssh/ssl. If you're
> > using gnome-keyring, then it's gnome-keyring doing it.
>
> It is just a frontend. ssh-agent is running. Indeed, ssh-add -l ask for
> password.
>
> > >
> > > I am now totally lost. I have dropped the get_passphrase hook and now
> > > the agent prompts my password on command line ... why ? It should use
> > > the X prompt as every other application i have (graphical or not)
> >
> > The *agent* asks on the command-line? Are you adding your key to the
> > agent manually or letting mtn do it? If you let mtn do it then it's
> > going to ask on the command-line.
>
> I don't understand why. Every other program that i have don't ask
> password themselves for unlocking the key.

Because mtn is decrypting your key in order to add it to your
keystore. Your agent can only ask for your passphrase if *it* is the
one managing your key. If you want to type your passphrase into your
agent instead of mtn then export your key and add it to your agent
manually.

> > If you do it using ssh-add (which is
> > a command-line program) then it's going to ask on the command-line.
>
> No. Graphical GTK+.
> ssh-add -l pops up graphical prompt on first use.

No, ssh-add is not popping up a graphical prompt. gnome-keyring is.
There's a chain of processes here at work.
* ssh-add -l is asking for a list of keys from the agent
* ssh-agent looks for its list of keys
* seahorse-agent notices that you want to look at the key and asks
gnome-keyring for the password to decrypt it so that it can be added
to the agent
* gnome-password asks for your master passphrase to unlock your key
passphrase (or just asks for your passphrase for the key depending on
how you have it set up)

Then back the other way

* gnome-password passes the passphrase back to seahorse-agent
* seahorse-agent uses the passphrase to decrypt your key and pass it
to ssh-agent
* ssh-agent adds the key to its in-memory keystore and passes the list
of keys to ssh-add
* ssh-add lists your keys

Or something close to that anyway. mtn uses ssh-agent, not
gnome-keychain or seahorse-agent so it asks for the passphrase itself.

> > If
> > you use your X-based agent program to add it (gnome-keyring?) then it
> > will ask however it asks.
> >
> > >
> > > > Actually, if you look closely at the
> > > > exported key, it doesn't use the same standard format that ssh-keygen
> > > > exports as. It is readable by ssh-agent but in a different format.
> > >
> > > This is why gnome-keyring (and i guess other graphical keyring manager)
> > > display meaningless ID. It's annoying. Is it a bug in gnome-keyring or
> > > is mtn abusing ssh-agent ?
> > >
> >
> > Possibly but I don't know. I've never used gnome-keyring and don't
> > know why it would display a "meaningless" ID. ssh-agent (command-line)
> > never showed anything meaningless to me, just the ID of my key (i.e.
> > address@hidden, the name I gave to monotone).
>
> Yes, ssh-add -l shows the key right.
>
> >  mtn is not
> > abusing the agent, it's sending the ID of the key as the comment. The
> > only information that can be given about a key, other than the key
> > itself, is a comment. I figured the name of the key in mtn was a good
> > comment. We could perhaps prefix with (mtn) or something...
>
> That would be nice.
>
>
> Le lundi 09 avril 2007 à 13:27 -0700, Justin Patrin a écrit :
> > On 4/9/07, Justin Patrin <address@hidden> wrote:
>
> > FYI, I'm attempting to test gnome-keyring to see how it acts but have
> > now realized that gnome-keyring-manager is essentially uselss on its
> > own. It only allows me to add and remove keyrings, not to actually add
> > any keys...
>
> Thanks.
> I don't know much about the gnome-keyring-manager, it's just a trayicon
> which shows me all my keys (GPG and SSH). I am then able to manually
> kill them which is great to reset authentification for ssh.

I'm not seeing a tray icon and I don't see any graphical list of agent
keys at the moment with Seahorse 1.0. I'll try to play with it and my
mtn key later.

> > Are you using seahorse for ssh-agent integration or something else?
>
> yes, seahorse-agent. GNOME 2.16 on Debian SID.
>
>
> One thing i don't understand : if i export my key ssh_agent_export, it
> tries to change the password. Why ?

We figure that most people are using the get_passphrase hook right
now. It would be a good idea to change your key passphrase when you
export it since your passphrase was previously in plaintext on your
hard drive.

--
Justin Patrin