public inbox for gentoo-user@lists.gentoo.org
From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] How does ssh know to use "pinentry"?
Date: Sun, 6 Jul 2014 20:09:19 +0100
Message-ID: <201407062009.36913.michaelkintzios@gmail.com>
In-Reply-To: <CAPi0psvMu5+4cpw2qZ1kqZE84F_sfbvWq9eHrC7rvnqB1Xp1CA@mail.gmail.com>

On Sunday 06 Jul 2014 16:29:03 Chris Stankevitz wrote:
> On Sun, Jul 6, 2014 at 3:25 AM, Rich Freeman <rich0@gentoo.org> wrote:
> > Typically they are launched from a bash profile, or an X11 startup
> > script.  KDE/Gnome look like they have it in their default scripts.
> > Just grep -r gpg-agent /etc and you'll find where it is being loaded
> > if you didn't add them to your own startup scripts in /home.
> 
> Rich,
> 
> Thank you again.  My bash history shows ssh-agent being executed in
> the past, but I'm still not sure where gpg-agent came from.

ssh-agent and gpg-agent are part of ssh and gnupg:

$ qfile /usr/bin/gpg-agent
app-crypt/gnupg (/usr/bin/gpg-agent)

They are usually started by the Desktop Environment startup scripts.

I start gpg-agent using ~/.xsession:
===================================
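if [ -x /usr/bin/gpg-agent ]; then
        # Kill any gpg-agent this user still has running from an earlier session
        kill $(ps ux | awk '/gpg-agent/ && !/awk/ {print $2}') >/dev/null 2>&1
        # Start a fresh agent; eval imports the environment variables it prints
        eval "$(/usr/bin/gpg-agent --daemon)"
fi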
===================================

> > Using gpg-agent is considered a best practice in general, so I
> > wouldn't go getting rid of it unless it is really causing you
> > problems.  You haven't mentioned what issue you're actually having
> > with it/pinentry/etc.
> 
> FYI pinentry frustrates me because:
> 
> 1. pinentry-gtk and pinentry-qt do not allow me to "paste" my
> passphrase.  My passphrase is difficult to type.  I keep my passphrase
> in keepass.
> 
> 2. Supposedly pinentry-curses will let me paste; however,
> pinentry-curses doesn't work.
> https://www.gnupg.org/documentation/manuals/gnupg/Common-Problems.html
> suggests that my problem is a misconfigured GPG_TTY environment
> variable.  At this point though I'm not even interested in using it
> anymore.

Interesting - I don't seem to have a GPG_TTY environment variable set up 
either:

$ echo $GPG_TTY
$


> At the moment pinentry is no longer installed on my system so these
> "problems" should be gone.  If/when I understand what is going on,
> I'll reinstall them.
> 
> FYI I removed pinentry with:
> 
> tail /etc/portage/package.use
> # 2014-07-05 Avoid pinentry
> dev-vcs/git -gpg
> mail-client/thunderbird -crypt
> 
> tail /etc/portage/package.mask
> # 2014-07-05 Avoid password entry program that disallows paste
> app-crypt/pinentry

I think that the idea of keeping your passphrase in the clipboard is frowned 
upon for security reasons.  Not only because of any potential memory leaks, 
but because you may inadvertently paste it in GUI fields/areas you were not 
meant to:

Only a couple of days ago a friend ended up pasting his passphrase on an IM 
client for all to see, as he was trying to log in to a system ...  O_O

-- 
Regards,
Mick
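
An added example, not part of Mick's message or the thread: a shell check for the GPG_TTY variable discussed above, which the GnuPG manual says must name the current terminal for pinentry-curses to work. The function names are hypothetical; the snippet is meant to be sourced from an interactive shell profile such as ~/.bashrc.

```shell
#!/bin/sh
# Added example: classify GPG_TTY against the terminal the shell is on.
#   $1 = current value of GPG_TTY (may be empty)
#   $2 = what tty(1) printed for this shell
# Prints one of: no-tty, unset, stale, ok
gpg_tty_status() {
    case "$2" in
        /dev/*) ;;                      # attached to a real terminal device
        *) echo "no-tty"; return 0 ;;   # e.g. ~/.xsession or cron: no terminal
    esac
    if [ -z "$1" ]; then
        echo "unset"                    # what an empty `echo $GPG_TTY` means
    elif [ "$1" != "$2" ]; then
        echo "stale"                    # inherited from a different terminal
    else
        echo "ok"
    fi
}

# Export GPG_TTY for this shell when it is missing or stale, then print
# the status that was found before the fix.
ensure_gpg_tty() {
    cur_tty=$(tty 2>/dev/null) || cur_tty="not a tty"
    status=$(gpg_tty_status "${GPG_TTY:-}" "$cur_tty")
    case "$status" in
        unset|stale)
            GPG_TTY=$cur_tty
            export GPG_TTY
            ;;
    esac
    echo "$status"
}

# Run the check for the current shell.
ensure_gpg_tty
```

GPG_TTY is per terminal, so it belongs in the profile of each interactive shell rather than in ~/.xsession, where no terminal is attached.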
