public inbox for gentoo-user@lists.gentoo.org
From: Rich Freeman <rich0@gentoo.org>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] How does ssh know to use "pinentry"?
Date: Sat, 5 Jul 2014 22:57:11 -0400
Message-ID: <CAGfcS_kQJjqj38cdDH9ZXBO5xMe8RBs3gryjP=UOH=jTJDc4=w@mail.gmail.com>
In-Reply-To: <CAPi0psvseDogcHdnCGyc1DoDDoe1ryj2X2RUnx7nDLcXi4mLZQ@mail.gmail.com>

On Sat, Jul 5, 2014 at 9:41 PM, Chris Stankevitz
<chrisstankevitz@gmail.com> wrote:
>
> ssh is asking me for my passphrase using a terrible program called
> "pinentry".  It's terrible for a bunch of reasons, and if you are
> interested you can just google "pinentry sucks".
>

Probably more a case of "X11 sucks."  Historically password entry into
X11 windows has always been problematic, because in general any client
connected to an X server can eavesdrop on data entered into any other
window on the server.  That is especially problematic when you
remember that X was supposed to work on a network.  It isn't as bad on
your typical desktop setup, but applications like pinentry are often
designed with the network scenario in mind.

Imagine that you're on an X terminal at work.  You have clients
connected to your terminal from 47 different servers that you
administer.  Maybe you have firefox open from a workstation you
administer at customer A who is having firewall issues and you're
trying to get a sense of what things look like from inside.  Perhaps
you have a mail client open on customer B's server.  You punch in your
password for customer B so that the mail client can retrieve your mail
there, and now the trojaned firefox at customer A has your password
credentials for customer B.  So, you have things like the feature in
xterm which captures all keyboard input so that you can enter a
password securely, but it probably breaks things like copy/paste and
you have to toggle it on/off since while it is on no other window on
your server can listen to the keyboard.

This wasn't really how X11 ended up being used, but back in the day it
was how it was designed to work.  Well, except for the part where X11
is crippled when you have more than a few milliseconds in latency, so
nobody runs clients on remote servers.  But, you still get all the
baggage.

I'm not familiar with the internals of pinentry, but this is probably why
you're frustrated with it.

In any case, I suspect that gpg-agent is actually serving passwords to
openssh, so the file you want is ~/.gnupg/gpg-agent.conf - it probably
contains the line "pinentry-program /usr/bin/pinentry".  If you trust
all your X clients you can set the option no-grab in the file which
will probably allow copy/paste/etc to work with the entry window.

Rich
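As an added example (not part of this thread or of gpg-agent itself), a small POSIX sh function that reads a gpg-agent.conf, reports which pinentry program is configured, and flags whether no-grab has switched off the keyboard grab that protects the passphrase entry from other X clients; the two sample config files are constructed inline.

```shell
#!/bin/sh
# Audit a gpg-agent.conf for the two settings discussed in the thread.
# Return status: 0 = keyboard grab kept (default), 1 = no-grab set,
# 2 = file not readable. Added example, not gpg-agent's own tooling.
audit_gpg_agent_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "no readable config at $conf"; return 2; }
    # gpg-agent.conf is one option per line; '#' starts a comment
    opts=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
    # last pinentry-program line wins if the option is repeated
    prog=$(printf '%s\n' "$opts" | awk '$1=="pinentry-program"{print $2}' | tail -n1)
    echo "pinentry program: ${prog:-(gpg-agent default)}"
    if printf '%s\n' "$opts" | grep -q '^[[:space:]]*no-grab[[:space:]]*$'; then
        echo "no-grab is set: pinentry will not grab the keyboard, so any" \
             "other client on this X server can observe the passphrase keystrokes"
        return 1
    fi
    echo "keyboard grab enabled: only pinentry sees the passphrase keystrokes"
    return 0
}

# Constructed sample configs so the script runs stand-alone.
demo=$(mktemp -d)
printf 'pinentry-program /usr/bin/pinentry\n' > "$demo/grab.conf"
printf 'pinentry-program /usr/bin/pinentry\nno-grab\n' > "$demo/nograb.conf"
audit_gpg_agent_conf "$demo/grab.conf"
audit_gpg_agent_conf "$demo/nograb.conf" || :
rm -rf "$demo"
```

Point it at your real file with audit_gpg_agent_conf ~/.gnupg/gpg-agent.conf; a status of 1 means the copy/paste convenience from the message above has been bought at the cost of the keyboard grab.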
