Subject: Re: [gentoo-user] How does ssh know to use "pinentry"?
Date: Sat, 5 Jul 2014 22:57:11 -0400
List-Id: Gentoo Linux mail (gentoo-user@lists.gentoo.org)
From: Rich Freeman
To: gentoo-user@lists.gentoo.org

On Sat, Jul 5, 2014 at 9:41 PM, Chris Stankevitz wrote:
>
> ssh is asking me for my passphrase using a terrible program called
> "pinentry". It's terrible for a bunch of reasons, and if you are
> interested you can just google "pinentry sucks".
>

Probably more a case of "X11 sucks." Historically, password entry into X11 windows has always been problematic, because in general any client connected to an X server can eavesdrop on data entered into any other window on the server. That is especially problematic when you remember that X was supposed to work on a network. It isn't as bad on your typical desktop setup, but applications like pinentry are often designed with the network scenario in mind.

Imagine that you're on an X terminal at work. You have clients connected to your terminal from 47 different servers that you administer. Maybe you have firefox open from a workstation you administer at customer A, who is having firewall issues, and you're trying to get a sense of what things look like from inside. Perhaps you have a mail client open on customer B's server. You punch in your password for customer B so that the mail client can retrieve your mail there, and now the trojaned firefox at customer A has your password credentials for customer B.

So, you have things like the feature in xterm which captures all keyboard input so that you can enter a password securely, but it probably breaks things like copy/paste, and you have to toggle it on/off, since while it is on no other window on your server can listen to the keyboard.

This wasn't really how X11 ended up being used, but back in the day it was how it was designed to work. Well, except for the part where X11 is crippled when you have more than a few milliseconds in latency, so nobody runs clients on remote servers.
But you still get all the baggage. I'm not familiar with the internals of pinentry, but this is probably why you're frustrated with it.

In any case, I suspect that gpg-agent is actually serving passwords to openssh, so the file you want is ~/.gnupg/gpg-agent.conf - it probably contains the line "pinentry-program /usr/bin/pinentry". If you trust all your X clients you can set the option no-grab in the file, which will probably allow copy/paste/etc. to work with the entry window.

Rich
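An added audit script (not from the thread or from GnuPG) that checks the two things Rich points at: which pinentry program gpg-agent.conf names, whether keyboard grabbing has been switched off with no-grab (the weaker setting, since other X clients can then watch the entry window), and whether ssh is actually talking to gpg-agent. The live socket check assumes GnuPG 2.1 or later, where `gpgconf --list-dirs agent-ssh-socket` exists; the sample config is constructed for the demo.

```shell
#!/bin/sh
# Added example: audit why ssh prompts through pinentry.
# Assumes GnuPG 2.x and a gpg-agent.conf at the path passed in.

# Print the pinentry program set in a gpg-agent.conf, or "default" when
# no pinentry-program line is present (comment lines are ignored).
pinentry_program() {
    conf="$1"
    [ -r "$conf" ] || { echo "default"; return 0; }
    prog=$(sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}//p' "$conf" | tail -n 1)
    if [ -n "$prog" ]; then echo "$prog"; else echo "default"; fi
}

# Print "no-grab" when keyboard grabbing is disabled, else "grab".
# With grabbing off, any connected X client can read what is typed.
grab_mode() {
    conf="$1"
    if [ -r "$conf" ] && grep -q '^[[:space:]]*no-grab[[:space:]]*$' "$conf"; then
        echo "no-grab"
    else
        echo "grab"
    fi
}

# True when SSH_AUTH_SOCK is gpg-agent's ssh socket (GnuPG 2.1+ only).
ssh_uses_gpg_agent() {
    sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null) || return 1
    [ -n "$sock" ] && [ "$SSH_AUTH_SOCK" = "$sock" ]
}

# Stand-alone demo on a constructed config (not a real user's file).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/gpg-agent.conf" <<'EOF'
# constructed sample gpg-agent.conf
pinentry-program /usr/bin/pinentry
no-grab
EOF
    echo "pinentry:  $(pinentry_program "$tmp/gpg-agent.conf")"
    echo "grab mode: $(grab_mode "$tmp/gpg-agent.conf")"
    if ssh_uses_gpg_agent; then echo "ssh agent: gpg-agent"; else echo "ssh agent: not gpg-agent"; fi
    rm -rf "$tmp"
}

demo
```

Point the two parsing functions at your own ~/.gnupg/gpg-agent.conf to see the live values; "no-grab" in the output means the copy/paste convenience has been bought by giving up the keyboard grab.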