public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] How does ssh know to use "pinentry"?
@ 2014-07-06  1:41 Chris Stankevitz
  2014-07-06  2:57 ` Rich Freeman
  2014-07-06 20:32 ` Alan McKinnon
  0 siblings, 2 replies; 13+ messages in thread
From: Chris Stankevitz @ 2014-07-06  1:41 UTC
  To: gentoo-user@lists.gentoo.org

I am trying to ssh into a site using PKI.  I have a private key in my
.ssh directory that requires a passphrase.

ssh is asking me for my passphrase using a terrible program called
"pinentry".  It's terrible for a bunch of reasons, and if you are
interested you can just google "pinentry sucks".

pinentry is on my system because it is a dependency of gpg.  gpg is on
my system because I use thunderbird with +crypt (which is the
default).

Question:

By what mechanism does ssh know to use the program "pinentry" to
acquire my passphrase?

Thank you,

Chris



* Re: [gentoo-user] How does ssh know to use "pinentry"?
  2014-07-06  1:41 [gentoo-user] How does ssh know to use "pinentry"? Chris Stankevitz
@ 2014-07-06  2:57 ` Rich Freeman
  2014-07-06  3:42   ` Chris Stankevitz
  2014-07-06 20:32 ` Alan McKinnon
  1 sibling, 1 reply; 13+ messages in thread
From: Rich Freeman @ 2014-07-06  2:57 UTC
  To: gentoo-user

On Sat, Jul 5, 2014 at 9:41 PM, Chris Stankevitz
<chrisstankevitz@gmail.com> wrote:
>
> ssh is asking me for my passphrase using a terrible program called
> "pinentry".  It's terrible for a bunch of reasons, and if you are
> interested you can just google "pinentry sucks".
>

Probably more a case of "X11 sucks."  Historically password entry into
X11 windows has always been problematic, because in general any client
connected to an X server can eavesdrop on data entered into any other
window on the server.  That is especially problematic when you
remember that X was supposed to work on a network.  It isn't as bad on
your typical desktop setup, but applications like pinentry are often
designed with the network scenario in mind.

Imagine that you're on an X terminal at work.  You have clients
connected to your terminal from 47 different servers that you
administer.  Maybe you have firefox open from a workstation you
administer at customer A who is having firewall issues and you're
trying to get a sense of what things look like from inside.  Perhaps
you have a mail client open on customer B's server.  You punch in your
password for customer B so that the mail client can retrieve your mail
there, and now the trojaned firefox at customer A has your password
credentials for customer B.  So, you have things like the feature in
xterm which captures all keyboard input so that you can enter a
password securely, but it probably breaks things like copy/paste and
you have to toggle it on/off since while it is on no other window on
your server can listen to the keyboard.

This wasn't really how X11 ended up being used, but back in the day it
was how it was designed to work.  Well, except for the part where X11
is crippled when you have more than a few milliseconds in latency, so
nobody runs clients on remote servers.  But, you still get all the
baggage.

I'm not familiar with the internals of pinentry, but this is probably why
you're frustrated with it.

In any case, I suspect that gpg-agent is actually serving passwords to
openssh, so the file you want is ~/.gnupg/gpg-agent.conf - it probably
contains the line "pinentry-program /usr/bin/pinentry".  If you trust
all your X clients you can set the option no-grab in the file which
will probably allow copy/paste/etc to work with the entry window.

Rich



* Re: [gentoo-user] How does ssh know to use "pinentry"?
  2014-07-06  2:57 ` Rich Freeman
@ 2014-07-06  3:42   ` Chris Stankevitz
  2014-07-06 10:25     ` Rich Freeman
  0 siblings, 1 reply; 13+ messages in thread
From: Chris Stankevitz @ 2014-07-06  3:42 UTC
  To: gentoo-user@lists.gentoo.org

On Sat, Jul 5, 2014 at 7:57 PM, Rich Freeman <rich0@gentoo.org> wrote:
> In any case, I suspect that gpg-agent is actually serving passwords to
> openssh, so the file you want is ~/.gnupg/gpg-agent.conf - it probably
> contains the line "pinentry-program /usr/bin/pinentry".  If you trust
> all your X clients you can set the option no-grab in the file which
> will probably allow copy/paste/etc to work with the entry window.

Rich,

Thank you, I will give that a shot.  FYI I discovered:

declare -x GPG_AGENT_INFO="/tmp/gpg-2uVMfE/S.gpg-agent:26095:1"

When I unset this env variable, ssh stopped trying to use pinentry to
acquire my passphrase.  However, I still do not understand how that
variable got set or how/why ssh behaves differently when it is set.

Chris



* Re: [gentoo-user] How does ssh know to use "pinentry"?
  2014-07-06  3:42   ` Chris Stankevitz
@ 2014-07-06 10:25     ` Rich Freeman
  2014-07-06 15:29       ` Chris Stankevitz
  0 siblings, 1 reply; 13+ messages in thread
From: Rich Freeman @ 2014-07-06 10:25 UTC
  To: gentoo-user

On Sat, Jul 5, 2014 at 11:42 PM, Chris Stankevitz
<chrisstankevitz@gmail.com> wrote:
> On Sat, Jul 5, 2014 at 7:57 PM, Rich Freeman <rich0@gentoo.org> wrote:
>> In any case, I suspect that gpg-agent is actually serving passwords to
>> openssh, so the file you want is ~/.gnupg/gpg-agent.conf - it probably
>> contains the line "pinentry-program /usr/bin/pinentry".  If you trust
>> all your X clients you can set the option no-grab in the file which
>> will probably allow copy/paste/etc to work with the entry window.
>
> Rich,
>
> Thank you, I will give that a shot.  FYI I discovered:
>
> declare -x GPG_AGENT_INFO="/tmp/gpg-2uVMfE/S.gpg-agent:26095:1"
>
> When I unset this env variable, ssh stopped trying to use pinentry to
> acquire my passphrase.  However, I still do not understand how that
> variable got set or how/why ssh behaves differently when it is set.

You might want to read up on ssh-agent/gpg-agent in general to
understand what it's for.

The short version is that these programs are designed to cache the
password for your ssh/gpg private keys so that if you repeatedly use
gpg or ssh you don't have to type it every time.  If an agent isn't
running ssh/gpg will just prompt for a key each time, and forget it
when the program terminates.  If the agent is running then this
environment variable is used to communicate that to ssh/gpg and then
the program asks the agent for the key, and it prompts you to enter it
if it isn't cached.

They are designed to be secure (run in locked memory, etc).

Typically they are launched from a bash profile, or an X11 startup
script.  KDE/Gnome look like they have it in their default scripts.
Just grep -r gpg-agent /etc and you'll find where it is being loaded
if you didn't add them to your own startup scripts in /home.

Using gpg-agent is considered a best practice in general, so I
wouldn't go getting rid of it unless it is really causing you
problems.  You haven't mentioned what issue you're actually having
with it/pinentry/etc.

Rich



* Re: [gentoo-user] How does ssh know to use "pinentry"?
  2014-07-06 10:25     ` Rich Freeman
@ 2014-07-06 15:29       ` Chris Stankevitz
  2014-07-06 19:09         ` Mick
  0 siblings, 1 reply; 13+ messages in thread
From: Chris Stankevitz @ 2014-07-06 15:29 UTC
  To: gentoo-user@lists.gentoo.org

On Sun, Jul 6, 2014 at 3:25 AM, Rich Freeman <rich0@gentoo.org> wrote:
> Typically they are launched from a bash profile, or an X11 startup
> script.  KDE/Gnome look like they have it in their default scripts.
> Just grep -r gpg-agent /etc and you'll find where it is being loaded
> if you didn't add them to your own startup scripts in /home.

Rich,

Thank you again.  My bash history shows ssh-agent being executed in
the past, but I'm still not sure where gpg-agent came from.

> Using gpg-agent is considered a best practice in general, so I
> wouldn't go getting rid of it unless it is really causing you
> problems.  You haven't mentioned what issue you're actually having
> with it/pinentry/etc.

FYI pinentry frustrates me because:

1. pinentry-gtk and pinentry-qt do not allow me to "paste" my
passphrase.  My passphrase is difficult to type.  I keep my passphrase
in keepass.

2. Supposedly pinentry-curses will let me paste; however,
pinentry-curses doesn't work.
https://www.gnupg.org/documentation/manuals/gnupg/Common-Problems.html
suggests that my problem is a misconfigured GPG_TTY environment
variable.  At this point though I'm not even interested in using it
anymore.

At the moment pinentry is no longer installed on my system so these
"problems" should be gone.  If/when I understand what is going on,
I'll reinstall them.

FYI I removed pinentry with:

tail /etc/portage/package.use
# 2014-07-05 Avoid pinentry
dev-vcs/git -gpg
mail-client/thunderbird -crypt

tail /etc/portage/package.mask
# 2014-07-05 Avoid password entry program that disallows paste
app-crypt/pinentry

Chris



* Re: [gentoo-user] How does ssh know to use "pinentry"?
  2014-07-06 15:29       ` Chris Stankevitz
@ 2014-07-06 19:09         ` Mick
  2014-07-07  0:33           ` Chris Stankevitz
  0 siblings, 1 reply; 13+ messages in thread
From: Mick @ 2014-07-06 19:09 UTC
  To: gentoo-user

On Sunday 06 Jul 2014 16:29:03 Chris Stankevitz wrote:
> On Sun, Jul 6, 2014 at 3:25 AM, Rich Freeman <rich0@gentoo.org> wrote:
> > Typically they are launched from a bash profile, or an X11 startup
> > script.  KDE/Gnome look like they have it in their default scripts.
> > Just grep -r gpg-agent /etc and you'll find where it is being loaded
> > if you didn't add them to your own startup scripts in /home.
> 
> Rich,
> 
> Thank you again.  My bash history shows ssh-agent being executed in
> the past, but I'm still not sure where gpg-agent came from.

ssh-agent and gpg-agent are part of ssh and gnupg:

$ qfile /usr/bin/gpg-agent
app-crypt/gnupg (/usr/bin/gpg-agent)

They are usually started by the Desktop Environment startup scripts.

I start gpg-agent using ~/.xsession:
===================================
# Kill any gpg-agent left over from an earlier session; the !/awk/ test
# keeps the awk process itself out of the match.
if [ -x /usr/bin/gpg-agent ]; then
        kill $(ps ux | awk '/gpg-agent/ && !/awk/ {print $2}') >/dev/null 2>&1
fi

# Start a fresh daemon. It prints the GPG_AGENT_INFO export line, which
# eval puts into this X session's environment.
if [ -x /usr/bin/gpg-agent ]; then
  eval "$(/usr/bin/gpg-agent --daemon)"
fi
===================================

> > Using gpg-agent is considered a best practice in general, so I
> > wouldn't go getting rid of it unless it is really causing you
> > problems.  You haven't mentioned what issue you're actually having
> > with it/pinentry/etc.
> 
> FYI pinentry frustrates me because:
> 
> 1. pinentry-gtk and pinentry-qt do not allow me to "paste" my
> passphrase.  My passphrase is difficult to type.  I keep my passphrase
> in keepass.
> 
> 2. Supposedly pinentry-curses will let me paste; however,
> pinentry-curses doesn't work.
> https://www.gnupg.org/documentation/manuals/gnupg/Common-Problems.html
> suggests that my problem is a misconfigured GPG_TTY environment
> variable.  At this point though I'm not even interested in using it
> anymore.

Interesting - I don't seem to have a GPG_TTY environment variable set up 
either:

$ echo $GPG_TTY
$


> At the moment pinentry is no longer installed on my system so these
> "problems" should be gone.  If/when I understand what is going on,
> I'll reinstall them.
> 
> FYI I removed pinentry with:
> 
> tail /etc/portage/package.use
> # 2014-07-05 Avoid pinentry
> dev-vcs/git -gpg
> mail-client/thunderbird -crypt
> 
> tail /etc/portage/package.mask
> # 2014-07-05 Avoid password entry program that disallows paste
> app-crypt/pinentry

I think that the idea of keeping your passphrase in the clipboard is frowned 
upon for security reasons.  Not only because of any potential memory leaks, 
but because you may inadvertently paste it in GUI fields/areas you were not 
meant to:

Only a couple of days ago a friend ended up pasting his passphrase on an IM 
client for all to see, as he was trying to log in to a system ...  O_O

-- 
Regards,
Mick


* Re: [gentoo-user] How does ssh know to use "pinentry"?
  2014-07-06  1:41 [gentoo-user] How does ssh know to use "pinentry"? Chris Stankevitz
  2014-07-06  2:57 ` Rich Freeman
@ 2014-07-06 20:32 ` Alan McKinnon
  2014-07-07  0:40   ` Chris Stankevitz
  1 sibling, 1 reply; 13+ messages in thread
From: Alan McKinnon @ 2014-07-06 20:32 UTC
  To: gentoo-user

On 06/07/2014 03:41, Chris Stankevitz wrote:
> I am trying to ssh into a site using PKI.  I have a private key in my
> .ssh directory that requires a passphrase.
> 
> ssh is asking me for my passphrase using a terrible program called
> "pinentry".  It's terrible for a bunch of reasons, and if you are
> interested you can just google "pinentry sucks".
> 
> pinentry is on my system because it is a dependency of gpg.  gpg is on
> my system because I use thunderbird with +crypt (which is the
> default).
> 
> Question:
> 
> By what mechanism does ssh know to use the program "pinentry" to
> acquire my passphrase?



Why not do the obvious thing instead?

Run keychain and have it unlock your keys *once* when the workstation
boots up. ssh then always uses that key as it is unlocked.

I also have pinentry here, for the same reasons you do, and keychain
renders it never needing to run.


-- 
Alan McKinnon
alan.mckinnon@gmail.com




* Re: [gentoo-user] How does ssh know to use "pinentry"?
  2014-07-06 19:09         ` Mick
@ 2014-07-07  0:33           ` Chris Stankevitz
  0 siblings, 0 replies; 13+ messages in thread
From: Chris Stankevitz @ 2014-07-07  0:33 UTC
  To: gentoo-user@lists.gentoo.org

On Sun, Jul 6, 2014 at 12:09 PM, Mick <michaelkintzios@gmail.com> wrote:
> I think that the idea of keeping your passphrase in the clipboard is frowned
> upon for security reasons.  Not only because of any potential memory leaks,
> but because you may inadvertently paste it in GUI fields/areas you were not
> meant to

Mick,

Thank you.  I too have been concerned about this.  I've also been
concerned about "memory leaks".  FYI one cute feature of keepass is
that it clears the clipboard 20 seconds after you copy your password
to it.  Today (2014) I am choosing to use the clipboard/keepass to
manage complex/unique passwords.  Perhaps in the future (2015)
everybody will support something like the Yubikey HW OTP... in which
case it won't matter if everyone sees my password!

Chris



* Re: [gentoo-user] How does ssh know to use "pinentry"?
  2014-07-06 20:32 ` Alan McKinnon
@ 2014-07-07  0:40   ` Chris Stankevitz
  2014-07-07  0:45     ` Rich Freeman
  2014-07-07  8:05     ` Alan McKinnon
  0 siblings, 2 replies; 13+ messages in thread
From: Chris Stankevitz @ 2014-07-07  0:40 UTC
  To: gentoo-user@lists.gentoo.org

On Sun, Jul 6, 2014 at 1:32 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> Why not do the obvious thing instead?
>
> Run keychain and have it unlock your keys *once* when the workstation
> boots up. ssh then always uses that key as it is unlocked.

Alan,

Thank you.  FYI, I do not have a problem typing my password 100 times
per day.  The only problem I have with "pinentry" is that it doesn't
let me paste.  Does keychain allow me to paste?  If so, I'll consider
it.  However, now that I have killed pinentry from my system I am
happily pasting my passphrase into the ssh console.

On another note, from my OP, I am still curious how the ssh software
knows to use /usr/bin/pinentry to fetch my passphrase.  In a follow-up
post, I discovered that this mechanism only works if an environment
variable called GPG_AGENT_INFO is set.  I doubt the ssh source code
contains the string "/usr/bin/pinentry" or "GPG_AGENT_INFO".

Chris



* Re: [gentoo-user] How does ssh know to use "pinentry"?
  2014-07-07  0:40   ` Chris Stankevitz
@ 2014-07-07  0:45     ` Rich Freeman
  2014-07-07  1:18       ` Chris Stankevitz
  2014-07-07  8:05     ` Alan McKinnon
  1 sibling, 1 reply; 13+ messages in thread
From: Rich Freeman @ 2014-07-07  0:45 UTC
  To: gentoo-user

On Sun, Jul 6, 2014 at 8:40 PM, Chris Stankevitz
<chrisstankevitz@gmail.com> wrote:
>
> On another note, from my OP, I am still curious how the ssh software
> knows to use /usr/bin/pinentry to fetch my passphrase.  In a follow-up
> post, I discovered that this mechanism only works if an environment
> variable called GPG_AGENT_INFO is set.  I doubt the ssh source code
> contains the string "/usr/bin/pinentry" or "GPG_AGENT_INFO".

GPG_AGENT_INFO tells ssh to use gpg-agent.  ~/.gnupg/gpg-agent.conf
tells gpg-agent to use pinentry.

Rich



* Re: [gentoo-user] How does ssh know to use "pinentry"?
  2014-07-07  0:45     ` Rich Freeman
@ 2014-07-07  1:18       ` Chris Stankevitz
  2014-07-07  1:30         ` Rich Freeman
  0 siblings, 1 reply; 13+ messages in thread
From: Chris Stankevitz @ 2014-07-07  1:18 UTC
  To: gentoo-user@lists.gentoo.org

On Sun, Jul 6, 2014 at 5:45 PM, Rich Freeman <rich0@gentoo.org> wrote:
> GPG_AGENT_INFO tells ssh to use gpg-agent.

Hi Rich,

Are you saying that the ssh software checks for the presence of the
GPG_AGENT_INFO environment variable?  I find it odd that ssh would
hard-code the names of all possible agents.  Also, I thought the ssh
folks were BSD-friendly and GPG was GPL-friendly.

Thanks,

Chris



* Re: [gentoo-user] How does ssh know to use "pinentry"?
  2014-07-07  1:18       ` Chris Stankevitz
@ 2014-07-07  1:30         ` Rich Freeman
  0 siblings, 0 replies; 13+ messages in thread
From: Rich Freeman @ 2014-07-07  1:30 UTC
  To: gentoo-user

On Sun, Jul 6, 2014 at 9:18 PM, Chris Stankevitz
<chrisstankevitz@gmail.com> wrote:
> On Sun, Jul 6, 2014 at 5:45 PM, Rich Freeman <rich0@gentoo.org> wrote:
>> GPG_AGENT_INFO tells ssh to use gpg-agent.
>
> Are you saying that the ssh software checks for the presence of the
> GPG_AGENT_INFO environment variable?

Actually, I'm probably wrong on that.  In ssh agent mode I think that
gpg-agent also exports SSH_AUTH_SOCKET or something like that and
emulates ssh-agent, in addition to exporting GPG_AGENT_INFO.

If somebody knows the details feel free to post.  For the most part
most desktop environments configure it to "just work."

Rich


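Added example, not code from Rich or anyone else in this thread: a small POSIX sh diagnostic that traces the chain discussed above (Rich's agent explanation and his SSH_AUTH_SOCK remark), from the agent socket ssh will use, to gpg-agent, to the pinentry-program line in gpg-agent.conf. It assumes OpenSSH locates its agent only via SSH_AUTH_SOCK and that gpg-agent's ssh emulation publishes a socket named S.gpg-agent.ssh; the function names are mine, and the gpg-agent.conf used in testing is a constructed sample.

```shell
#!/bin/sh
# Added diagnostic, not code from anyone in this thread.
# Assumptions: OpenSSH finds its key agent only through SSH_AUTH_SOCK;
# gpg-agent started with --enable-ssh-support publishes an ssh-agent
# compatible socket whose name ends in S.gpg-agent.ssh and exports
# SSH_AUTH_SOCK pointing at it; gpg-agent reads pinentry-program from
# gpg-agent.conf and falls back to the plain name "pinentry" when unset.

# Classify the agent behind an SSH_AUTH_SOCK value. Prints one of:
#   none       variable empty: ssh reads the passphrase on its own terminal
#   gpg-agent  socket published by gpg-agent's ssh emulation
#   ssh-agent  anything else (plain ssh-agent, keychain-managed agent, ...)
agent_kind() {
    if [ -z "$1" ]; then
        echo none
        return 0
    fi
    case "$1" in
        */S.gpg-agent.ssh) echo gpg-agent ;;
        *)                 echo ssh-agent ;;
    esac
}

# Print the pinentry program a given gpg-agent.conf selects. Comment and
# blank lines are skipped, the last pinentry-program line wins, and a
# missing or unreadable file yields the default name.
pinentry_program() {
    conf=$1
    prog=pinentry
    if [ -r "$conf" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                \#*|"") continue ;;
            esac
            set -f            # no globbing while splitting the line into words
            set -- $line
            set +f
            if [ "$1" = pinentry-program ] && [ -n "$2" ]; then
                prog=$2
            fi
        done < "$conf"
    fi
    echo "$prog"
}

# Tie the two together: for a given SSH_AUTH_SOCK value and gpg-agent.conf
# path, which program ends up prompting when ssh needs a locked key?
explain_chain() {
    sock=$1
    conf=$2
    case "$(agent_kind "$sock")" in
        none)      echo "no agent: ssh prompts on its own terminal" ;;
        ssh-agent) echo "ssh-agent at $sock: ssh-add/ssh prompt on the terminal" ;;
        gpg-agent) echo "gpg-agent at $sock: prompt comes from $(pinentry_program "$conf")" ;;
    esac
}

# Run against the live session (uncomment to try):
# explain_chain "${SSH_AUTH_SOCK:-}" "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
```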

* Re: [gentoo-user] How does ssh know to use "pinentry"?
  2014-07-07  0:40   ` Chris Stankevitz
  2014-07-07  0:45     ` Rich Freeman
@ 2014-07-07  8:05     ` Alan McKinnon
  1 sibling, 0 replies; 13+ messages in thread
From: Alan McKinnon @ 2014-07-07  8:05 UTC
  To: gentoo-user

On 07/07/2014 02:40, Chris Stankevitz wrote:
> On Sun, Jul 6, 2014 at 1:32 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
>> Why not do the obvious thing instead?
>>
>> Run keychain and have it unlock your keys *once* when the workstation
>> boots up. ssh then always uses that key as it is unlocked.
> 
> Alan,
> 
> Thank you.  FYI, I do not have a problem typing my password 100 times
> per day.  The only problem I have with "pinentry" is that it doesn't
> let me paste.  Does keychain allow me to paste?  If so, I'll consider
> it.  However, now that I have killed pinentry from my system I am
> happily pasting my passphrase into the ssh console.

keychain is a regular terminal app, so paste will always work.

On a side note, I always recommend people use a key agent unless there
is absolutely no need for one:

- typing the same passphrase repeatedly becomes tedious
- the largest attack surface for passwords is not cryptographic
weaknesses, it's over-the-shoulder attacks (aka shoulder surfing or
monitor whoring). It's when people watch what you type over your
shoulder, and after entering it for the fifth time most folks stop
making sure everyone else in the room is looking away

> On another note, from my OP, I am still curious how the ssh software
> knows to use /usr/bin/pinentry to fetch my passphrase.  In a follow-up
> post, I discovered that this mechanism only works if an environment
> variable called GPG_AGENT_INFO is set.  I doubt the ssh source code
> contains the string "/usr/bin/pinentry" or "GPG_AGENT_INFO".

I'm not sure how that stuff works (I suspect the presence of magic) :-)

I really should read up more about it, considering what kind of software
it is.


-- 
Alan McKinnon
alan.mckinnon@gmail.com


