Skip to content

More ssh-add & gnome-keyring.

August 30, 2007

I’ve updated my gnome-keyring SSH_ASKPASS program to improve the user experience. However to get this 100% I need some changes to ssh-add so that there is a stable interface between it and the SSH_ASKPASS program.

The new version will read the environment variable GNOME_KEY_ASKPASS and if that is an executable and gnome-keyring needs to prompt for a pass phrase it will use that program to do the prompt, reading the pass phrase from standard out of that program, in the same way that SSH_ASKPASS does for ssh-add. It will then store that pass phrase in the keyring and output that to standard output for ssh-add.

So to use this I have this in my .dtprofile file:

: FSS 184 $; tail  -11 ~/.dtprofile if whence gnome-keyring > /dev/null then         export SSH_ASKPASS=gnome-keyring         if  whence xsshaskpass > /dev/null         then                 export GNOME_KEY_ASKPASS=xsshaskpass         fi elif whence xsshaskpass > /dev/null then         export SSH_ASKPASS=xsshaskpass fi : FSS 185 $; 

Then of course you need the xsshaskpass program. This just pops up a window and prompts the user to enter the key. There are lots of these around and I’ve always wondered why solaris does not have one (if it does let me know). Since they are trivially simple to write I guess it is just another way of making Solaris a little bit more elite. Here is my solution to this. Save it as xsshaskpass somewhere in your path and make it executable:

#!/usr/bin/ksh -p #\ if [[ -x /usr/bin/wish ]]  ; then # \         exec /usr/bin/wish -f "$0" ${1+"$@"}  #\ elif [[ -x /usr/sfw/bin/wish8.3 ]]  ; then # \         exec /usr/sfw/bin/wish8.3 -f "$0" ${1+"$@"} ; else # \         exec wish -f "$0" ${1+"$@"} ; fi . config -borderwidth 10 label .l -text "[lindex $argv 0]" entry .e -width 30 -show {*} frame .buts button .buts.doit -text o.k. -command { puts [.e get ] ; exit 0} button .buts.quit -text quit -command { exit 0} pack .buts.doit .buts.quit -side left pack .l .e .buts tkwait window . exit 0

The nice thing about this is that this is all you have to do to set this up and could be set up by the administrator. When ssh-add first runs when you login it will prompt you twice (see below) for your pass phrase and that then gets stored in the gnome-keyring. Assuming you entered the correct pass phrase then that is it. You never have to enter your ssh pass phrase again.

However since there is no way for the gnome-keyring program to know if the pass phrase that is read from the user is good it can end up storing a bad pass phrase in the keyring. To minimize this risk it prompts the user twice for the pass phrase until the user enters the same phrase twice. Once a bad pass phrase is in the keyring you have to use gnome-keyring-manager to delete it. Unfortunately all the gnome-keyring program has to go on when a bad passphrase is found is that is called with the arguments “Bad passphrase, try again: " which does not tell the program which key is bad. There are various hacks that could be performed to work around this but I’m coming to the conclusion the simplest would be to modify ssh-add to have it put the name of the file for which it is prompting into the environment of the SSH_ASKPASS program and hence the gnome-keyring program so that it can be read from there. With that in place it would not matter if a bad pass phrase was stored in the keyring since when the user eventually gets the pass phrase right it would still be stored.


From → Solaris

One Comment
  1. Hi Chris,<br/>
    Slightly related is that gdm/PAM can be configured to automatically unlock a user’s gnome-keyring iff the PAM password and gnome-keyring password match.<br/> has the scoop 🙂

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: