monotone-devel

Re: [Monotone-devel] keyring integration from a user POV


From: Justin Patrin
Subject: Re: [Monotone-devel] keyring integration from a user POV
Date: Mon, 9 Apr 2007 12:59:15 -0700

On 4/9/07, Benoît Dejean <address@hidden> wrote:
On Monday 09 April 2007 at 07:52 -0700, Justin Patrin wrote:
> On 4/8/07, Benoît Dejean <address@hidden> wrote:

> > > >
> > > > - Why is it using ssh-agent if it doesn't really need to? I mean it
> > > > used to work without by using the hook. On windows where I don't run any
> > > > ssh-agent, it works as it used to be.
> >
> > It seems to me that the password hook and ssh-agent are both trying to
> > get my key. Maybe it's just a matter of order: 1) hook 2) ssh-agent?
> > Is the password hook obsolete ?
>
> They're not both "trying to get your key". The signature code (and
> anywhere else that needs it) is what gets your key.
>
> ssh-agent support is supposed to supersede the password hook. It is
> far more secure than leaving your key password in plaintext on your
> hard drive. If you use both then you won't ever have to enter your
> password (as it will be in the hook) and mtn will also add it to
> ssh-agent. However, this isn't how it's meant to be used.

OK

> >
> > > > - Who is asking for unlocking my main real ssh key ?
>
> To see if ssh-agent has your mtn key in it it has to list the keys
> that ssh-agent has. It sounds like your agent is unlocking the keys in
> order to list them. This sounds to me like a bit of a misnomer as
> listing keys only gets you the public part, not the private part.

I am using OpenSSH_4.3p2 Debian-9, OpenSSL 0.9.8e 23 Feb 2007 so I might
not be the only one to experience the same.

It's your agent asking for the passphrase, not openssh/ssl. If you're
using gnome-keyring, then it's gnome-keyring doing it.


I am now totally lost. I have dropped the get_passphrase hook and now
the agent prompts my password on command line ... why? It should use
the X prompt as every other application I have (graphical or not).

The *agent* asks on the command-line? Are you adding your key to the
agent manually or letting mtn do it? If you let mtn do it then it's
going to ask on the command-line. If you do it using ssh-add (which is
a command-line program) then it's going to ask on the command-line. If
you use your X-based agent program to add it (gnome-keyring?) then it
will ask however it asks.


> Actually, if you look closely at the
> exported key, it doesn't use the same standard format that ssh-keygen
> exports as. It is readable by ssh-agent but in a different format.

This is why gnome-keyring (and I guess other graphical keyring managers)
display a meaningless ID. It's annoying. Is it a bug in gnome-keyring or
is mtn abusing ssh-agent?


Possibly but I don't know. I've never used gnome-keyring and don't
know why it would display a "meaningless" ID. ssh-agent (command-line)
never showed anything meaningless to me, just the ID of my key (i.e.
address@hidden, the name I gave to monotone). mtn is not
abusing the agent, it's sending the ID of the key as the comment. The
only information that can be given about a key, other than the key
itself, is a comment. I figured the name of the key in mtn was a good
comment. We could perhaps prefix with (mtn) or something...

--
Justin Patrin



