Re: [Monotone-devel] keyring integration from a user POV


From: Justin Patrin
Subject: Re: [Monotone-devel] keyring integration from a user POV
Date: Fri, 13 Apr 2007 11:56:26 -0700

On 4/13/07, Benoît Dejean <address@hidden> wrote:
On Tuesday, 10 April 2007 at 09:45 -0700, Justin Patrin wrote:
> On 4/9/07, Benoît Dejean <address@hidden> wrote:
> > On Monday, 09 April 2007 at 14:40 -0700, Justin Patrin wrote:
> > > On 4/9/07, Benoît Dejean <address@hidden> wrote:
> >
> > > >
> > > > > If you do it using ssh-add (which is
> > > > > a command-line program) then it's going to ask on the command-line.
> > > >
> > > > No. Graphical GTK+.
> > > > ssh-add -l pops up graphical prompt on first use.
> > >
> > > No, ssh-add is not popping up a graphical prompt. gnome-keyring is.
> > > There's a chain of processes here at work.
> > > * ssh-add -l is asking for a list of keys from the agent
> > > * ssh-agent looks for its list of keys
> >
> > (Do you think I should file a bug against ssh-agent because it tries to
> > unlock my keys just to list them?)
>
> I'm not sure. I would think you'd normally have your keys unlocked
> when logged in....do you lock them after a certain amount of time? Any
> program that needs to use your keys would likely cause them to unlock.
> Don't you have to enter your password when you ssh as well?

I am concerned about having to unlock all my keys on startup where I
would prefer to unlock them on first use.

Well, monotone can't know what key to use or if your key is in
ssh-agent until it lists the keys....or perhaps I could construct the
public part and send it to ssh-agent and watch for an error...that's
an interesting possibility, I'll try to take a look at it.


> >
> > > * seahorse-agent notices that you want to look at the key and asks
> > > gnome-keyring for the password to decrypt it so that it can be added
> > > to the agent
> > > * gnome-password asks for your master passphrase to unlock your key
> > > passphrase (or just asks for your passphrase for the key depending on
> > > how you have it set up)
> > >
> > > Then back the other way
> > >
> > > * gnome-password passes the passphrase back to seahorse-agent
> > > * seahorse-agent uses the passphrase to decrypt your key and pass it
> > > to ssh-agent
> > > * ssh-agent adds the key to its in-memory keystore and passes the list
> > > of keys to ssh-add
> > > * ssh-add lists your keys
> > >
> > > Or something close to that anyway. mtn uses ssh-agent, not
> > > gnome-keychain or seahorse-agent so it asks for the passphrase itself.
> >
> > Hum OK. Something is really inconsistent here because "ssh-add -l" uses a
> > graphical prompt where "ssh-add key" doesn't. Or maybe I don't
> > understand. I have to reread this thread.
>
> It's not inconsistent. It makes perfect sense, in fact. ssh-add -l is
> only listing keys so ssh-agent and hence seahorse and gnome-keychain
> are the ones loading the keys and causing the prompts. When you
> ssh-add key ssh-add is the one loading the key and hence needs your
> password.

OK


> >
> > I have tried to import my mtn.key in seahorse but the key fails to load
> > "file:///home/monotone/mtn_benoit
> > 0x7f7f7f7flacenet.org.key: Invalid file format"
> >
>
> Sounds like seahorse doesn't support all of the key formats that
> ssh-agent/add does. I had to patch SSHKeychain to make it allow
> importing of this format.

Have you forwarded this patch upstream?


Yes but I got no response, IIRC. The patch is also on the monotone wiki:
http://www.venge.net/mtn-wiki/MonotoneAndSSHAgent

--
Justin Patrin
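
The two agent requests contrasted in this message, listing every identity versus asking about one key by its public blob and watching for a failure reply, are sketched below as an added example; it is not code from this thread or from monotone. The message numbers and framing follow the ssh-agent protocol; the function names are hypothetical and the replies are decoded from bytes rather than read from a live agent socket.

```python
import struct

# ssh-agent protocol message numbers
FAILURE, REQUEST_IDENTITIES, IDENTITIES_ANSWER, SIGN_REQUEST, SIGN_RESPONSE = 5, 11, 12, 13, 14

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string, the agent protocol's basic field."""
    return struct.pack(">I", len(data)) + data

def frame(msg_type: int, payload: bytes = b"") -> bytes:
    """uint32 length, one type byte, then the payload."""
    return struct.pack(">IB", 1 + len(payload), msg_type) + payload

def list_request() -> bytes:
    """What `ssh-add -l` sends: enumerate every identity the agent holds."""
    return frame(REQUEST_IDENTITIES)

def sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """Ask for a signature from one specific key, named by its public blob."""
    return frame(SIGN_REQUEST, ssh_string(key_blob) + ssh_string(data) + struct.pack(">I", flags))

def read_string(buf: bytes, off: int):  # returns (value, next offset)
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_reply(reply: bytes):
    """Decode an agent reply into (kind, value)."""
    body = reply[4:]
    if len(reply) < 5 or struct.unpack(">I", reply[:4])[0] != len(body):
        raise ValueError("bad frame length")
    if body[0] == FAILURE:
        return "failure", None
    if body[0] == SIGN_RESPONSE:
        return "signature", read_string(body, 1)[0]
    if body[0] != IDENTITIES_ANSWER:
        raise ValueError(f"unexpected message type {body[0]}")
    (count,) = struct.unpack_from(">I", body, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(body, off)
        comment, off = read_string(body, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return "identities", keys

def key_in_agent(sign_reply: bytes) -> bool:
    """The probe idea: a signature means the key is loaded, failure means it is not."""
    return parse_reply(sign_reply)[0] == "signature"
```

Whether a given agent front end prompts to unlock keys on either request is up to that agent and is not modelled here.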



