[Feature Request] Replacing pinentry to with pam_usb #187
Comments
|
I'm not familar with that software. How exactly does it work? I assume it either asks for the password or does get it from PAM like the gnome keyring does? If it takes the password also via CLI/shell we could adopt an approach similar to https://github.com/mcdope/pam_usb/blob/master/tools/pamusb-keyring-unlock-gnome |
|
https://www.gnupg.org/related_software/pinentry/index.html |
|
I cant find any easy searchable documentation there, splitted all over... So I cant really tell if can be done. But if it takes the password via shell then for sure the mentioned approach could be done. If somebody submits a working pull request for that I will for sure merge it, but I don't intent to work on it myself in the foreseeable future. |
mcdope
added
enhancement
|
@mcdope i knwo it has been forever since, but this is where the docs are: https://info2html.sourceforge.net/cgi-bin/info2html-demo/info2html?(pinentry)Protocol The following is a simple script that acts as a pinentry application: #! /bin/python
import sys
import subprocess
a = subprocess.run(["pamusb-check", "dhruva"], capture_output=True)
if (a.returncode == 0):
print("OK Pleased to meet you")
while True:
line = input().split()
if line[0] == "GETPIN":
print("D gpg-pass-here")
elif line[0] == "BYE":
exit()
print("OK")
else:
subprocess.run("/usr/bin/pinentry-gnome3")That said, this is a MAJOR security gap, unless the gpg password can be stored on the usb |
|
Last reply is still current: "If somebody submits a working pull request for that I will for sure merge it, but I don't intent to work on it myself in the foreseeable future." :D Sorry. |
|
I just now realized that your script is pretty much a working PR, except without PR. Sorry for only skimming the script in May. If I get your script correctly it sends the password |
|
No worries, this skipped my view too.
Yes exactly. I have not dug into how GNOME keyring unlock stores the password, so similar security options would need to be set up for this too. |
|
@DhruvaSambrani Looking at it again, how is this supposed to be used? To be called once (at startup/login or like that) to unlock the keys? |
|
We are supposed to provide an alternative pinentry program. Then, a user can change the pinentry program in |
|
Note to myself: check if we can provide it automatically via update-alternatives https://superuser.com/a/1381147
|
|
@DhruvaSambrani There is now a branch / PR with the feature available. See the PR for setup instructions. Would be nice if you could test it somewhen |
|
Hi, the typical way would be to provide |
|
Did you had time to test the PR already? Waiting for your feedback before merging. |
This adds a pinentry application. Requirements: [ ] File `~/.pamusb/.pinentry.env` containing the following: [ ] PINENTRY_PASSWORD=yourGpgKeyPassword [ ] PINENTRY_FALLBACK_APP=/path/to/fallback/pinentry (eg /usr/bin/pinentry-gnome3 or whatever you're using right now) [ ] Configure GPG to use this application by setting it in ~/.gnupg/gpg-agent.conf. To do so add pinentry-program /path/to/pamusb-pinentry
Which version of pam_usb are you running?
master
Which distribution are you using?
Arch Linux
Which login manager and desktop environment are you using?
logind, DWM
What happened?
This is a Question/Feature request.
Is it possible to replace the
pinentryprogram to auto-input the gnu pass password with pam-usb?Output of "pamusb-check --debug
whoami"Output of "w"
Output of "loginctl"
SESSION UID USER SEAT TTY 5 1000 dhruva seat0 tty1 1 sessions listed.The text was updated successfully, but these errors were encountered: