7:19 a.m.
This came in via the Debian BTS:
http://bugs.debian.org/43863
and it looks good to me.
From 7eeec0664ed2c4986172b67815d2ecf5432d0a40 Mon Sep 17 00:00:00 2001
Message-Id:
<7eeec0664ed2c4986172b67815d2ecf5432d0a40.1478956627.git.agx(a)sigxcpu.org>
From: Guilhem Moulin <guilhem(a)guilhem.org>
Date: Thu, 10 Nov 2016 11:17:05 +0100
Subject: [PATCH] Pass GPG_TTY env var to the ssh binary
To: libvir-list(a)redhat.com
Status: O
Content-Length: 694
Lines: 18
---
src/rpc/virnetsocket.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
index 405f5ba..95cda86 100644
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -839,6 +839,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
virCommandAddEnvPassBlockSUID(cmd, "KRB5CCNAME", NULL);
virCommandAddEnvPassBlockSUID(cmd, "SSH_AUTH_SOCK", NULL);
virCommandAddEnvPassBlockSUID(cmd, "SSH_ASKPASS", NULL);
+ virCommandAddEnvPassBlockSUID(cmd, "GPG_TTY", NULL);
virCommandAddEnvPassBlockSUID(cmd, "DISPLAY", NULL);
virCommandAddEnvPassBlockSUID(cmd, "XAUTHORITY", NULL);
virCommandClearCaps(cmd);
--
2.10.2
3:18 a.m.
On Sat, 12 Nov 2016 at 14:19:37 +0100, Guido Günther wrote:
This came in via the Debian BTS:
Thanks for forwarding this upstream, Guido!
#843863 actually: http://bugs.debian.org/843863
Cheers,
--
Guilhem.
4:02 a.m.
On Sat, Nov 12, 2016 at 02:19:37PM +0100, Guido Günther wrote:
This came in via the Debian BTS:
http://bugs.debian.org/43863
This seems to be the wrong bug number.
and it looks good to me.
>From 7eeec0664ed2c4986172b67815d2ecf5432d0a40 Mon Sep 17 00:00:00 2001
Message-Id:
<7eeec0664ed2c4986172b67815d2ecf5432d0a40.1478956627.git.agx(a)sigxcpu.org>
From: Guilhem Moulin <guilhem(a)guilhem.org>
Date: Thu, 10 Nov 2016 11:17:05 +0100
Subject: [PATCH] Pass GPG_TTY env var to the ssh binary
To: libvir-list(a)redhat.com
Status: O
Content-Length: 694
Lines: 18
---
src/rpc/virnetsocket.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
index 405f5ba..95cda86 100644
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -839,6 +839,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
virCommandAddEnvPassBlockSUID(cmd, "KRB5CCNAME", NULL);
virCommandAddEnvPassBlockSUID(cmd, "SSH_AUTH_SOCK", NULL);
virCommandAddEnvPassBlockSUID(cmd, "SSH_ASKPASS", NULL);
+ virCommandAddEnvPassBlockSUID(cmd, "GPG_TTY", NULL);
virCommandAddEnvPassBlockSUID(cmd, "DISPLAY", NULL);
virCommandAddEnvPassBlockSUID(cmd, "XAUTHORITY", NULL);
virCommandClearCaps(cmd);
Can you explain what functional effect a GPG setting has on SSH ?!?!?!?
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
4:13 a.m.
Hi Daniel,
On Mon, 14 Nov 2016 at 10:02:55 +0000, Daniel P. Berrange wrote:
On Sat, Nov 12, 2016 at 02:19:37PM +0100, Guido Günther wrote:
> This came in via the Debian BTS:
>
> http://bugs.debian.org/43863
This seems to be the wrong bug number.
Yup, it's #843863 actually: http://bugs.debian.org/843863
Can you explain what functional effect a GPG setting has on SSH
?!?!?!?
Quoting myself from the Debian bug #843863:
gpg-agent(1) can emulate the OpenSSH Agent protocol (which provides
pubkey-authentication using an authentication-capable OpenPGP key,
in addition to the usual identity files). However for a
console-based password prompt (such as pinentry-curses) to work, the
‘GPG_TTY’ environment variable needs to be set to the current TTY.
Using gpg-agent's ssh-agent implementation is currently not possible
for SSH remote URIs, because the environment is cleaned before
calling the ssh(1) binary. The enclosed patches adds ‘GPG_TTY’ to
the list of environment variables passed to the child.
Cheers,
--
Guilhem.
9:22 a.m.
On Mon, Nov 14, 2016 at 11:13:22AM +0100, Guilhem Moulin wrote:
Hi Daniel,
On Mon, 14 Nov 2016 at 10:02:55 +0000, Daniel P. Berrange wrote:
> On Sat, Nov 12, 2016 at 02:19:37PM +0100, Guido Günther wrote:
>> This came in via the Debian BTS:
>>
>> http://bugs.debian.org/43863
>
> This seems to be the wrong bug number.
Yup, it's #843863 actually: http://bugs.debian.org/843863
> Can you explain what functional effect a GPG setting has on SSH ?!?!?!?
Quoting myself from the Debian bug #843863:
gpg-agent(1) can emulate the OpenSSH Agent protocol (which provides
pubkey-authentication using an authentication-capable OpenPGP key,
in addition to the usual identity files). However for a
console-based password prompt (such as pinentry-curses) to work, the
‘GPG_TTY’ environment variable needs to be set to the current TTY.
Using gpg-agent's ssh-agent implementation is currently not possible
for SSH remote URIs, because the environment is cleaned before
calling the ssh(1) binary. The enclosed patches adds ‘GPG_TTY’ to
the list of environment variables passed to the child.
Yeah, I use it as well, without GPG_TTY it fallbacks. We need to pass
it together with SSH_AUTH_SOCK and others.
From me it's an ACK if you fix the bug number.
Cheers,
--
Guilhem.
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
8:29 a.m.
Hi Daniel,
On Mon, Nov 14, 2016 at 10:02:55AM +0000, Daniel P. Berrange wrote:
On Sat, Nov 12, 2016 at 02:19:37PM +0100, Guido Günther wrote:
> This came in via the Debian BTS:
>
> http://bugs.debian.org/43863
This seems to be the wrong bug number.
I've updated the commit message and added the correct bugnumber as
reference. Does this look better:
From: Guilhem Moulin <guilhem(a)guilhem.org>
Subject: [PATCH] Pass GPG_TTY env var to the ssh binary
gpg-agent(1) can emulate the OpenSSH Agent protocol (which provides
pubkey-authentication using an authentication-capable OpenPGP key, in
addition to the usual identity files). However for a console-based
password prompt (such as pinentry-curses) to work, the ‘GPG_TTY’
environment variable needs to be set to the current TTY.
Using gpg-agent's ssh-agent implementation is currently not possible for
SSH remote URIs, because the environment is cleaned before calling the
ssh(1) binary. The enclosed patches adds ‘GPG_TTY’ to the list of
environment variables passed to the child.
References: http://bugs.debian.org/843863
---
src/rpc/virnetsocket.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
index 325a7c7..8d20074 100644
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -848,6 +848,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
virCommandAddEnvPassBlockSUID(cmd, "KRB5CCNAME", NULL);
virCommandAddEnvPassBlockSUID(cmd, "SSH_AUTH_SOCK", NULL);
virCommandAddEnvPassBlockSUID(cmd, "SSH_ASKPASS", NULL);
+ virCommandAddEnvPassBlockSUID(cmd, "GPG_TTY", NULL);
virCommandAddEnvPassBlockSUID(cmd, "DISPLAY", NULL);
virCommandAddEnvPassBlockSUID(cmd, "XAUTHORITY", NULL);
virCommandClearCaps(cmd);
--
2.10.2
10:57 a.m.
And I didn't test this carefully, my apologies :-( Whether gpg-agent
can prompt the password depends on the pinentry program in use, but for
pinentry-curses this also requires to pass TERM. Patch modified
accordingly.
From: Guilhem Moulin <guilhem(a)guilhem.org>
Subject: [PATCH] Pass GPG_TTY env var to the ssh binary
gpg-agent(1) can emulate the OpenSSH Agent protocol (which provides
pubkey-authentication using an authentication-capable OpenPGP key, in
addition to the usual identity files). However for a console-based
password prompt (such as pinentry-curses) to work, the ‘GPG_TTY’
environment variable needs to be set to the current TTY.
Using gpg-agent's ssh-agent implementation is currently not possible for
SSH remote URIs, because the environment is cleaned before calling the
ssh(1) binary. The enclosed patches adds ‘GPG_TTY’ to the list of
environment variables passed to the child.
References: http://bugs.debian.org/843863
---
src/rpc/virnetsocket.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
index 325a7c7..8d20074 100644
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -839,6 +839,8 @@ int virNetSocketNewConnectSSH(const char *nodename,
virCommandAddEnvPassBlockSUID(cmd, "KRB5CCNAME", NULL);
virCommandAddEnvPassBlockSUID(cmd, "SSH_AUTH_SOCK", NULL);
virCommandAddEnvPassBlockSUID(cmd, "SSH_ASKPASS", NULL);
+ virCommandAddEnvPassBlockSUID(cmd, "GPG_TTY", NULL);
+ virCommandAddEnvPassBlockSUID(cmd, "TERM", NULL);
virCommandAddEnvPassBlockSUID(cmd, "DISPLAY", NULL);
virCommandAddEnvPassBlockSUID(cmd, "XAUTHORITY", NULL);
virCommandClearCaps(cmd);
--
Guilhem.
2919
days inactive
2932
days old
6 comments
4 participants
participants (4)
-
Daniel P. Berrange -
Guido Günther -
Guilhem Moulin -
Martin Kletzander