[libvirt] [PATCH] Pass GPG_TTY env var to the ssh binary

This came in via the Debian BTS: http://bugs.debian.org/43863 and it looks good to me.
From 7eeec0664ed2c4986172b67815d2ecf5432d0a40 Mon Sep 17 00:00:00 2001 Message-Id: <7eeec0664ed2c4986172b67815d2ecf5432d0a40.1478956627.git.agx@sigxcpu.org> From: Guilhem Moulin <guilhem@guilhem.org> Date: Thu, 10 Nov 2016 11:17:05 +0100 Subject: [PATCH] Pass GPG_TTY env var to the ssh binary To: libvir-list@redhat.com Status: O Content-Length: 694 Lines: 18
--- src/rpc/virnetsocket.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c index 405f5ba..95cda86 100644 --- a/src/rpc/virnetsocket.c +++ b/src/rpc/virnetsocket.c @@ -839,6 +839,7 @@ int virNetSocketNewConnectSSH(const char *nodename, virCommandAddEnvPassBlockSUID(cmd, "KRB5CCNAME", NULL); virCommandAddEnvPassBlockSUID(cmd, "SSH_AUTH_SOCK", NULL); virCommandAddEnvPassBlockSUID(cmd, "SSH_ASKPASS", NULL); + virCommandAddEnvPassBlockSUID(cmd, "GPG_TTY", NULL); virCommandAddEnvPassBlockSUID(cmd, "DISPLAY", NULL); virCommandAddEnvPassBlockSUID(cmd, "XAUTHORITY", NULL); virCommandClearCaps(cmd); -- 2.10.2
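Review bot: The commit message consists of the subject line only; the hunk inserts GPG_TTY between SSH_ASKPASS and DISPLAY in the list of variables forwarded to the ssh child without saying why a GnuPG variable matters to ssh (gpg-agent serving as the SSH agent needs it to find the terminal for a console pinentry, as explained later in this thread). Add a body that states that, and cite the Debian bug in the message rather than only in the cover mail, so the next reader of `git log` does not have to ask the same question.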

On Sat, 12 Nov 2016 at 14:19:37 +0100, Guido Günther wrote:
This came in via the Debian BTS:
Thanks for forwarding this upstream, Guido!
#843863 actually: http://bugs.debian.org/843863

Cheers,
-- 
Guilhem.

On Sat, Nov 12, 2016 at 02:19:37PM +0100, Guido Günther wrote:
This came in via the Debian BTS:
This seems to be the wrong bug number.
and it looks good to me.
From 7eeec0664ed2c4986172b67815d2ecf5432d0a40 Mon Sep 17 00:00:00 2001 Message-Id: <7eeec0664ed2c4986172b67815d2ecf5432d0a40.1478956627.git.agx@sigxcpu.org> From: Guilhem Moulin <guilhem@guilhem.org> Date: Thu, 10 Nov 2016 11:17:05 +0100 Subject: [PATCH] Pass GPG_TTY env var to the ssh binary To: libvir-list@redhat.com Status: O Content-Length: 694 Lines: 18
--- src/rpc/virnetsocket.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c index 405f5ba..95cda86 100644 --- a/src/rpc/virnetsocket.c +++ b/src/rpc/virnetsocket.c @@ -839,6 +839,7 @@ int virNetSocketNewConnectSSH(const char *nodename, virCommandAddEnvPassBlockSUID(cmd, "KRB5CCNAME", NULL); virCommandAddEnvPassBlockSUID(cmd, "SSH_AUTH_SOCK", NULL); virCommandAddEnvPassBlockSUID(cmd, "SSH_ASKPASS", NULL); + virCommandAddEnvPassBlockSUID(cmd, "GPG_TTY", NULL); virCommandAddEnvPassBlockSUID(cmd, "DISPLAY", NULL); virCommandAddEnvPassBlockSUID(cmd, "XAUTHORITY", NULL); virCommandClearCaps(cmd);
Can you explain what functional effect a GPG setting has on SSH ?!?!?!?

Regards,
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|

Hi Daniel, On Mon, 14 Nov 2016 at 10:02:55 +0000, Daniel P. Berrange wrote:
On Sat, Nov 12, 2016 at 02:19:37PM +0100, Guido Günther wrote:
This came in via the Debian BTS:
This seems to be the wrong bug number.
Yup, it's #843863 actually: http://bugs.debian.org/843863
Can you explain what functional effect a GPG setting has on SSH ?!?!?!?
Quoting myself from the Debian bug #843863:

gpg-agent(1) can emulate the OpenSSH Agent protocol (which provides pubkey authentication using an authentication-capable OpenPGP key, in addition to the usual identity files). However, for a console-based password prompt (such as pinentry-curses) to work, the ‘GPG_TTY’ environment variable needs to be set to the current TTY.

Using gpg-agent's ssh-agent implementation is currently not possible for SSH remote URIs, because the environment is cleaned before calling the ssh(1) binary. The enclosed patch adds ‘GPG_TTY’ to the list of environment variables passed to the child.

Cheers,
-- 
Guilhem.
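The mechanism Guilhem describes is an environment allow-list: libvirt clears the environment and then forwards only named variables to the ssh child, so a variable that is not on the list never reaches gpg-agent's pinentry. The sketch below is an added illustration of that allow-list, not libvirt's own code; `build_ssh_env`, `env_lookup` and `ssh_env_allow` are names chosen here, and the `is_suid` flag approximates the intent of the "BlockSUID" variant (forward nothing when running set-user-ID), not its exact implementation.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Variables forwarded to the ssh child: the allow-list from
 * virNetSocketNewConnectSSH with GPG_TTY and TERM added, as in the final
 * patch in this thread. Anything not listed is dropped, which is why a
 * console pinentry could not find its terminal before the change. */
const char *const ssh_env_allow[] = {
    "KRB5CCNAME", "SSH_AUTH_SOCK", "SSH_ASKPASS",
    "GPG_TTY", "TERM", "DISPLAY", "XAUTHORITY", NULL
};

/* Build a NULL-terminated envp for execve() from the allow-list only.
 * is_suid: caller passes (getuid() != geteuid()); when set nothing is
 * forwarded, so a caller-controlled TERM/DISPLAY/GPG_TTY never reaches a
 * privileged child. out needs room for (list length + 1) pointers.
 * Returns the number of entries written, or -1 on allocation failure. */
int build_ssh_env(const char *const *allow, int is_suid, char **out)
{
    int n = 0;
    for (; *allow && !is_suid; allow++) {
        const char *val = getenv(*allow);
        if (!val)
            continue;           /* unset in the parent: no empty entry */
        size_t len = strlen(*allow) + 1 + strlen(val) + 1;
        char *entry = malloc(len);
        if (!entry) {
            while (n > 0) free(out[--n]);
            out[0] = NULL;
            return -1;
        }
        snprintf(entry, len, "%s=%s", *allow, val);
        out[n++] = entry;
    }
    out[n] = NULL;
    return n;
}

/* Look NAME up in a built envp; returns the value or NULL if absent. */
const char *env_lookup(char *const *envp, const char *name)
{
    size_t nl = strlen(name);
    for (; *envp; envp++)
        if (strncmp(*envp, name, nl) == 0 && (*envp)[nl] == '=')
            return *envp + nl + 1;
    return NULL;
}
```

Passing the result as the envp argument of execve() reproduces the behaviour the patch relies on: GPG_TTY and TERM survive only because they were added to the list.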

On Mon, Nov 14, 2016 at 11:13:22AM +0100, Guilhem Moulin wrote:
Hi Daniel,
On Mon, 14 Nov 2016 at 10:02:55 +0000, Daniel P. Berrange wrote:
On Sat, Nov 12, 2016 at 02:19:37PM +0100, Guido Günther wrote:
This came in via the Debian BTS:
This seems to be the wrong bug number.
Yup, it's #843863 actually: http://bugs.debian.org/843863
Can you explain what functional effect a GPG setting has on SSH ?!?!?!?
Quoting myself from the Debian bug #843863:
gpg-agent(1) can emulate the OpenSSH Agent protocol (which provides pubkey authentication using an authentication-capable OpenPGP key, in addition to the usual identity files). However, for a console-based password prompt (such as pinentry-curses) to work, the ‘GPG_TTY’ environment variable needs to be set to the current TTY.
Using gpg-agent's ssh-agent implementation is currently not possible for SSH remote URIs, because the environment is cleaned before calling the ssh(1) binary. The enclosed patch adds ‘GPG_TTY’ to the list of environment variables passed to the child.
Yeah, I use it as well; without GPG_TTY it falls back. We need to pass it together with SSH_AUTH_SOCK and the others. From me it's an ACK if you fix the bug number.
Cheers, -- Guilhem.
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

Hi Daniel, On Mon, Nov 14, 2016 at 10:02:55AM +0000, Daniel P. Berrange wrote:
On Sat, Nov 12, 2016 at 02:19:37PM +0100, Guido Günther wrote:
This came in via the Debian BTS:
This seems to be the wrong bug number.
I've updated the commit message and added the correct bugnumber as reference. Does this look better: From: Guilhem Moulin <guilhem@guilhem.org> Subject: [PATCH] Pass GPG_TTY env var to the ssh binary gpg-agent(1) can emulate the OpenSSH Agent protocol (which provides pubkey-authentication using an authentication-capable OpenPGP key, in addition to the usual identity files). However for a console-based password prompt (such as pinentry-curses) to work, the ‘GPG_TTY’ environment variable needs to be set to the current TTY. Using gpg-agent's ssh-agent implementation is currently not possible for SSH remote URIs, because the environment is cleaned before calling the ssh(1) binary. The enclosed patches adds ‘GPG_TTY’ to the list of environment variables passed to the child. References: http://bugs.debian.org/843863 --- src/rpc/virnetsocket.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c index 325a7c7..8d20074 100644 --- a/src/rpc/virnetsocket.c +++ b/src/rpc/virnetsocket.c @@ -848,6 +848,7 @@ int virNetSocketNewConnectSSH(const char *nodename, virCommandAddEnvPassBlockSUID(cmd, "KRB5CCNAME", NULL); virCommandAddEnvPassBlockSUID(cmd, "SSH_AUTH_SOCK", NULL); virCommandAddEnvPassBlockSUID(cmd, "SSH_ASKPASS", NULL); + virCommandAddEnvPassBlockSUID(cmd, "GPG_TTY", NULL); virCommandAddEnvPassBlockSUID(cmd, "DISPLAY", NULL); virCommandAddEnvPassBlockSUID(cmd, "XAUTHORITY", NULL); virCommandClearCaps(cmd); -- 2.10.2
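Review bot: In the commit message body, "The enclosed patches adds" should read "This patch adds" (one patch, singular verb; "enclosed" reads oddly once the text is the commit message itself). The body now answers the earlier question of why a GnuPG variable is relevant to ssh and carries the Debian reference, and the hunk is unchanged from the first posting and consistent with the neighbouring SSH_AUTH_SOCK/SSH_ASKPASS entries.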

And I didn't test this carefully, my apologies :-( Whether gpg-agent can prompt the password depends on the pinentry program in use, but for pinentry-curses this also requires to pass TERM. Patch modified accordingly. From: Guilhem Moulin <guilhem@guilhem.org> Subject: [PATCH] Pass GPG_TTY env var to the ssh binary gpg-agent(1) can emulate the OpenSSH Agent protocol (which provides pubkey-authentication using an authentication-capable OpenPGP key, in addition to the usual identity files). However for a console-based password prompt (such as pinentry-curses) to work, the ‘GPG_TTY’ environment variable needs to be set to the current TTY. Using gpg-agent's ssh-agent implementation is currently not possible for SSH remote URIs, because the environment is cleaned before calling the ssh(1) binary. The enclosed patches adds ‘GPG_TTY’ to the list of environment variables passed to the child. References: http://bugs.debian.org/843863 --- src/rpc/virnetsocket.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c index 325a7c7..8d20074 100644 --- a/src/rpc/virnetsocket.c +++ b/src/rpc/virnetsocket.c @@ -839,6 +839,8 @@ int virNetSocketNewConnectSSH(const char *nodename, virCommandAddEnvPassBlockSUID(cmd, "KRB5CCNAME", NULL); virCommandAddEnvPassBlockSUID(cmd, "SSH_AUTH_SOCK", NULL); virCommandAddEnvPassBlockSUID(cmd, "SSH_ASKPASS", NULL); + virCommandAddEnvPassBlockSUID(cmd, "GPG_TTY", NULL); + virCommandAddEnvPassBlockSUID(cmd, "TERM", NULL); virCommandAddEnvPassBlockSUID(cmd, "DISPLAY", NULL); virCommandAddEnvPassBlockSUID(cmd, "XAUTHORITY", NULL); virCommandClearCaps(cmd); -- Guilhem.
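Review bot: The hunk now adds two lines (`@@ -839,6 +839,8 @@`, GPG_TTY and TERM), but the diffstat still says "1 file changed, 1 insertion(+)" and the index line `325a7c7..8d20074` is identical to the previous revision, so the patch metadata was edited by hand and does not match the content; regenerate it with git format-patch. The subject and body also still describe only GPG_TTY; add the sentence from the cover note that pinentry-curses additionally needs TERM, otherwise the TERM line has no justification in the history.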
participants (4)
- Daniel P. Berrange
- Guido Günther
- Guilhem Moulin
- Martin Kletzander