Gentoo Forums
gpg-agent unlock key at login
Gentoo Forums Forum Index :: Networking & Security
potuz (Guru)
Joined: 30 Jan 2010, Posts: 378

Posted: Tue Dec 16, 2014 1:13 am    Post subject: gpg-agent unlock key at login

Hello, I use gpg-agent as a keychain manager. I would like to unlock the keychain when I type my password at the login console. How would I go about it?

Incidentally, in my current setup I launch gpg-agent from ~/.xinitrc and pinentry-gtk prompts for my password twice: once when it needs a key to decrypt and another time when it needs the key to sign. Is there a way to unlock all keys at once?
khayyam (Watchman)
Joined: 07 Jun 2012, Posts: 6227, Location: Room 101

Posted: Tue Dec 16, 2014 1:48 am

potuz ...

by "login console" I assume you mean the console (so, not DM). You could call gpg-agent from your shell login, but it's probably simpler to use net-misc/keychain. You would need to edit your shell config (probably .bash_profile), call keychain and source the ~/.keychain/${HOSTNAME}-sh.

best ... khay
potuz (Guru)
Joined: 30 Jan 2010, Posts: 378

Posted: Tue Dec 16, 2014 2:01 am

khayyam wrote:
potuz ...

by "login console" I assume you mean the console (so, not DM).

Indeed, no DM. I now automatically log in a user and start X from .bashrc. What I'm trying to do is to stop autologin and hopefully use the password that I type at the login prompt (the one that the login program launched by agetty will produce) to not only start my session but also unlock the keychain.

khayyam wrote:

You could call gpg-agent from your shell login, but it's probably simpler to use net-misc/keychain. You would need to edit your shell config (probably .bash_profile), call keychain and source the ~/.keychain/${HOSTNAME}-sh.

best ... khay

I haven't seen net-misc/keychain, but it simply looks like a wrapper to gpg-agent. I don't understand how changing anything in .bash_profile will allow me to unlock my keychain (or tell gpg-agent to cache the keys in memory) from the login prompt. I thought this should be some form of a PAM module of sorts.
khayyam (Watchman)
Joined: 07 Jun 2012, Posts: 6227, Location: Room 101

Posted: Tue Dec 16, 2014 12:00 pm

potuz wrote:
khayyam wrote:
You could call gpg-agent from your shell login, but it's probably simpler to use net-misc/keychain. You would need to edit your shell config (probably .bash_profile), call keychain and source the ~/.keychain/${HOSTNAME}-sh.

I haven't seen net-misc/keychain, but it simply looks like a wrapper to gpg-agent. I don't understand how changing anything in .bash_profile will allow me to unlock my keychain (or tell gpg-agent to cache the keys in memory) from the login prompt. I thought this should be some form of a PAM module of sorts.

potuz ... that wasn't altogether clear. Indeed, for a single login and *-agent authentication some PAM module is required. I do this for ssh-agent with sys-auth/pam_ssh, but I'm not aware of something similar for gpg-agent. In the case of pam_ssh the key is used as the login authenticator; once authenticated, ssh-agent is started and SSH_AUTH_SOCK is passed as an environment variable to the shell, so subsequently the key can be accessed. In the case of gnupg this probably isn't possible, as it uses pinentry for input, so 'login' (and therefore PAM) is out of the loop.

best ... khay
potuz (Guru)
Joined: 30 Jan 2010, Posts: 378

Posted: Tue Dec 16, 2014 1:03 pm

Thanks, it seems that a PAM module does exist, but I need a wrapper over gpg-agent anyway. I think https://github.com/vodik/envoy does what I want, especially the issue discussed in https://github.com/vodik/envoy/issues/6. I'll try this at some point, but for now pinentry works for me; it's just a pity having to type my 16-character password of letters and symbols twice.
AngelKnight (Tux's lil' helper)
Joined: 14 Jan 2003, Posts: 127

Posted: Tue Jan 06, 2015 9:44 am

(thread necromancy, oops)

If you're not logging in via a DM, what's wrong with Keychain? If I recall correctly there's a perfectly working .ebuild for this, stable in the tree. The bonus is that it is designed to manage both ssh and GnuPG keychains and knows how to communicate with both ssh-agent and gpg-agent.
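The .bash_profile arrangement khayyam outlines above (call keychain, then source ~/.keychain/${HOSTNAME}-sh) and that AngelKnight recommends, written out as an added example. This is not code from the thread or from the keychain project; the key names, the KEYCHAIN_DIR and KEYCHAIN_KEYS variables and the helper function names are assumptions made for the example. It is guarded so that a login shell still comes up cleanly on a machine where keychain is not installed or has not run yet.

```shell
#!/bin/bash
# Added example, not from the thread or the keychain project: a
# ~/.bash_profile fragment that starts net-misc/keychain once per console
# login and imports the agent variables it writes under ~/.keychain/.
# KEYCHAIN_DIR, KEYCHAIN_KEYS and the key names are placeholders.

KEYCHAIN_DIR="${KEYCHAIN_DIR:-$HOME/.keychain}"

# Path of the sh-style environment file keychain writes for this host,
# ~/.keychain/${HOSTNAME}-sh; the companion ${HOSTNAME}-sh-gpg file
# carries the gpg-agent variables.
keychain_env_file() {
    printf '%s/%s-sh\n' "$KEYCHAIN_DIR" "${HOSTNAME:-$(hostname)}"
}

# Start (or reuse) ssh-agent and gpg-agent through keychain and add the
# given keys. Returns 1 when keychain is not installed, so the login
# shell is not broken on a box without it.
start_keychain() {
    command -v keychain >/dev/null 2>&1 || return 1
    keychain --quiet --agents ssh,gpg "$@"
}

# Import SSH_AUTH_SOCK / SSH_AGENT_PID (and GPG_AGENT_INFO when the -gpg
# file exists) into the current shell. Returns 1 if keychain has not
# written its environment file yet.
load_keychain_env() {
    local f
    f=$(keychain_env_file)
    [ -r "$f" ] || return 1
    # shellcheck disable=SC1090
    . "$f"
    [ -r "${f}-gpg" ] && . "${f}-gpg"
    return 0
}

# One-shot login hook: add the keys, then pull the agent variables in.
keychain_login() {
    start_keychain "$@" || return 1
    load_keychain_env
}

# The last lines of ~/.bash_profile would typically read:
#   keychain_login id_ed25519 0xDEADBEEF   # placeholder ssh key / gpg key id
# Here the key list comes from $KEYCHAIN_KEYS so the file can be sourced as-is.
if [ -n "${KEYCHAIN_KEYS:-}" ]; then
    # shellcheck disable=SC2086
    keychain_login $KEYCHAIN_KEYS
fi
```

Note that this still prompts for the passphrases after the login password has been accepted: keychain runs from the shell startup files, so as khayyam says below, it cannot reuse the password that login/PAM already collected.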
khayyam (Watchman)
Joined: 07 Jun 2012, Posts: 6227, Location: Room 101

Posted: Tue Jan 06, 2015 7:58 pm

AngelKnight wrote:
If you're not logging in via a DM, what's wrong with Keychain? If I recall correctly there's a perfectly working .ebuild for this, stable in the tree. The bonus is that it is designed to manage both ssh and GnuPG keychains and knows how to communicate with both ssh-agent and gpg-agent.

AngelKnight ... because the OP wants a single login/authentication ... and keychain is subsequent to 'login'. I do this for ssh-agent using sys-auth/pam_ssh: my ssh key is used as authentication, and once authenticated, ssh-agent is set up for my login.

best ... khay