genkernel: LUKS+GPG+SSH @ initramfs
nephron (n00b; Joined: 18 Oct 2007; Posts: 66)
Posted: Fri May 02, 2014 6:48 pm    Post subject: genkernel: LUKS+GPG+SSH @ initramfs

Hi Folks..

I am trying to use https://github.com/ebast/genkernel/commit/319512ba55af7a0e875972173cc92563b6ce5b37.patch

Looks like it's widely compatible with 3.4.49.. So long - everything seems fine..


But i have a very strange problem with the pinentry of gpg inside the ssh-session - /dev/pts/0 is the used terminal but the pinentry always goes to /dev/tty0 and is waiting there for user-input.

Someone here interested in testing this stuff and having a look for the gap in here?





greetings
khayyam (Watchman; Joined: 07 Jun 2012; Posts: 6227; Location: Room 101)
Posted: Fri May 02, 2014 8:32 pm    Post subject: Re: genkernel: LUKS+GPG+SSH @ initramfs

nephron wrote:
[...] i have a very strange problem with the pinentry of gpg inside the ssh-session - /dev/pts/0 is the used terminal but the pinentry always goes to /dev/tty0 and is waiting there for user-input.

nephron ... you need to put "GPG_TTY=$(tty)" in whatever shell initialisation file is called for interactive shells (so for example ~/.bashrc ... don't use ~/.bash_profile as it's generally only invoked for login shells).

... or revert to app-crypt/gnupg-1.4.16 (see here) to get rid of pinentry entirely and use the old input method.

HTH & best ... khay
nephron (n00b; Joined: 18 Oct 2007; Posts: 66)
Posted: Sat May 03, 2014 1:12 pm

Sorry for my inaccuracy... :oops: So some facts below:

Code:

# gpg --version
gpg (GnuPG) 1.4.11
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB
#


AFAIK - genkernel is using gnupg-1.4.X by default to simplify things - e.g. gnupg-agent and pinentry stuff ..

I've already tried to fix this issue by setting GPG_TTY=$(tty):

Code:

# tty
/dev/pts/0
# env
USER=root
HOME=/root
SSH_TTY=/dev/pts/0
LOGNAME=root
TERM=rxvt-unicode
PATH=/usr/sbin:/usr/bin:/sbin:/bin
SHELL=/bin/login-remote.sh
PWD=/root
GPG_TTY=/dev/pts/0
SSH_CONNECTION=10.111.222.104 51682 10.111.222.23 22


I remember reading some stuff regarding the black magic of /dev/tty - which (please correct me if I am wrong) always points to the used terminal like /dev/pts/0 - and that's it:


Code:

# echo test > /dev/pts/0
test
# echo test > /dev/tty
# echo test > /dev/tty0
# echo test > /dev/tty1
#


/dev/tty, /dev/tty0 and /dev/tty1 are pointing to /dev/console.. This "test" is showing up there (3 times).. 8O

So I guess the gnupg is trying to use /dev/tty to get the passphrase-input - and this is stupidly not /dev/pts/0

Why the hell - I do not know... :!:


edit: typo
khayyam (Watchman; Joined: 07 Jun 2012; Posts: 6227; Location: Room 101)
Posted: Sat May 03, 2014 2:02 pm

nephron wrote:
AFAIK - genkernel is using gnupg-1.4.X by default to simplify things - e.g. gnupg-agent and pinentry stuff ...

nephron ... yes, it has VERSION_GPG='1.4.11', but 1.4.x doesn't use pinentry, nor does it use the GPG_TTY variable (this is used in the 2.x series ... which requires pinentry).

nephron wrote:
So I guess the gnupg is trying to use /dev/tty to get the passphrase-input - and this is stupidly not /dev/pts/0

looking at the patch it doesn't seem as though /dev/pts is being set up prior to dropbear, better-initramfs has the following:

functions.sh
Code:
setup_sshd() {
  # Prepare /dev/pts.
  einfo "Mounting /dev/pts ..."
  if ! [ -d /dev/pts ]; then run mkdir /dev/pts; fi
  run mount -t devpts none /dev/pts

  # Prepare dirs.
  dodir /etc/dropbear /var/log /var/run /root/.ssh
[...]

... I would check that /dev/pts in fact exists.

best ... khay
nephron (n00b; Joined: 18 Oct 2007; Posts: 66)
Posted: Sat May 03, 2014 2:13 pm

sure it exists:

Code:

# ls -la /dev/pts
drwxr-xr-x    2 root     root             0 May  3 14:44 .
drwxr-xr-x    8 root     root          3320 May  3 15:04 ..
crw--w--w-    1 root     root      136,   0 May  3 16:03 0
# tty
/dev/pts/0
# mount
proc on /proc type proc (noexec,nosuid,nodev)
udev on /dev type devtmpfs (exec,nosuid,mode=0755,size=10M)
devpts on /dev/pts type devpts (gid=5,mode=0620)
sysfs on /sys type sysfs (noexec,nosuid,nodev)
#



in genkernel it is in /etc/initrc.scripts:
Code:

   # http://git.busybox.net/busybox/plain/docs/mdev.txt
   if ! fs_type_in_use devpts; then
      mkdir -m 0755 /dev/pts
      mount -t devpts -o gid=5,mode=0620 devpts /dev/pts  || bad_msg "Failed to mount /dev/pts"
   fi
}



BTW: I have console=tty in kernel cmdline
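The two checks this thread keeps circling back to are "which device does /dev/tty actually alias for my shell?" and "how does a process that was handed /dev/pts/0 make that pty its controlling terminal?". The following is an added example, not code from this thread, from genkernel or from better-initramfs. It reads the controlling terminal of the calling process from the tty_nr field of /proc/self/stat (which is what /dev/tty refers to, and where GnuPG 1.4 reads its passphrase prompt from), and it shows the setsid()+TIOCSCTTY step that login(1) and getty perform before exec'ing a shell. Device-number decoding follows proc(5); the driver-to-path mapping used here (major 4 = virtual consoles and serial ports, 5:1 = /dev/console, 136 = Unix98 pty slaves) is Linux-specific and assumed.

```c
/*
 * Added example (not from the forum thread, genkernel or better-initramfs).
 * 1) controlling_tty(): which device /dev/tty resolves to for this process,
 *    taken from tty_nr in /proc/self/stat.
 * 2) acquire_ctty(): make a pty (e.g. /dev/pts/0) the controlling terminal
 *    of a freshly forked process via setsid() + TIOCSCTTY, as login(1) does.
 * A shell started without step 2 keeps the controlling tty it inherited from
 * its parent's session (e.g. /dev/console in an initramfs), so any prompt
 * written to /dev/tty lands there rather than on the ssh session's pty.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Decode tty_nr from /proc/<pid>/stat into a device path (Linux layout,
 * proc(5): major = bits 15..8, minor = bits 31..20 and 7..0).
 * Returns 1 and fills buf; returns 0 with buf = "" when tty_nr is 0, i.e.
 * the process has no controlling terminal. Unknown drivers -> "major:minor". */
int tty_nr_to_path(unsigned tty_nr, char *buf, size_t len) {
    unsigned major = (tty_nr >> 8) & 0xff;
    unsigned minor = (tty_nr & 0xff) | ((tty_nr >> 12) & 0xfff00);
    if (tty_nr == 0) { buf[0] = '\0'; return 0; }
    if (major == 4 && minor < 64)      snprintf(buf, len, "/dev/tty%u", minor);       /* virtual consoles */
    else if (major == 4)               snprintf(buf, len, "/dev/ttyS%u", minor - 64);  /* serial ports */
    else if (major == 5 && minor == 1) snprintf(buf, len, "/dev/console");
    else if (major == 136)             snprintf(buf, len, "/dev/pts/%u", minor);       /* Unix98 pty slave */
    else                               snprintf(buf, len, "%u:%u", major, minor);
    return 1;
}

/* Controlling terminal of the calling process. Field 7 (tty_nr) of
 * /proc/self/stat is parsed from the last ')' onward, because the comm
 * field before it may itself contain spaces. */
int controlling_tty(char *buf, size_t len) {
    char line[512];
    buf[0] = '\0';
    FILE *f = fopen("/proc/self/stat", "r");
    if (!f) return 0;
    int ok = fgets(line, sizeof line, f) != NULL;
    fclose(f);
    char *p = ok ? strrchr(line, ')') : NULL;
    if (!p) return 0;
    char state; int ppid, pgrp, sid; unsigned tty_nr;
    if (sscanf(p + 1, " %c %d %d %d %u", &state, &ppid, &pgrp, &sid, &tty_nr) != 5) return 0;
    return tty_nr_to_path(tty_nr, buf, len);
}

/* Make `path` the controlling terminal of the caller and point stdio at it.
 * Call it from a process that is not yet a session leader (a fresh fork()):
 * setsid() then creates a new session with no controlling tty and TIOCSCTTY
 * attaches the pty to it. The open() comes first so that a bad path fails
 * without any session side effects. Returns 0, or -1 with errno set. */
int acquire_ctty(const char *path) {
    int fd = open(path, O_RDWR | O_NOCTTY);
    if (fd < 0) return -1;
    if (setsid() < 0 || ioctl(fd, TIOCSCTTY, 0) < 0 ||
        dup2(fd, STDIN_FILENO) < 0 || dup2(fd, STDOUT_FILENO) < 0 || dup2(fd, STDERR_FILENO) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    if (fd > STDERR_FILENO) close(fd);
    return 0;
}

/* Usage: ./ctty              -> report the stdin device and the /dev/tty device
 *        ./ctty /dev/pts/0   -> additionally fork a child that takes /dev/pts/0
 *                               as its controlling tty and reports again there */
int main(int argc, char **argv) {
    char dev[64];
    const char *in = ttyname(STDIN_FILENO);
    printf("stdin   : %s\n", in ? in : "(not a tty)");
    printf("/dev/tty: %s\n", controlling_tty(dev, sizeof dev) ? dev : "(no controlling tty)");
    if (argc < 2) return 0;
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {
        if (acquire_ctty(argv[1]) < 0) { perror("acquire_ctty"); _exit(1); }
        /* stdio now is the pty: this line shows up on argv[1], not on the console */
        printf("/dev/tty: %s (child, after TIOCSCTTY)\n", controlling_tty(dev, sizeof dev) ? dev : "(none)");
        _exit(0);
    }
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run inside the ssh session: if "stdin" reports /dev/pts/0 but "/dev/tty" reports /dev/console, the shell's session never adopted the pty as its controlling terminal, and exporting GPG_TTY cannot change that for a program that opens /dev/tty directly.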
khayyam (Watchman; Joined: 07 Jun 2012; Posts: 6227; Location: Room 101)
Posted: Sat May 03, 2014 2:21 pm

nephron wrote:
sure it exists:

nephron ... and there I was returning to edit the above having thought "oh, it was echoed to".

Not sure what to suggest ... right now I'm off to run some errands, will comment later if anything comes to mind.

best ... khay