Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
gpg-agent unlock key at login
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
potuz
Guru
Guru


Joined: 30 Jan 2010
Posts: 378

PostPosted: Tue Dec 16, 2014 1:13 am    Post subject: gpg-agent unlock key at login Reply with quote

Hello, I use gpg-agent as a keychain manager. I would like to unlock the keychain when I type my password at the login console. How would I go about it?

Incidentally, in my current set up I launch gpg-agent from ~/.xinitrc and pinentry-gtk prompts for my password twice. Once when it needs a key to decrypt and another time when it needs the key to sign. Is there a way to unlock all keys at once?
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Tue Dec 16, 2014 1:48 am    Post subject: Reply with quote

potuz ...

by "login console" I assume you mean the console (so, not DM). You could call gpg-agent from your shell login, but its probably simpler to use net-misc/keychain. You would need to edit your shell config (probably .bash_profile), call keychain and source the ~/.keychain/${HOSTNAME}-sh.

best ... khay
Back to top
View user's profile Send private message
potuz
Guru
Guru


Joined: 30 Jan 2010
Posts: 378

PostPosted: Tue Dec 16, 2014 2:01 am    Post subject: Reply with quote

khayyam wrote:
potuz ...

by "login console" I assume you mean the console (so, not DM).

Indeed, no DM, I now automatically login a user and start X from .bashrc. What I'm trying to do is to stop autologin and hopefully use the password that I type at the login prompt (the one that the login program launched by agetty will produce) to not only start my session but also unlock the keychain.

khayyam wrote:

You could call gpg-agent from your shell login, but its probably simpler to use net-misc/keychain. You would need to edit your shell config (probably .bash_profile), call keychain and source the ~/.keychain/${HOSTNAME}-sh.

best ... khay

I haven't seen net-misc/keychain but it simply looks like a wrapper to gpg-agent. I don't understand how changing anything in .bash_profile will allow me to unlock my keychain (or tell gpg-agent to cache the keys in memory) from the login prompt. I thought this should be some form of a PAM module of sorts.
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Tue Dec 16, 2014 12:00 pm    Post subject: Reply with quote

potuz wrote:
khayyam wrote:
You could call gpg-agent from your shell login, but its probably simpler to use net-misc/keychain. You would need to edit your shell config (probably .bash_profile), call keychain and source the ~/.keychain/${HOSTNAME}-sh.

I haven't seen net-misc/keychain but it simply looks like a wrapper to gpg-agent. I don't understand how changing anything in .bash_profile will allow me to unlock my keychain (or tell gpg-agent to cache the keys in memory) from the login prompt. I thought this should be some form of a PAM module of sorts.

potuz ... that wasn't altogether clear. Indeed for a single login and *-agent authentication some pam module is required. I do this for ssh-agent with sys-auth/pam_ssh but I'm not aware of something similar for gpg-agent. In the case of pam_ssh the key is used as the login authenticator, once authenticated ssh-agent is started and SSH_AUTH_SOCK is passed as an environment variable to the shell, subsequently the key can be accessed. In the case of gnupg this probably isn't possible as it uses pinentry for input, so 'login' (and therefore pam) is out of the loop.

best ... khay
Back to top
View user's profile Send private message
potuz
Guru
Guru


Joined: 30 Jan 2010
Posts: 378

PostPosted: Tue Dec 16, 2014 1:03 pm    Post subject: Reply with quote

Thanks, it seems that a pam module does exist, but I need a wrapper over gpg-agent anyway. I think https://github.com/vodik/envoy does what I want. Specially the issue discussed in https://github.com/vodik/envoy/issues/6 I'll try this at some point, but for now pinentry works for me, just a pity having to type twice my password of 16 characters and symbols.
Back to top
View user's profile Send private message
AngelKnight
Tux's lil' helper
Tux's lil' helper


Joined: 14 Jan 2003
Posts: 126

PostPosted: Tue Jan 06, 2015 9:44 am    Post subject: Reply with quote

(thread necromancy, oops)

If you're not logging in via a DM, what's wrong with Keychain? If I recall correctly there's a perfectly working .ebuild for this stable in the tree. Bonus is that it is designed to manage both ssh and GnuPG keychains and knows how to communicate to both ssh-agent and gpg-agent.
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Tue Jan 06, 2015 7:58 pm    Post subject: Reply with quote

AngelKnight wrote:
If you're not logging in via a DM, what's wrong with Keychain? If I recall correctly there's a perfectly working .ebuild for this stable in the tree. Bonus is that it is designed to manage both ssh and GnuPG keychains and knows how to communicate to both ssh-agent and gpg-agent.

AngelKnight ... because the OP wants a single login/authentication ... and keychain is subsequent to 'login'. I do this for ssh-agent using sys-auth/pam_ssh, my ssh-key is used as authentication, and once authenticated ssh-agent is setup for my login.

best ... khay
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum