On 07/07/2014 02:40, Chris Stankevitz wrote:
> On Sun, Jul 6, 2014 at 1:32 PM, Alan McKinnon <alan.mckinnon@×××××.com> wrote:
>> Why not do the obvious thing instead?
>>
>> Run keychain and have it unlock your keys *once* when the workstation
>> boots up. ssh then always uses that key as it is unlocked.
>
> Alan,
>
> Thank you. FYI, I do not have a problem typing my password 100 times
> per day. The only problem I have with "pinentry" is that it doesn't
> let me paste. Does keychain allow me to paste? If so, I'll consider
> it. However, now that I have killed pinentry from my system I am
> happily pasting my passphrase into the ssh console.

keychain is a regular terminal app, so paste will always work.

On a side note, I always recommend people use a key agent unless there
is absolutely no need for one:

- typing the same passphrase repeatedly becomes tedious
- the largest attack surface for passwords is not cryptographic
weaknesses, it's over-the-shoulder attacks (aka shoulder surfing or
monitor whoring). It's when people watch what you type over your
shoulder, and after entering it for the fifth time most folks stop
making sure everyone else in the room is looking away

> On another note, from my OP, I am still curious how the ssh software
> knows to use /usr/bin/pinentry to fetch my passphrase. In a follow-up
> post, I discovered that this mechanism only works if an environment
> variable called GPG_AGENT_INFO is set. I doubt the ssh source code
> contains the string "/usr/bin/pinentry" or "GPG_AGENT_INFO".

I'm not sure how that stuff works (I suspect the presence of magic) :-)

I really should read up more about it, considering what kind of software
it is.


-- 
Alan McKinnon
alan.mckinnon@×××××.com
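Editor's added example, not code from either poster: a POSIX shell sketch of the "unlock once at login" setup Alan recommends, plus the mechanism Chris asks about. ssh contains no reference to pinentry or GPG_AGENT_INFO: it reads SSH_AUTH_SOCK, connects to that Unix socket and speaks the ssh-agent protocol to whatever answers. Normally that is ssh-agent (which keychain starts and keeps alive across logins); when gpg-agent is run with --enable-ssh-support it listens on an ssh socket too, exports that path as SSH_AUTH_SOCK (GnuPG 2.0 additionally advertised itself via GPG_AGENT_INFO, which 2.1 and later ignore), and it is gpg-agent, not ssh, that launches pinentry to ask for the passphrase. Assumptions in the code: the key file name id_ed25519, the env file path ~/.keychain/$HOSTNAME-sh (keychain's default, to my knowledge; check your install), and a `hostname` fallback when HOSTNAME is unset. The sample env file in the usage note is constructed.

```shell
#!/bin/sh
# Added example: reuse a running key agent at login, or start one with
# keychain and enter the passphrase exactly once. ssh itself only ever
# looks at SSH_AUTH_SOCK; pinentry is gpg-agent's business, not ssh's.

# Where keychain writes the shell snippet describing the agent it manages
# (assumption: keychain's default ~/.keychain/$HOSTNAME-sh).
keychain_env_file() {
    printf '%s/.keychain/%s-sh\n' "${HOME}" "${HOSTNAME:-$(hostname)}"
}

# Source an agent env file in the format both `ssh-agent -s` and
# `keychain --eval` print:
#   SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.123; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=124; export SSH_AGENT_PID;
# Returns 1 if the file is unreadable or did not set SSH_AUTH_SOCK.
load_agent_env() {
    _f=$1
    [ -r "$_f" ] || return 1
    # shellcheck disable=SC1090
    . "$_f"
    [ -n "${SSH_AUTH_SOCK:-}" ]
}

# 0 if SSH_AUTH_SOCK names a Unix socket that an agent answers on.
# `ssh-add -l` exits 2 when it cannot reach an agent; exit 1 means the
# agent is reachable but has no keys loaded, which still counts as alive.
agent_reachable() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1 || [ $? -ne 2 ]
}

# Login-time wrapper: reuse the agent keychain already started, otherwise
# let keychain start one and prompt for the passphrase once. KEYS lists the
# key files under ~/.ssh to add (assumption: id_ed25519).
ensure_agent() {
    KEYS=${KEYS:-id_ed25519}
    if load_agent_env "$(keychain_env_file)" && agent_reachable; then
        return 0
    fi
    command -v keychain >/dev/null 2>&1 || return 1
    # keychain --eval prints the same export lines as ssh-agent -s, so
    # eval'ing its output is what puts SSH_AUTH_SOCK into this shell.
    eval "$(keychain --eval --quiet --agents ssh $KEYS)"
    agent_reachable
}

# Typical use from ~/.profile:  ensure_agent && ssh-add -l
```

Because the passphrase is typed into keychain's own terminal prompt rather than a pinentry window, pasting works as Alan says, and with the agent file reused on every new shell the prompt appears once per boot rather than once per ssh invocation. To confirm the wiring by hand, run `echo "$SSH_AUTH_SOCK"` and then `ssh-add -l`: an exit status of 2 means ssh has no agent to talk to at all, which is the situation Chris was in after removing gpg-agent's ssh support.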