diff options
author | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2008-08-05 12:13:49 -0400 |
---|---|---|
committer | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2008-08-05 12:13:49 -0400 |
commit | e238f6d15705176f076ad02d62501190d1008c92 (patch) | |
tree | c014287de71db87bcdfa3c35ab9d50fe4e981f58 | |
parent | eb9ad81061f6dbe1f5a0abfd284d04a927a9c961 (diff) |
cleanup and explanation for seckey2sshagent hack.
-rwxr-xr-x | src/seckey2sshagent | 76 |
1 files changed, 66 insertions, 10 deletions
diff --git a/src/seckey2sshagent b/src/seckey2sshagent index 1266db5..deab489 100755 --- a/src/seckey2sshagent +++ b/src/seckey2sshagent @@ -21,15 +21,63 @@ cleanup() { echo "done." 1>&2 } +explanation() { + + echo -n "The basic strategy of seckey2sshagent is to dump your +OpenPGP authentication key(s) into your agent. + +This script is a gross hack at the moment. It is done by creating a +new, temporary private keyring, letting the user remove the +passphrases from the keys, and then exporting them. The temporary +private keyring is purged from the system. + +When you use this command, you'll find yourself dropped into a GPG +'edit-key' dialog relevant *only* to the temporary private keyring. + +At that point, you should clear the password from your key, with: + + passwd + <enter your current password> + +followed by the empty string for the new password. GPG will ask you +if you're really sure. Answer yes, because this is only relevant to +the temporary keyring. Then, do: + + save + exit + +At this point, your key will be added to your running ssh-agent with +the alias 'monkeysphere-key' and seckey2sshagent should terminate. +You can check on it with: + + ssh-add -l + +" + +} + +# if no hex string is supplied, just print an explanation. +# this covers seckey2sshagent --help, --usage, -h, etc... +if [ "$(echo "$1" | tr -d '0-9a-fA-F')" ]; then + explanation + exit +fi + trap cleanup EXIT -#GPGID="$1" -GPGID=$(echo "$1" | cut -c 25-) +GPGIDS="$1" -FOO=$(mktemp -d) +if [ -z "$GPGIDS" ]; then + # default to using all fingerprints of authentication-enabled keys + GPGIDS=$(gpg --with-colons --fingerprint --fingerprint --list-secret-keys "$GPGID" | egrep -A1 '^(ssb|sec):.*:[^:]*a[^:]*:$' | grep ^fpr: | cut -d: -f10) +fi -gpg --export-secret-key $GPGID | GNUPGHOME="$FOO" gpg --import +for GPGID in $GPGIDS; do + TMPPRIVATE=$(mktemp -d) + + gpg --export-secret-key $GPGID | GNUPGHOME="$TMPPRIVATE" gpg --import + # idea to script the password stuff. not working. # read -s -p "enter gpg password: " PASSWD; echo # cmd=$(cat <<EOF @@ -42,11 +90,19 @@ gpg --export-secret-key $GPGID | GNUPGHOME="$FOO" gpg --import # save # EOF # ) -# echo -e "$cmd" | GNUPGHOME="$FOO" gpg --command-fd 0 --edit-key $GPGID - -GNUPGHOME="$FOO" gpg --edit-key $GPGID +# echo -e "$cmd" | GNUPGHOME="$TMPPRIVATE" gpg --command-fd 0 --edit-key $GPGID + + GNUPGHOME="$TMPPRIVATE" gpg --edit-key $GPGID + +# creating this alias so the key is named "monkeysphere-key" in the +# comment stored by the agent, while never being written to disk in +# SSH form: + ln -s /dev/stdin "$TMPPRIVATE"/monkeysphere-key + + GNUPGHOME="$TMPPRIVATE" gpg --export-secret-keys $GPGID | \ + openpgp2ssh $GPGID | (cd "$TMPPRIVATE" && ssh-add -c monkeysphere-key) + + cleanup +done -ln -s /dev/stdin "$FOO"/openpgp -GNUPGHOME="$FOO" gpg --export-secret-key $GPGID | \ - openpgp2ssh $GPGID | ssh-add -c "$FOO"/openpgp |