diff options
Diffstat (limited to 'website/bugs/handle-passphrase-locked-secret-keys.mdwn')
-rw-r--r-- | website/bugs/handle-passphrase-locked-secret-keys.mdwn | 117 |
1 files changed, 0 insertions, 117 deletions
diff --git a/website/bugs/handle-passphrase-locked-secret-keys.mdwn b/website/bugs/handle-passphrase-locked-secret-keys.mdwn deleted file mode 100644 index 5143db6..0000000 --- a/website/bugs/handle-passphrase-locked-secret-keys.mdwn +++ /dev/null @@ -1,117 +0,0 @@ -[[!meta title="MonkeySphere can't deal with passphrase-locked primary keys"]] - -At the moment, the only tool we have to export passphrase-locked -secret keys from the GPG keyring is `gpg` itself (and `gpg2`, which -has roughly the same behavior). - -As a result, we have the `seckey2sshagent` hack, which is unfriendly -and awkward to use. - -Ideally, `openpgp2ssh` would be able to convert passphrase-locked -secret keys into clean subkeys. However, i've tried to do this via -GnuTLS, and that library is not ready for this. - -OpenCDK, which is the component of GnuTLS which reads OpenPGP-style -keys, cannot cope with encrypted secret key material. I have had -[some -success](http://lists.gnu.org/archive/html/gnutls-devel/2008-06/msg00092.html) -in getting GnuTLS's OpenCDK to accept the existence of encrypted -secret key packets, [i learned that OpenCDK as included in GnuTLS is -incapable of dealing with the encrypted packets -themselves](http://lists.gnu.org/archive/html/gnutls-devel/2008-07/msg00012.html). - - -Some possible resolutions: - ---------- - -If we can assume that the passphrase-encrypted key we want to use is -actually a subkey, and if we could fix GnuTLS to ignore the use of the -"gnu-dummy S2K" produced by `gpg --export-secret-subkeys` for the -primary key, then something like the following script should actually -work for reasonable values of `$KEYID`: - - TMPDIR=$(mktemp -d) - umask 077 - mkfifo "$TMPDIR/passphrase" - kname="MonkeySphere Key $KEYID" - mkfifo "$TMPDIR/$kname" - ssh-askpass "Please enter the passphrase for MonkeySphere key $KEYID" >"$TMPDIR/passphrase" & - gpg --passphrase-fd 3 3<"$TMPDIR/passphrase" \ - --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes \ - --export-secret-subkeys "$KEYID"\! | openpgp2ssh "$KEYID" > "$TMPDIR/$kname" & - (cd "$TMPDIR" && ssh-add -c "$kname") - rm -rf "$TMPDIR" - -Good news! [I've crafted a patch for GnuTLS to enable it to read -exported subkeys using this GNU -extension](http://lists.gnu.org/archive/html/gnutls-devel/2008-08/msg00005.html), -so if we can get it incorporated into upstream (and/or into debian), -we have a possible solution, as long as the authentication key is a -subkey, and not a primary key. - -As of version 0.11-1, `monkeysphere subkey-to-ssh-agent` implements -this particular strategy (and fails cleanly if the version of GnuTLS -present doesn't support the GNU dummy S2K extension). - ---------- - -Ben Laurie and Rachel Willmer's -[OpenPGPSDK](http://openpgp.nominet.org.uk) is a candidate: this is a -C-based library that intends to implement RFC 4880 functionality. - -We could potentially re-write `openpgp2ssh` using this library, and it -*should* be able to handle everything we need from the OpenPGP side -(though it might need to be re-linked to OpenSSL to handle PEM-encoded -exports. - -Concerns: - -* OpenPGPSDK is not in debian yet, and doesn't currently (2008-08-13) - build with gcc 4.2 or 4.3. - -* OpenPGPSDK uses the apache license and appears to link to OpenSSL, - which has a GPL-incompatible license. I think this would mean that - `openpgp2ssh` could not remain GPL (though the rest of the - monkeysphere could). - ---------- - -We could try to use perl. The last time i checked, the pure-perl -OpenPGP implementations all depended on Math::PARI, which [is not in -debian](http://bugs.debian.org/440527). The most likely candidate is -[Crypt::OpenPGP](http://search.cpan.org/~btrott/Crypt-OpenPGP), -despite [some -bugginess](http://cpanratings.perl.org/dist/Crypt-OpenPGP). - -Concerns: - -* the aforementioned buggy reviews - -* there's a lot of dependency chasing to get anything like this - available in debian. - ---------- - -Other alternatives? - --------- - -Can this bug be closed? dkg [reported in a comment for a related -bug](/bugs/install-seckey2sshagent-in-usr-bin/): - - Version 0.11-1 now has the monkeysphere subkey-to-ssh-agent - subcommand, which works cleanly in the presence of a - functionally-patched GnuTLS. - --------- - -Even with the patched GnuTLS, monkeysphere currently can't currently -deal with passphrase-locked primary keys. I've changed the title of -this bug, but i'd like to keep it open until we are able to deal with -that. The other comments here seem still quite relevant to that -need. - -I've changed the title of this bug to reflect the narrowed scope. - - --dkg |