  1. #!/bin/sh
  2. # seckey2sshagent: this is a hack of a script to cope with the fact
  3. # that openpgp2ssh currently cannot support encrypted secret keys.
  4. # the basic operating principle is:
  5. # export the secret key in encrypted format to a new keyring
  6. # remove the passphrase in that keyring
  7. # use that keyring with openpgp2ssh
  8. # Authors: Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
  9. # Jameson Rollins <jrollins@fifthhorseman.net>
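#######################################
# Remove the temporary GNUPGHOME that held the passphrase-stripped copy of
# the key.  Called both at the end of each loop iteration and from the EXIT
# trap, so it must tolerate TMPPRIVATE being unset, empty or already gone
# (the previous version ran rm -rf "$TMPPRIVATE" unconditionally, which with
# an empty value only produced an error message from rm).
# NOTE: rm merely unlinks the files; the unencrypted key material that was
# written into this directory is not overwritten and may remain recoverable
# from the underlying storage until the blocks are reused.
# Globals:   TMPPRIVATE (read)
# Outputs:   progress messages on stderr
# Returns:   0 when nothing needs removing, else the status of rm
#######################################
cleanup() {
  if [ -n "$TMPPRIVATE" ] && [ -d "$TMPPRIVATE" ]; then
    printf '%s' "removing temp gpg home... " 1>&2
    rm -rf -- "$TMPPRIVATE"
    printf '%s\n' "done." 1>&2
  fi
}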
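#######################################
# Print the usage/strategy text to stdout.
# printf is used instead of "echo -n": the script runs under /bin/sh, where
# echo's handling of -n is not portable (some implementations print "-n"
# literally).  The text itself is unchanged; it contains no % or backslash,
# so '%s' reproduces it byte for byte, without a trailing newline beyond the
# one inside the string.
# Arguments: none
# Outputs:   the explanation text on stdout
#######################################
explanation() {
  printf '%s' "The basic strategy of seckey2sshagent is to dump your
OpenPGP authentication key(s) into your agent.
This script is a gross hack at the moment. It is done by creating a
new, temporary private keyring, letting the user remove the
passphrases from the keys, and then exporting them. The temporary
private keyring is purged from the system.
When you use this command, you'll find yourself dropped into a GPG
'edit-key' dialog relevant *only* to the temporary private keyring.
At that point, you should clear the password from your key, with:
passwd
<enter your current password>
followed by the empty string for the new password. GPG will ask you
if you're really sure. Answer yes, because this is only relevant to
the temporary keyring. Then, do:
save
At this point, your key will be added to your running ssh-agent with
the alias 'monkeysphere-key' and seckey2sshagent should terminate.
You can check on it with:
ssh-add -l
"
}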
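# if no hex string is supplied, just print an explanation.
# this covers seckey2sshagent --help, --usage, -h, etc...
# printf rather than echo: an argument such as "-n" or "-e" would otherwise
# be consumed as an echo option, leaving an empty string for tr and letting
# a non-hex value slip past this check into the gpg calls below.
if [ "$(printf '%s' "$1" | tr -d '0-9a-fA-F')" ]; then
  explanation
  exit
fi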
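# Make sure the temporary keyring is removed on every exit path.
trap cleanup EXIT

# Key IDs / fingerprints to process.  A non-empty $1 has already been
# checked to contain only hex digits, so word-splitting it later is safe.
GPGIDS="$1"
if [ -z "$GPGIDS" ]; then
  # default to using all fingerprints of authentication-enabled keys.
  # The previous version passed "$GPGID" here; that variable is not set until
  # the loop below, so gpg received an empty pattern argument.  It is dropped.
  # NOTE(review): the regex assumes the capability field (containing "a" for
  # authentication) is the last colon-separated field of the sec/ssb record.
  # Newer gpg releases append further fields, so this filter may select
  # nothing — verify against the installed gpg's --with-colons output.
  GPGIDS=$(gpg --with-colons --fingerprint --fingerprint --list-secret-keys \
    | grep -E -A1 '^(ssb|sec):.*:[^:]*a[^:]*:$' \
    | grep '^fpr:' \
    | cut -d: -f10)
fi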
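for GPGID in $GPGIDS; do
  # Each key gets its own throwaway GNUPGHOME.  Abort if mktemp fails: with
  # an empty TMPPRIVATE, GNUPGHOME="" is treated by gpg like an unset
  # variable, so every step below would run against the user's real keyring —
  # including the interactive passphrase removal.
  TMPPRIVATE=$(mktemp -d) || exit 1

  # Copy the (still passphrase-protected) secret key into the temporary
  # keyring.  If nothing was imported (e.g. the export was cancelled), skip
  # this key instead of opening edit-key on an empty keyring.
  if ! gpg --export-secret-key "$GPGID" | GNUPGHOME="$TMPPRIVATE" gpg --import; then
    printf '%s\n' "import of $GPGID into temporary keyring failed, skipping." 1>&2
    cleanup
    continue
  fi

  # idea to script the password stuff. not working.
  # read -s -p "enter gpg password: " PASSWD; echo
  # cmd=$(cat <<EOF
  # passwd
  # $PASSWD
  # \n
  # \n
  # \n
  # yes
  # save
  # EOF
  # )
  # echo -e "$cmd" | GNUPGHOME="$TMPPRIVATE" gpg --command-fd 0 --edit-key $GPGID

  # Interactive step: the user strips the passphrase ("passwd", then "save")
  # from the copy in the temporary keyring only.  From here until cleanup the
  # unencrypted secret key sits on disk inside "$TMPPRIVATE".
  GNUPGHOME="$TMPPRIVATE" gpg --edit-key "$GPGID"

  # creating this alias so the key is named "monkeysphere-key" in the
  # comment stored by the agent, while never being written to disk in
  # SSH form:
  ln -s /dev/stdin "$TMPPRIVATE"/monkeysphere-key

  # ssh-add -c marks the identity as requiring confirmation from the agent
  # before each use.
  GNUPGHOME="$TMPPRIVATE" gpg --export-secret-keys "$GPGID" \
    | openpgp2ssh "$GPGID" \
    | (cd "$TMPPRIVATE" && ssh-add -c monkeysphere-key)

  cleanup
done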