[Bug 349738] New: evaluate use of gpg-agent with ssh support instead of ssh-agent
https://bugzilla.novell.com/show_bug.cgi?id=349738

Summary: evaluate use of gpg-agent with ssh support instead of ssh-agent
Product: openSUSE 11.0
Version: unspecified
Platform: All
OS/Version: openSUSE 11.0
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: wolfgang@rosenauer.org
QAContact: qa@suse.de
Found By: ---

Since gpg2 (and therefore gpg-agent) is quite usable now, I think it's time to think about replacing ssh-agent with gpg-agent. Currently we start gpg-agent and ssh-agent in X sessions automatically, but gpg-agent should be able to replace ssh-agent in a transparent way.

The only thing I noticed while testing that is that gpg-agent wants to have another passphrase for every SSH identity to encrypt it in its session (and temporary file store). So when ssh-add is executed it asks for the key passphrase and for another temporary storage password in the gpg-agent.

But if that replacement would be possible we would get rid of one agent. What do you think?

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=349738#c1

Thomas Biege <thomas@novell.com> changed:
  CC: added anicka@novell.com, pcerny@novell.com

--- Comment #1 from Thomas Biege <thomas@novell.com> 2007-12-27 08:41:14 MST ---
Hello Wolfgang. I added our maintainers.
https://bugzilla.novell.com/show_bug.cgi?id=349738#c2

Anna Bernathova <anicka@novell.com> changed:
  CC: added werner@novell.com

--- Comment #2 from Anna Bernathova <anicka@novell.com> 2008-01-04 09:13:15 MST ---
As for me, it does not really matter whether we are going to continue using ssh-agent or not, I will have to maintain it anyway. And I really cannot evaluate the advantages of using gpg-agent over ssh-agent. I am adding Werner to CC because he might have a valuable opinion on this issue.
https://bugzilla.novell.com/show_bug.cgi?id=349738#c3

--- Comment #3 from Dr. Werner Fink <werner@novell.com> 2008-01-04 09:32:51 MST ---
IMHO the gpg-agent should be able to ask for the passphrase with the help of /usr/lib64/ssh/x11-ssh-askpass, which is that the environment variable SSH_ASKPASS is read with getenv(). From the manual page of gpg-agent it seems a bit different:

[...]
    Note: in case the gpg-agent receives a signature request, the user
    might need to be prompted for a passphrase, which is necessary for
    decrypting the stored key. Since the ssh-agent protocol does not
    contain a mechanism for telling the agent on which display/terminal
    it is running, gpg-agent's ssh-support will use the TTY or X display
    where gpg-agent has been started. To switch this display to the
    current one, the following command may be used:

        echo UPDATESTARTUPTTY | gpg-connect-agent
[...]
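The following is an added example, not code from the bug report or from openSUSE's X session scripts. It shows the setup the thread is debating: gpg-agent with its ssh-agent emulation switched on, the socket path ssh(1) has to be given in SSH_AUTH_SOCK, and the UPDATESTARTUPTTY step from the manual page text quoted above, wrapped as a function a user would call in each new terminal. It assumes GnuPG 2.x with gpg-connect-agent on the PATH; "gpgconf --list-dirs agent-ssh-socket" exists only in newer releases (2.1.13 and later), so the socket lookup falls back to the classic $GNUPGHOME/S.gpg-agent.ssh path. The demo at the bottom runs against a scratch GNUPGHOME so that it never touches a real configuration and starts no agent.

```shell
#!/bin/sh
# Added example: gpg-agent as the session's ssh-agent, plus the
# UPDATESTARTUPTTY step from gpg-agent(1). Not code from the bug report or
# from openSUSE's X session scripts. Assumes GnuPG 2.x with
# gpg-connect-agent; "gpgconf --list-dirs agent-ssh-socket" exists only in
# newer releases (2.1.13 and later), so the socket lookup falls back to the
# classic $GNUPGHOME/S.gpg-agent.ssh.

# Turn on the ssh-agent protocol emulation in gpg-agent.conf.
# Idempotent: a second call does not duplicate the option.
write_gpg_agent_conf() {
    conf="$1/gpg-agent.conf"
    mkdir -p "$1" && chmod 700 "$1"
    touch "$conf"
    grep -qx 'enable-ssh-support' "$conf" || echo 'enable-ssh-support' >>"$conf"
}

# Path ssh(1) needs in SSH_AUTH_SOCK to talk to gpg-agent instead of ssh-agent.
ssh_auth_sock_for_gpg_agent() {
    gnupghome="${GNUPGHOME:-$HOME/.gnupg}"
    sock=""
    if command -v gpgconf >/dev/null 2>&1; then
        sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null) || sock=""
    fi
    [ -n "$sock" ] || sock="$gnupghome/S.gpg-agent.ssh"
    printf '%s\n' "$sock"
}

# The ssh-agent protocol carries no tty/display, so a passphrase prompt
# would otherwise appear wherever gpg-agent was started. Point the agent
# at the current terminal (GPG_TTY) and DISPLAY. Fails if no agent answers.
update_startup_tty() {
    GPG_TTY=$(tty 2>/dev/null) && export GPG_TTY
    echo UPDATESTARTUPTTY | gpg-connect-agent >/dev/null 2>&1
}

# Demo against a scratch GNUPGHOME: nothing real is modified and no agent
# is started. In a login session you would instead run, once:
#   export SSH_AUTH_SOCK=$(ssh_auth_sock_for_gpg_agent)
# and in every new terminal before the first ssh:  update_startup_tty
scratch=$(mktemp -d)
write_gpg_agent_conf "$scratch"
echo "wrote $scratch/gpg-agent.conf:"
cat "$scratch/gpg-agent.conf"
echo "SSH_AUTH_SOCK would be: $( GNUPGHOME=$scratch; export GNUPGHOME; ssh_auth_sock_for_gpg_agent )"
rm -rf "$scratch"
```

On the GnuPG 2.0 releases current when this bug was filed there was no gpgconf autostart; the session script started the agent with eval "$(gpg-agent --daemon --enable-ssh-support)", which printed the SSH_AUTH_SOCK export for you. The double prompt described in the report is a one-time cost per key: on the first ssh-add, gpg-agent asks for the key's own passphrase to import it and then for a new one because it re-encrypts the key into its own private-keys-v1.d store; later signatures only ask for the second passphrase, cached for default-cache-ttl-ssh seconds.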
https://bugzilla.novell.com/show_bug.cgi?id=349738#c4

--- Comment #4 from Petr Cerny <pcerny@novell.com> 2008-01-24 11:38:04 MST ---
Well, I'm not really sure how many people use agents, and especially ssh-agent, regularly, as it has some drawbacks as well. One problem is e.g. using multiple keys (typically one per server): servers usually have some limit on how many times key authentication can be tried. Hence when the agent program doesn't supply the correct key fast enough, login fails. In some cases this might lead to the user entering the correct password(s) (to unlock the key(s) in the agent) and still being denied the remote service. That would be a very disappointing experience (for both the user and the administrator debugging the problem).
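The failure mode in comment #4 is independent of which agent is used: ssh(1) offers every loaded key in turn, and sshd counts each rejected key as a failed attempt against MaxAuthTries (default 6), so a user with one key per server is disconnected with "Too many authentication failures" before the right key is reached. The added example below (not part of the bug discussion) checks the loaded-key count against that limit and emits the per-host ssh_config stanza that avoids it: IdentitiesOnly restricts ssh to the configured IdentityFile while still letting the agent do the signing. The ssh-add -l output it parses is constructed for the example; the host name and key path in the generated stanza are placeholders.

```shell
#!/bin/sh
# Added example, not part of the bug discussion. Assumes OpenSSH semantics:
# ssh offers every agent key in turn, sshd's MaxAuthTries defaults to 6,
# and IdentitiesOnly limits the client to the configured IdentityFile even
# when the agent holds more keys. The `ssh-add -l` sample is constructed.

# Number of identities in `ssh-add -l` style output read from stdin.
# Each identity line starts with the key size in bits.
count_agent_keys() {
    grep -c -E '^[0-9]+ ' || true
}

# Succeeds when N loaded keys exceed the server's MaxAuthTries (default 6),
# i.e. when a wrong ordering of keys can exhaust the attempts.
too_many_keys() {
    keys="$1"
    max="${2:-6}"
    [ "$keys" -gt "$max" ]
}

# ssh_config stanza pinning one key to one host. With IdentitiesOnly, ssh
# still asks the agent to sign, but only with the key whose public half is
# next to IdentityFile (the .pub file); other loaded keys are not offered.
host_stanza() {
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1" "$2"
}

# Constructed sample: seven identities loaded, one per server.
SAMPLE_SSH_ADD_L='2048 SHA256:FINGERPRINT-1 user@laptop (RSA)
2048 SHA256:FINGERPRINT-2 build.example.org (RSA)
256 SHA256:FINGERPRINT-3 git.example.org (ED25519)
2048 SHA256:FINGERPRINT-4 backup.example.org (RSA)
256 SHA256:FINGERPRINT-5 www.example.org (ED25519)
2048 SHA256:FINGERPRINT-6 db.example.org (RSA)
256 SHA256:FINGERPRINT-7 monitor.example.org (ED25519)'

n=$(printf '%s\n' "$SAMPLE_SSH_ADD_L" | count_agent_keys)
if too_many_keys "$n" 6; then
    echo "agent holds $n keys; a server with MaxAuthTries 6 may disconnect before the right one is tried" >&2
    echo "add to ~/.ssh/config (placeholder host and key path):"
    host_stanza build.example.org '~/.ssh/id_build'
fi
```

In a real session, replace the constructed sample with ssh-add -l piped into count_agent_keys. Raising MaxAuthTries on the server side also works but weakens the brute-force limit for everyone; the client-side pin is the safer fix.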
https://bugzilla.novell.com/show_bug.cgi?id=349738#c5

Ludwig Nussel <lnussel@novell.com> changed:
  AssignedTo: security-team@suse.de -> pcerny@novell.com

--- Comment #5 from Ludwig Nussel <lnussel@novell.com> 2008-03-06 09:54:29 MST ---
Reassigning to gpg2 maintainer.
https://bugzilla.novell.com/show_bug.cgi?id=349738#c6

--- Comment #6 from Petr Cerny <pcerny@novell.com> 2008-03-07 06:22:06 MST ---
Comment #0 implies it would be inconvenient for users to enter two passphrases for each ssh key added (and then maybe later after the cache expires). Also note that gpg-agent stays loaded after the session is finished; see bug #351888 for discussion on this. IMHO it would bring more problems than benefits (see also comment #4). If it's up to me to decide, I'll choose INVALID or WONTFIX.
https://bugzilla.novell.com/show_bug.cgi?id=349738#c7

Petr Cerny <pcerny@novell.com> changed:
  Status: NEW -> RESOLVED
  Resolution: INVALID

--- Comment #7 from Petr Cerny <pcerny@novell.com> 2008-03-19 12:22:56 MST ---
Closing as INVALID. If someone really, _really_ wants this, it should go into FATE as a new feature request.
participants (1)
-
bugzilla_noreply@novell.com