
README: NOTICE lacking references

Open cpixl opened this issue 9 years ago • 4 comments

Actually this is a personal request, not really an issue... but as it may be useful for others, I think it's worth opening it instead of sending a private e-mail.

You said that the recent changes in gpg-agent "deprecated" envoyd, but I found nothing in the changelogs explicit enough for me to understand how envoy could be replaced solely by gpg-agent.

Is there any reference or documentation that could point me in this direction? Until now envoy has worked really well for me, but I personally prefer fewer dependencies on my system... so I'm really curious how to achieve this setup.

cpixl avatar Nov 12 '15 16:11 cpixl

Oh, yeah, no worries, let's see what I can write up.

vodik avatar Nov 15 '15 20:11 vodik

It seems like the following is a good replacement:

~/.profile:

# Tell gpg-agent which tty to use for pinentry, then point ssh at gpg-agent's ssh socket
gpg-connect-agent UPDATESTARTUPTTY /bye
export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh

~/.zshrc:

# Refresh the tty for every new interactive shell
export GPG_TTY=$(tty)
gpg-connect-agent UPDATESTARTUPTTY /bye >/dev/null

blueyed avatar Dec 25 '15 21:12 blueyed

@blueyed it seems it doesn't work if the key is encrypted, even with the same passphrase as the logged-in user. Envoy's PAM module solves this problem, but I still don't see how to do this using only gpg-agent.

EDIT: Okay, I ended up with this (~~stolen from~~ based on this script):

/usr/local/lib/gpg-pam-preset:

#!/usr/bin/env bash

# Grab the PAM-provided auth token from stdin (pam_exec's expose_authtok);
# -r and an empty IFS keep backslashes and surrounding whitespace intact
IFS= read -r token

# Execute as PAM_USER or the logged-in user
su - ${PAM_USER:-$(id -un)} <<EOF

# Start agent if needed
if ! pgrep -U "\$USER" -x gpg-agent &> /dev/null; then
  gpg-agent --enable-ssh-support --allow-preset-passphrase --disable-scdaemon --daemon
fi

# Get the keygrips of the keys managed by gpg-agent (field 3 of each KEYINFO line;
# gpg-preset-passphrase takes a keygrip, not a fingerprint)
fingerprints=(\$(gpg-connect-agent "keyinfo --list" /bye | grep KEYINFO | cut -d' ' -f3))

# Preset the passphrase for each keygrip
for fingerprint in "\${fingerprints[@]}"; do
  /usr/lib/gnupg/gpg-preset-passphrase --preset "\$fingerprint" <<< "$token"
done

EOF

/etc/pam.d/login:

auth optional pam_exec.so expose_authtok /usr/local/lib/gpg-pam-preset

Maybe it's worth putting it in the README (or pointing to this issue) so others can use it too.

cpixl avatar Jan 17 '16 16:01 cpixl

@dan-santana Thanks for sharing this!

I do not like auto-unlocking on login, but if you want that, this looks fine.

blueyed avatar Jan 18 '16 21:01 blueyed
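The preset script above takes field 3 of every KEYINFO line, and the last reply points out that auto-unlocking leaves keys open. As an added example (not from this thread or the envoy project), here is a small parser for `gpg-connect-agent "keyinfo --list" /bye` output that separates on-disk keys still needing a preset from keys already cached, so a login hook touches only what it must and an admin can check what was left unlocked. The KEYINFO field layout is assumed from the gpg-agent protocol documentation; the sample lines and keygrips are constructed.

```shell
#!/usr/bin/env bash
# Assumed KEYINFO status line layout (gpg-agent Assuan protocol):
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
# type: D = key on disk, T = key on a smartcard, X = missing; cached: 1 = passphrase cached.

# Print "<keygrip> <type> <cached>" for each KEYINFO status line read on stdin,
# skipping OK/ERR and any other non-KEYINFO line.
parse_keyinfo() {
  while IFS=' ' read -r status tag keygrip type _serial _idstr cached _rest; do
    if [ "$status" = "S" ] && [ "$tag" = "KEYINFO" ]; then
      printf '%s %s %s\n' "$keygrip" "$type" "$cached"
    fi
  done
}

# Keygrips of on-disk keys whose passphrase is not yet cached: the only ones a
# PAM preset step needs to hand a passphrase to (smartcard keys take no preset).
keygrips_needing_preset() {
  parse_keyinfo | while read -r keygrip type cached; do
    if [ "$type" = "D" ] && [ "$cached" != "1" ]; then
      printf '%s\n' "$keygrip"
    fi
  done
}

# Keygrips whose passphrase is currently cached in the agent: what an automatic
# unlock at login leaves usable without any further prompt.
keygrips_cached() {
  parse_keyinfo | while read -r keygrip _type cached; do
    if [ "$cached" = "1" ]; then
      printf '%s\n' "$keygrip"
    fi
  done
}

# Constructed sample agent output (not real keys): one cached disk key, one
# uncached disk key, one smartcard key, and the trailing OK line.
SAMPLE_KEYINFO='S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 D - - 1 P - - -
S KEYINFO 89ABCDEF0123456789ABCDEF0123456789ABCDEF D - - - P - - -
S KEYINFO FEDCBA9876543210FEDCBA9876543210FEDCBA98 T - - - - - - -
OK'

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_KEYINFO" | keygrips_needing_preset
# Against a live agent the same functions read the real listing:
#   gpg-connect-agent "keyinfo --list" /bye | keygrips_cached
```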