Need to support *secure* credential storage in non-X environments!

Bug #1686426 reported by Stefan Paetow
Affects: Moonshot ID Selector
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Currently, the only way to support non-X environments is by storing credentials in the identities.txt that is locked down to the user in question. However, for several of the organisations currently evaluating Moonshot, this is not acceptable. They expect the same level of security (i.e. secure credential storage in encrypted keyrings) from a non-X environment as they have in an X environment.

The only way that I see us being able to resolve this is by treating Moonshot UI in a text environment as a TSR (terminate & stay resident) that is terminated on logout (or disconnection), providing an ncurses-based/ncurses-style 'UI' during credential prompting to unlock the keyring and then provide a credential.

But... the requirement exists, and we need to resolve this question.

Stefan Paetow (stefan-paetow) wrote :

From: Matthew Vernon <mv3 at SANGER.AC.UK>
Subject: Moonshot id selection in text-only consoles
Date: 27 April 2017 at 11:31:14 BST
To: MOONSHOT-DEV

[trimmed]

A couple of thoughts came up (largely not mine), and it was suggested that someone forward them to this list. Essentially, there are already a couple of solutions to this sort of problem, most of the agent form, and we wondered if any of them could either be extended (e.g. have ssh-add also grok moonshot ids) or a similar model copied. The 2[0] approaches already used to solve similar problems are:

i) an init command a la kinit
ii) an agent a la ssh-add/ssh-agent or the gpg agent

If nothing else, perhaps people with gpg available could have something that lets them use the gpg-agent to decrypt a moonshot identity file into a tmpfs and let moonshot see that, perhaps?

It seems likely that some of our plausible use cases will be in environments where an X/Windows/OSX GUI window will be hard to come by.

Regards,

Matthew

[0] they're not that different in implementation, I think

Changed in moonshot-ui:
importance: Undecided → Wishlist
status: New → Confirmed
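
The gpg-agent idea from the forwarded message (decrypt an identity file into a tmpfs for the session), as an added shell example that is not from this thread or from the Moonshot code base. Assumptions: the helper names, the `moonshot-id.XXXXXX` directory name, and the `DECRYPT` and `ALLOW_DISK` overrides are all hypothetical, and how Moonshot is pointed at the staged file is left out because the thread does not say.

```shell
#!/bin/sh
# Added example, not Moonshot code. All names below are hypothetical.

# Succeeds if directory $1 is RAM-backed (uses GNU stat on Linux).
is_ram_backed() {
    case "$(stat -f -c %T "$1" 2>/dev/null)" in
        tmpfs|ramfs) return 0 ;;
        *) return 1 ;;
    esac
}

# stage_identity ENCRYPTED_FILE BASE_DIR
# Decrypts ENCRYPTED_FILE into a fresh 0700 directory under BASE_DIR and
# prints the path of the plaintext copy. gpg obtains the passphrase through
# gpg-agent, so no secret is passed on the command line or stored in a script.
stage_identity() {
    enc=$1
    base=$2
    [ -r "$enc" ] || { echo "cannot read $enc" >&2; return 1; }
    # Refuse to write plaintext to persistent storage unless explicitly allowed.
    if [ -z "${ALLOW_DISK:-}" ] && ! is_ram_backed "$base"; then
        echo "$base is not tmpfs/ramfs; refusing to write plaintext" >&2
        return 1
    fi
    dir=$(umask 077 && mktemp -d "$base/moonshot-id.XXXXXX") || return 1
    out=$dir/identities.txt
    # DECRYPT is an override for exercising the flow without a key (assumption);
    # the default is gpg, which talks to gpg-agent.
    if ! (umask 077 && ${DECRYPT:-gpg --quiet --decrypt} "$enc" > "$out"); then
        rm -rf "$dir"   # never leave a partial plaintext file behind
        return 1
    fi
    printf '%s\n' "$out"
}

# unstage_identity PLAINTEXT_FILE
# Removes the staged copy and its directory, e.g. from a logout trap.
unstage_identity() {
    rm -rf "$(dirname "$1")"
}
```

A session would call `stage_identity` with a base directory such as `$XDG_RUNTIME_DIR` and register `unstage_identity` in an `EXIT` trap, so the plaintext lives only as long as the login.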
Margaret Cullen (mrw42) wrote :

This was released in October 2017.

Changed in moonshot-ui:
status: Confirmed → Fix Released
Alejandro Perez (alejandro-perez-mendez) wrote :

Was it? Could you provide more details? I had to implement a CLI UI that makes use of GnomeKeyring because I thought *secure* storage of credentials for non-X was not supported at all.
