GnuPG and kwallet integration

Version: 1.0 (using KDE 3.2.1, Gentoo)
Compiler: gcc version 3.3.2 20031218 (Gentoo Linux 3.3.2-r5, propolice-3.3-7)
OS: Linux (i686) release 2.6.5-gentoo-r1

would it be possible that kwallet act as an SSH agent ?
it could store my SSH key, and when I ssh somewhere, it would publish do the job of ssh-agent or pageant (putty)

just an idea.

It might be fine (if a bit evil, but easier to implement) for KWallet to store a passphrase, and launch a separate SSH agent. Otherwise you'll have to do something clever with the SSH agent code, KWallet and the file format for public keys.

good idea, kwallet can just make sure there is a ssh-agent running and trigger the ssh-add call for every keys stored in the configfile.

I'll attached a script i wrote quickly, just for the sake

Created attachment 6484
script looks if there is an AGENT running and use it or start one.

*** Bug 87312 has been marked as a duplicate of this bug. ***

*** Bug 82485 has been marked as a duplicate of this bug. ***

to replace my script, there is a package made by gentoo that is also, at least, available for SuSe, so I suppose that may become something standard.

http://www.gentoo.org/proj/en/keychain/index.xml

on top of that, there is another package called "gtk2-ssh-askpasswd" or something, which loads before KDE to ask the extra passwd.

I suppose, instead of asking for the passwd, it would be stored in the wallet, and only the the part to load the ssh key into the agent is needed.

well, if the passwd for the key is not found in the wallet, I suppose kwallet has to ask it.

*** This bug has been confirmed by popular vote. ***

See also bug 97419 which was requesting something similar (from a user's point of view). See the comment with a suggestion for a SSH_ASKPASS-compatible app using kwallet. (This seems to be slightly different to what is suggested in this bug, but maybe easier to implement).
As a sysadmin with about 30 machines under my control, being able to have all those passwords in kwallet would be very nice, however it is done!

I just thought of something there....
instead of kwallet being an SSH agent, or having a password-less kwallet like some people like to have. kwallet could have to authentification, one is password, second is using the ssh key already loaded by the ssh agent.

I think most people who wanted a password-less kwallet was stricly because they had to time their password twice or three times (login, ssh, wallet)

the big advantage of having kwallet storing the ssh key and passphrase would be to allow user to have multiple ssh key. but I don't know how common is that ?

so maybe an easier work around would to allow kwallet to be automatically open without a password using an ssh-agent. but requiring a password in other cases.

so a login process could be something like this. you register your ssh-key in the kcontrol first. then when you login, kdm is using your password to try to load the ssh key on login so you don't have to type your password twice and kwallet is opening automaticaly when requested using the ssh-key authentification.

what do you guys think ?

is that easier/better ?

KWallet cannot be passwordless because the password encrypts the data. If you remove the password, the contents are unprotected.

So this will only work if whatever backend supplies KWallet a decryption key. Can ssh-agent do that?

Oh I thought kwallet had already a password less mode. because I remember tons of people asking for it on a separate ticket. anyway, it makes sens that it needs a password if it use it as an encryption. makes things more complicated to automatically open the wallet on agent discovery.

could kwallet use the ssh-private key when the agent is loaded ?

*** Bug 121086 has been marked as a duplicate of this bug. ***

maybe I repeat myself, but basically. if gtk2-ssh-askpass-0.3 program would be rewritten with kdelibs and kwallet support. it would just fetch the password from the wallet and open the regular ssh-agent. if not found in the kwallet, it would that act just like gtk2-ssh-askpass and ask for the password.

NB: gtk2-ssh-askpass is a tiny GUI utility that ask your ssh-key password on logon. it works well with kdm and kde, but I would rather have it integrated with kwallet.

thanks

Maybe when kwallet is coming up, it could start keychain, a script for controlling ssh-agent and gpg-agent, with all ssh and gpg keys it has.

keychain is a simple to use program.

I have created a small program that fetches the ssh passphrase from KWallet and uses it to add the key to ssh-agent. You can find it at
http://www.pontohonk.de/kde/ssh.html

excellent, now kwallet just need to auto-open using the session password (kdm).
thus only one password will be necessary.

just a quick comment to confirm the solution in comment #15 is working like a charm. i don't need this gtk-ask-pass anymore. and thus I only have the session password and the wallet password to type.

May be the small program in comment #15 could be extended. Perhaps ist could be used for gpg/pgp keys too. Or could be used for bluetooth authentication.

another small comment

here is the content of my autostart file

somekool@krypton ~ $ cat .kde/Autostart/ssh-add.sh
#!/bin/sh
export SSH_ASKPASS=$HOME/bin/askpass
keychain id_rsa
source ~/.keychain/`uname -n`-sh
#/usr/bin/ssh-add

somekool@krypton ~ $

simply calling ssh-add would not do the trick. but it works fine with keychain.

Your remark in comment #19

Why is keychain needed? What is the error when you use ssh-add alone?

it create or keeps the ssh-agent, call ssh-add automatically as well and set shell variable ( I'm not exactly sure, but I think its what it does, after all, the idea of using highlevel tools is to not care about implementation ;) )

SSH_AUTH_SOCK=/tmp/ssh-nAoUks9274/agent.9274; export SSH_AUTH_SOCK;
SSH_AGENT_PID=9275; export SSH_AGENT_PID;

I did not get an error with ssh-add, it just did not work, i dont know why.
ssh-add path was correct. i guess, ssh-add did not know what agent to add it too. i dont know.

There are kwallet-compatible replacements for ssh-agent and ssh-askpass at http://hanz.nl/p/program. Might be a starting point.

Just store the unencrypted SSH private key directly in the wallet (let the wallet handle encrypting it on disk) and supply it to ssh on demand using the same Unix socket protocol that ssh-agent uses. There's no need for a separate key file, passphrase, or ssh-agent process. The ssh-agent socket protocol is dirt simple; KWallet should just implement it directly. Then the only moderately difficult part is importing SSH keys into the wallet without ever writing them to disk unencrypted.

Created attachment 27714
kwallet-askpass.sh

Until such time as KWallet implements the ssh-agent protocol, I have coded up an askpass-style script to let ssh-add read passphrases from the KDE4 wallet via D-bus.

To use it, you need to add a folder to your wallet called 'ssh-agent' and add passwords to it, each given as its name the full absolute path to an SSH private key file, such as '/home/wendy/.ssh/id_rsa'. Then add an auto-start script that calls ssh-add thusly:
SSH_ASKPASS=/path/to/kwallet-askpass.sh ssh-add < /dev/null &

Of course, the agent has to be running already. For that, I recommend uncommenting the lines in the agent-startup.sh and agent-shutdown.sh scripts that come with KDE.

This package
http://www.kde-apps.org/content/show.php/kssh-add?content=76675

Does the whole thing very seamlessly. Sorry Matt, I couldn't make your scripts work, but this more or less does the same.

Personally, I don't always want to run ssh-add at startup, so I use

alias ssh='if [[ ! `ssh-add -l| grep .ssh | wc -l` > 0 ]]; then ssh-add < /dev/null; fi; ssh'

in my .bashrc so that I run ssh-add if it doesn't already have the passphrase.

The problem I had with kwallet-askpasss.sh was:
>sh ./kwallet-askpass.sh
./kwallet-askpass.sh: 13: Syntax error: "(" unexpected

(In reply to comment #25)
> This package
> http://www.kde-apps.org/content/show.php/kssh-add?content=76675
>
> Does the whole thing very seamlessly.

That appears to be for KDE 3.5, whose KWallet uses DCOP rather than D-Bus for interprocess communication. My script is for the KWallet in KDE 4.

(In reply to comment #26)
> The problem I had with kwallet-askpasss.sh was:
> >sh ./kwallet-askpass.sh
> ./kwallet-askpass.sh: 13: Syntax error: "(" unexpected

Not sure if functions are a POSIX shell feature or a bash extension. It might work if you remove the () after get_string, since the parens are optional (and mistakenly I put them on one function declaration but not on the other). If that doesn't work, try changing the shebang line to #!/bin/bash. sh on my system is actually bash, but on some systems it's something else.

functions are a POSIX shell feature, however the syntax 'function foo() { ... }' is not. I think both 'function foo { ... }' and 'foo() { ... }' are supported, but using both the keyword and ()'s is a syntax error that bash happens to tolerate.

checkbashisms [1] is your friend, when you have to make a script POSIX compatible.

[1] http://svn.debian.org/viewsvn/devscripts/trunk/scripts/checkbashisms.pl?view=markup

Created attachment 28336
kwallet-askpass.sh (sans bashisms)

Thank you, Matthew Woehlke and Adrian Friedli. I have updated my script to remove the bashisms.

Created attachment 28337
kwallet-askpass.sh (fixed typo)

Argh, sorry for the comment spam. I had a typo. :(

wtf, re-add everyone to the cc list ...

Created attachment 32405
modified script to get password from wallet

This code still doesn't work but now spits out the correct password, but ssh-add is not playing nice and reading it in.

I fiddled around with retrieving folders from kwallet and such, but that didn't seem to be as easy as attempt to just read the .ssh directory.

Someone else may know a good way to filter ssh keys or what-not (I am not a shell script pro), but this seems to get the idea across.

for i in `ls --hide=*pub ~/.ssh`
do
  i=`readlink -f ~/.ssh/${i}`
  echo $i
  password=$(${dbus_send}readPassword int32:${handle} string:"${APPID}" string:"${i}" string:"${APPID}" | get_string)
  if [ "${password}" != "" ]
  then
    `echo $password > ssh-add $i` # not sure this works, but you get the idea
  fi
done

The script works for me, but only after I have logged in. If I use it in .kde/Autostart I get the following messages in .xsession-errors:

Error org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken

I tried to start kwalletd in the script but without success.

The app in comment #15 works as it should, so I guess the script is missing some initialization process. It would be nice to use the script though because it's easier to modify.

Using OpenSUSE 11.2 and KDE 4.4.0.

If you want a quick working solution, install Ksshaskpass and put a script in the ~/.kde/Autostart directory that has :

#!/bin/sh
SSH_ASKPASS=/usr/bin/ksshaskpass /usr/bin/ssh-add < /dev/null

chmod u+x that script and enjoy. It works perfectly for me and I don't need to start kwallet myself.

(In reply to comment #27)
> (In reply to comment #25)
> > This package
> > http://www.kde-apps.org/content/show.php/kssh-add?content=76675
> >
> > Does the whole thing very seamlessly.
>
> That appears to be for KDE 3.5, whose KWallet uses DCOP rather than D-Bus for
> interprocess communication. My script is for the KWallet in KDE 4.

Ksshaskpass (http://www.kde-apps.org/content/show.php/show.php?content=50971) now runs on KDE 4.

*** Bug 282417 has been marked as a duplicate of this bug. ***

*** Bug 278184 has been marked as a duplicate of this bug. ***

That would be awesome!

bump ! ;) please

I currently get prompts all over when using SmartGit. I just use SSH keys with a passphrase, but every time (even on fetches), KWallet prompts and afterwards the SSH key password is prompted. It's getting pretty tiresome.

At least on kde5, running ssh from Konsole does not trigger ksshaskpass because ssh requires that it's NOT running from a terminal to trigger $SSH_ASKPASS. I don't know how it used to work in the past but I remember it indeed worked (I'd get a GUI prompt for my SSH passphrase if I invoked ssh from a terminal window).

*** Bug 291992 has been marked as a duplicate of this bug. ***