Thursday Aug 30, 2007

More ssh-add & gnome-keyring.

I've updated my gnome-keyring SSH_ASKPASS program to improve the user experience. However, to get this 100% I need some changes to ssh-add so that there is a stable interface between it and the SSH_ASKPASS program.

The new version reads the environment variable GNOME_KEY_ASKPASS. If that names an executable and gnome-keyring needs to prompt for a pass phrase, it runs that program to do the prompting and reads the pass phrase from the program's standard output, in the same way that ssh-add does with SSH_ASKPASS. It then stores the pass phrase in the keyring and writes it to its own standard output for ssh-add.

So to use this I have this in my .dtprofile file:

: FSS 184 $; tail -11 ~/.dtprofile
if whence gnome-keyring > /dev/null
then
        export SSH_ASKPASS=gnome-keyring
        if whence xsshaskpass > /dev/null
        then
                export GNOME_KEY_ASKPASS=xsshaskpass
        fi
elif whence xsshaskpass > /dev/null
then
        export SSH_ASKPASS=xsshaskpass
fi
: FSS 185 $; 

Then of course you need the xsshaskpass program. This just pops up a window and prompts the user to enter the pass phrase. There are lots of these around and I've always wondered why Solaris does not have one (if it does, let me know). Since they are trivially simple to write I guess it is just another way of making Solaris a little bit more elite. Here is my solution to this. Save it as xsshaskpass somewhere in your path and make it executable:

#!/usr/bin/ksh -p
# The file starts life as a ksh script that re-executes itself under wish.
# Each "# \" line is a Tcl comment whose trailing backslash continues the
# comment onto the following shell line, so wish ignores the shell bootstrap
# and starts interpreting at ". config" below.
# \
if [[ -x /usr/bin/wish ]] ; then
# \
        exec /usr/bin/wish -f "$0" ${1+"$@"}
# \
elif [[ -x /usr/sfw/bin/wish8.3 ]] ; then
# \
        exec /usr/sfw/bin/wish8.3 -f "$0" ${1+"$@"} ; else
# \
        exec wish -f "$0" ${1+"$@"} ; fi
# Tcl/Tk from here on. ssh-add passes the prompt text as the first argument
# and reads the pass phrase from this program's standard output.
. config -borderwidth 10
label .l -text "[lindex $argv 0]"
entry .e -width 30 -show {*}
frame .buts
button .buts.doit -text o.k. -command { puts [.e get] ; exit 0 }
button .buts.quit -text quit -command { exit 0 }
pack .buts.doit .buts.quit -side left
pack .l .e .buts
tkwait window .
exit 0

The nice thing about this is that this is all you have to do to set it up, and it could be done by the administrator. When ssh-add first runs at login it will prompt you twice (see below) for your pass phrase, which then gets stored in the gnome-keyring. Assuming you entered the correct pass phrase, that is it: you never have to enter your ssh pass phrase again.

However, since there is no way for the gnome-keyring program to know whether the pass phrase read from the user is good, it can end up storing a bad pass phrase in the keyring. To minimize this risk it prompts the user twice for the pass phrase, until the user enters the same phrase twice. Once a bad pass phrase is in the keyring you have to use gnome-keyring-manager to delete it. Unfortunately all the gnome-keyring program has to go on when a bad passphrase is found is that it is called with the argument “Bad passphrase, try again: ”, which does not tell the program which key is bad. There are various hacks that could be performed to work around this, but I'm coming to the conclusion that the simplest would be to modify ssh-add to put the name of the file for which it is prompting into the environment of the SSH_ASKPASS program, and hence of the gnome-keyring program, so that it can be read from there. With that in place it would not matter if a bad pass phrase was stored in the keyring, since when the user eventually gets the pass phrase right it would still be stored.

Friday Aug 24, 2007

ssh-add meets gnome-keyring.

Now that we have the gnome keyring for storing passwords in, and the excellent pidgin uses it (so I have to type my passphrase in so that pidgin can log in), it was irritating me that I also had to type in a passphrase for ssh.

So I wrote a small program gnome-keyring.c and a Makefile which will allow you to store your ssh passphrase in the gnome keyring and then have ssh-add use the same program to retrieve it. To use it, save the two files in a new directory and in that directory type “make”. (This kind of assumes you have a compiler.) Then install the resulting binary in your path.

Now to save away your ssh passphrase in the gnome keyring type

: principia IA 35 $; gnome-keyring -s
enter password: 
Reenter password: 
: principia IA 36 $; gnome-keyring   
easy to guess
: principia IA 37 $; 

Now if you set the environment variable SSH_ASKPASS to be gnome-keyring in your .dtprofile, e.g.:


and then have your gnome session call “ssh-add” when the session starts, you will be prompted for the gnome-keyring passphrase and never have to type the ssh one.

I've only tested this on nevada build 71.

Irritatingly after I wrote this I did a google search for “ssh gnome-keyring” and discovered that I had reinvented the wheel, but I enjoyed it.


I've updated the program to be able to cope with having different passphrases for different ssh keys. This is a bit of a hack, as it relies on the arguments that ssh-add passes to the program to work out which key to use, but it works.

: principia IA 169 $; gnome-keyring -s /home/cg13442/.ssh/id_rsa
enter password: 
Reenter password: 
: principia IA 170 $; gnome-keyring -g /home/cg13442/.ssh/id_rsa
not so easy to guess
: principia IA 171 $; gnome-keyring -s /home/cg13442/.ssh/id_dsa
enter password: 
Reenter password: 
: principia IA 172 $; gnome-keyring -g /home/cg13442/.ssh/id_dsa
easy to guess
: principia IA 173 $; 
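As an added illustration of the ssh-add/SSH_ASKPASS exchange that both posts build on (the prompt arrives as the program's only argument, the pass phrase goes back on standard output, the key path is recovered from the prompt text, and the “Bad passphrase, try again: ” prompt carries no key name), here is a Python model of the wrapper's logic; it is an example written for this page, not the gnome-keyring.c program. A dict stands in for the keyring, and SSH_ASKPASS_KEYFILE is a hypothetical variable standing in for the ssh-add change proposed above.

```python
import os
import re
import subprocess

# ssh-add runs SSH_ASKPASS with one argument, e.g.
#   "Enter passphrase for /home/cg13442/.ssh/id_rsa: "  or
#   "Bad passphrase, try again: "
# and reads the pass phrase back from the program's standard output.
PROMPT_RE = re.compile(r"Enter passphrase for (?P<key>\S+?):?\s*$")
# Hypothetical variable standing in for the proposed ssh-add change (exporting the
# key file name into the askpass program's environment); ssh-add does not set it.
KEYFILE_VAR = "SSH_ASKPASS_KEYFILE"

def key_from_prompt(prompt):
    """Key path named in an ssh-add prompt, or None for the retry prompt."""
    m = PROMPT_RE.search(prompt)
    return m.group("key") if m else None

def run_askpass(program, prompt):
    """Call an SSH_ASKPASS-style program (e.g. GNOME_KEY_ASKPASS) the way ssh-add
    does: prompt as argv[1], pass phrase read from stdout; None if it fails/quits."""
    proc = subprocess.run([program, prompt], capture_output=True, text=True)
    return proc.stdout.rstrip("\n") if proc.returncode == 0 else None

def ask_twice(ask, prompt):
    """Prompt until the same phrase is entered twice, the guard against caching a typo."""
    while True:
        first = ask(prompt)
        if first is None or first == ask(prompt.replace("Enter", "Reenter", 1)):
            return first

def passphrase_for(prompt, store, ask, env=None):
    """Model of the keyring wrapper: answer from `store` (a dict standing in for
    gnome-keyring) or prompt via `ask` and cache the result."""
    env = os.environ if env is None else env
    key = key_from_prompt(prompt)
    if key is None:
        # "Bad passphrase, try again: " names no key, so the wrapper cannot tell
        # which cached entry is wrong unless ssh-add passes the file name along.
        key = env.get(KEYFILE_VAR)
        if key is None:
            return ask(prompt)   # nothing to correct; the stale entry stays
        store.pop(key, None)     # known-bad entry: replace it with the next answer
    if store.get(key) is None:
        store[key] = ask_twice(ask, prompt)
    return store[key]
```

To use it as a real askpass program you would pass `lambda q: run_askpass(os.environ["GNOME_KEY_ASKPASS"], q)` as `ask` and replace the dict with persistent storage.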

This is the old blog of Chris Gerhard. It has mostly moved to
