
#1 2008-10-22 04:04:16

cja
Member
Registered: 2008-10-22
Posts: 6

Is there a cli version of x11-ssh-askpass?

Greetings,

I've been using ArchLinux for a few years now but this is my first post.

I have implemented an encrypted-filesystem using fuse / encfs. To decrypt the fs, I run . . .
encfs --idle=10 --ondemand --extpass="/usr/lib/openssh/ssh-askpass" -o nonempty ~/encrypt/.crypt ~/encrypt/crypt
The openssh package does not contain ssh-askpass (pacman -Ql | grep ask) so I installed the x11-ssh-askpass package instead.

This arrangement works fine . . . except I'd prefer a cli version of ssh-askpass. Googling drew a blank. Ditto for searching openssh's website.
Any ideas?

Thanks,

--Charlie

#2 2008-10-22 15:58:19

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879

Re: Is there a cli version of x11-ssh-askpass?

Um, if you want the CLI to ask for the password, couldn't you just get rid of the --extpass param and let encfs ask you?

#3 2008-10-23 00:04:32

cja
Member
Registered: 2008-10-22
Posts: 6

Re: Is there a cli version of x11-ssh-askpass?

You must set a(n external) password program when using mount-on-demand.
But thanks for the suggestion, Phrakture.
--Charlie

#4 2008-10-23 12:19:47

Profjim
Member
From: NYC
Registered: 2008-03-24
Posts: 658

Re: Is there a cli version of x11-ssh-askpass?

OK, you should definitely get feedback from other people about the security implications of what I'm about to propose. But I believe it should be unproblematic. The pinentry scripts are another supposed-to-be-secure external password program. And they use a simple scripting language. And they have a curses version. So, a distro or two ago, what I did was something like this:

$ cat /usr/local/bin/ssh-askpass

#!/usr/bin/env bash
# External password program: feed pinentry its Assuan commands on stdin and
# keep only the reply line that matters, either "D <pin>" or "ERR ...".
RESULT=$(pinentry <<END | egrep '^(D|ERR)'
SETDESC %20%20Enter your SSH password:
SETPROMPT
GETPIN
END)

# Any ERR reply ("ERR 111 canceled" when the user aborts, but also any other
# error) means there is no passphrase: exit non-zero so the caller treats the
# attempt as failed instead of reading the error text as the passphrase.
if [[ "$RESULT" == ERR* ]]; then
    exit 255
else
    # Drop the leading "D " and print the rest verbatim (printf rather than
    # echo so a passphrase starting with "-n" or "-e" is not misparsed).
    # Note: pinentry percent-escapes '%', CR and LF in this line (e.g. %25);
    # this script does not decode them.
    printf '%s\n' "${RESULT:2}"
fi
RESULT=


However, this isn't working for me anymore on Arch. I think I may be missing some library pinentry requires, or maybe pinentry is only happy in an X-based terminal (I'm in the Linux console). I can't track down the problem atm, but this should point you in a direction that used to work and I believe should still work. You've just got to get pinentry working right for you.

Even better than a curses interface would be a simple CLI interface, like when sudo/gpg/ssh-agent ask for passwords. But I don't think pinentry provides that, and I don't know if there's any external password program that will fit your needs that does. If there isn't, that seems bizarre.

#5 2008-10-24 13:51:52

cja
Member
Registered: 2008-10-22
Posts: 6

Re: Is there a cli version of x11-ssh-askpass?

Profjim,
Thanks *very* much for your response. A minor adaptation to your script gives me the desired result:
---- snip : start ----
#!/usr/bin/env bash
# External password program for encfs --extpass: drive pinentry-curses on the
# controlling tty and keep only the "D <pin>" or "ERR ..." reply line.
RESULT=$(pinentry-curses --ttytype=xterm-color --lc-ctype=en_AU.UTF8 --ttyname=/dev/tty <<END | egrep '^(D|ERR)'
SETDESC Enter your SSH password:
SETPROMPT
GETPIN
END)

# Any ERR reply ("ERR 111 canceled" on abort, or any other error, e.g. no
# usable tty) means no passphrase: exit non-zero rather than printing the
# error text for encfs to use as the passphrase.
if [[ "$RESULT" == ERR* ]]; then
    exit 255
else
    # Drop the leading "D " and print the rest verbatim; pinentry's
    # percent-escapes (%25 for '%', etc.) are not decoded here.
    printf '%s\n' "${RESULT:2}"
fi

RESULT=
---- snip : stop ----
The initial login on running encfs (as per my first post) works fine. There's still an issue with logins failing when the encfs-idle-time-out (=10mins) condition is met: substituting 'pinentry-curses' ---> pinentry-qt fixes the problem but obviously that's only of use to me for debugging purposes. I'll poke around a bit more before posting again.

Re. CLI vs curses i/face, I agree: simple CLI is the way to go. I can confirm pinentry doesn't support it and, like you, don't know of any other external password program that does. Still, your suggestion is the next best thing so I'm going with that.

And, yes, security implications anyone? (I've chmod'ed the ssh-askpass script to 700 and set ownership = <myusername>:users )

Thanks again, Profjim.

#6 2008-10-24 22:59:14

cja
Member
Registered: 2008-10-22
Posts: 6

Re: Is there a cli version of x11-ssh-askpass?

The issue with 'logins failing when the encfs-idle-time-out (=10mins) condition is met' is that once the initial login succeeds, encfs goes into daemon mode, at which point it loses access to the original terminal
(see http://sourceforge.net/mailarchive/mess … okers.net). Not an issue if ssh-askpass is gui-based. Bah.

Here's what I'm going to do: Stick with ProfJim's script. If/when idle-time-out condition is met, (and ext-password call fails) and I lose access to the encrypted volume, do a re-encrypt / decrypt. Messy but it works well enough for my needs.

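Added example (not code from any poster in this thread): a POSIX sh --extpass helper in the spirit of Profjim's script that (a) percent-decodes pinentry's D reply, which the scripts above leave encoded, (b) never prints anything on an ERR reply or when no D line arrives, and (c) checks for a controlling terminal before prompting, which is exactly what encfs no longer has once it has daemonised (post #6), so the remount attempt fails cleanly instead of hanging. It also carries a tty_askpass function, the plain sudo-style prompt Profjim wished for, built from stty and read on /dev/tty. The pinentry commands and options are the ones used in the thread; that pinentry-curses is on PATH, that the script is installed under the name encfs-askpass, and the reply lines used in the test are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not from this thread. External password program for
# encfs --extpass that drives pinentry-curses (assumed to be on PATH).

# Undo the percent-escaping pinentry applies to '%', CR and LF in a "D" line.
# %0D and %0A are decoded before %25 so a literal "%0A" in a passphrase
# (which pinentry sends as "%250A") does not turn into a newline.
assuan_decode() {
    awk '{ gsub(/%0D/, "\r"); gsub(/%0A/, "\n"); gsub(/%25/, "%"); print }'
}

# $1: the complete reply text from pinentry. Prints the decoded passphrase and
# returns 0; returns 1 on any ERR reply (cancelled, no usable tty, ...) or when
# no "D" line is present, so only a real passphrase ever reaches stdout.
assuan_extract_pin() {
    if printf '%s\n' "$1" | grep -q '^ERR '; then
        return 1
    fi
    d=$(printf '%s\n' "$1" | grep '^D ' | head -n 1)
    [ -n "$d" ] || return 1
    printf '%s\n' "${d#D }" | assuan_decode
}

# True when this process can open its controlling terminal. After encfs
# daemonises there is none, so prompting would fail or hang.
have_tty() {
    ( exec 3</dev/tty ) 2>/dev/null
}

# Curses prompt via pinentry, using the options from the thread.
pinentry_askpass() {
    if ! have_tty; then
        echo "encfs-askpass: no controlling terminal, cannot prompt" >&2
        return 1
    fi
    raw=$(printf 'SETDESC Enter your EncFS password:\nSETPROMPT Passphrase:\nGETPIN\nBYE\n' \
          | pinentry-curses --ttyname=/dev/tty --ttytype="${TERM:-xterm}")
    assuan_extract_pin "$raw"
}

# Plain CLI prompt, the way sudo/ssh-add ask: echo off on /dev/tty, and echo
# restored even if the user interrupts with Ctrl-C.
tty_askpass() {
    have_tty || return 1
    trap 'stty echo </dev/tty; echo >/dev/tty; exit 255' INT TERM
    printf 'EncFS passphrase: ' >/dev/tty
    stty -echo </dev/tty
    IFS= read -r pin </dev/tty
    status=$?
    stty echo </dev/tty
    echo >/dev/tty
    trap - INT TERM
    [ "$status" -eq 0 ] || return 1
    printf '%s\n' "$pin"
}

# Prompt only when executed as the installed helper; when the file is read
# under another name only the functions above are defined.
case "$0" in
    *encfs-askpass) pinentry_askpass || exit 255 ;;
esac
```

Install as /usr/local/bin/encfs-askpass (mode 700, as cja did) and pass --extpass=/usr/local/bin/encfs-askpass to encfs; swap pinentry_askpass for tty_askpass in the last case branch to get the plain prompt instead of curses. Either way the helper exits 255 without printing anything when it cannot get a passphrase, so encfs sees a failed attempt rather than garbage.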