+++ /dev/null
-[[!meta title="MonkeySphere can't deal with passphrase-locked primary keys"]]
-
-At the moment, the only tool we have to export passphrase-locked
-secret keys from the GPG keyring is `gpg` itself (and `gpg2`, which
-has roughly the same behavior).
-
-As a result, we have the `seckey2sshagent` hack, which is unfriendly
-and awkward to use.
-
-Ideally, `openpgp2ssh` would be able to convert passphrase-locked
-secret keys into clean subkeys. However, i've tried to do this via
-GnuTLS, and that library is not ready for this.
-
-OpenCDK, which is the component of GnuTLS which reads OpenPGP-style
-keys, cannot cope with encrypted secret key material. I have had
-[some
-success](http://lists.gnu.org/archive/html/gnutls-devel/2008-06/msg00092.html)
-in getting GnuTLS's OpenCDK to accept the existence of encrypted
-secret key packets, [i learned that OpenCDK as included in GnuTLS is
-incapable of dealing with the encrypted packets
-themselves](http://lists.gnu.org/archive/html/gnutls-devel/2008-07/msg00012.html).
-
-
-Some possible resolutions:
-
----------
-
-If we can assume that the passphrase-encrypted key we want to use is
-actually a subkey, and if we could fix GnuTLS to ignore the use of the
-"gnu-dummy S2K" produced by `gpg --export-secret-subkeys` for the
-primary key, then something like the following script should actually
-work for reasonable values of `$KEYID`:
-
- TMPDIR=$(mktemp -d)
- umask 077
- mkfifo "$TMPDIR/passphrase"
- kname="MonkeySphere Key $KEYID"
- mkfifo "$TMPDIR/$kname"
- ssh-askpass "Please enter the passphrase for MonkeySphere key $KEYID" >"$TMPDIR/passphrase" &
- gpg --passphrase-fd 3 3<"$TMPDIR/passphrase" \
- --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes \
- --export-secret-subkeys "$KEYID"\! | openpgp2ssh "$KEYID" > "$TMPDIR/$kname" &
- (cd "$TMPDIR" && ssh-add -c "$kname")
- rm -rf "$TMPDIR"
-
-Good news! [I've crafted a patch for GnuTLS to enable it to read
-exported subkeys using this GNU
-extension](http://lists.gnu.org/archive/html/gnutls-devel/2008-08/msg00005.html),
-so if we can get it incorporated into upstream (and/or into debian),
-we have a possible solution, as long as the authentication key is a
-subkey, and not a primary key.
-
-As of version 0.11-1, `monkeysphere subkey-to-ssh-agent` implements
-this particular strategy (and fails cleanly if the version of GnuTLS
-present doesn't support the GNU dummy S2K extension).
-
----------
-
-Ben Laurie and Rachel Willmer's
-[OpenPGPSDK](http://openpgp.nominet.org.uk) is a candidate: this is a
-C-based library that intends to implement RFC 4880 functionality.
-
-We could potentially re-write `openpgp2ssh` using this library, and it
-*should* be able to handle everything we need from the OpenPGP side
-(though it might need to be re-linked to OpenSSL to handle PEM-encoded
-exports.
-
-Concerns:
-
-* OpenPGPSDK is not in debian yet, and doesn't currently (2008-08-13)
- build with gcc 4.2 or 4.3.
-
-* OpenPGPSDK uses the apache license and appears to link to OpenSSL,
- which has a GPL-incompatible license. I think this would mean that
- `openpgp2ssh` could not remain GPL (though the rest of the
- monkeysphere could).
-
----------
-
-We could try to use perl. The last time i checked, the pure-perl
-OpenPGP implementations all depended on Math::PARI, which [is not in
-debian](http://bugs.debian.org/440527). The most likely candidate is
-[Crypt::OpenPGP](http://search.cpan.org/~btrott/Crypt-OpenPGP),
-despite [some
-bugginess](http://cpanratings.perl.org/dist/Crypt-OpenPGP).
-
-Concerns:
-
-* the aforementioned buggy reviews
-
-* there's a lot of dependency chasing to get anything like this
- available in debian.
-
----------
-
-Other alternatives?
-
---------
-
-Can this bug be closed? dkg [reported in a comment for a related
-bug](/bugs/install-seckey2sshagent-in-usr-bin/):
-
- Version 0.11-1 now has the monkeysphere subkey-to-ssh-agent
- subcommand, which works cleanly in the presence of a
- functionally-patched GnuTLS.
-
---------
-
-Even with the patched GnuTLS, monkeysphere currently can't currently
-deal with passphrase-locked primary keys. I've changed the title of
-this bug, but i'd like to keep it open until we are able to deal with
-that. The other comments here seem still quite relevant to that
-need.
-
-I've changed the title of this bug to reflect the narrowed scope.
-
- --dkg
projects / monkeysphere.git / blobdiff