Bug 81067 - using kwallet as an ssh-agent
Summary: using kwallet as an ssh-agent
Status: CONFIRMED
Alias: None
Product: kdelibs
Classification: Frameworks and Libraries
Component: kwallet
Version: 0.1
Platform: unspecified Linux
Priority: NOR
Severity: wishlist
Target Milestone: ---
Assignee: kdelibs bugs
URL:
Keywords:
Duplicates: 82485 87312 121086 278184 282417 291992
Depends on:
Blocks:
 
Reported: 2004-05-06 23:21 UTC by Mathieu Jobin
Modified: 2022-09-06 12:06 UTC
CC: 29 users

See Also:
Latest Commit:
Version Fixed In:


Attachments
script looks if there is an AGENT running and use it or start one. (392 bytes, text/plain)
2004-06-27 03:14 UTC, Mathieu Jobin
kwallet-askpass.sh (1.13 KB, text/plain)
2008-10-06 15:10 UTC, Matt Whitlock
kwallet-askpass.sh (sans bashisms) (1.15 KB, text/plain)
2008-11-05 02:32 UTC, Matt Whitlock
kwallet-askpass.sh (fixed typo) (1.15 KB, text/plain)
2008-11-05 02:37 UTC, Matt Whitlock
modified script to get password from wallet (1.46 KB, application/x-sh)
2009-03-26 10:12 UTC, cam34

Description Mathieu Jobin 2004-05-06 23:21:12 UTC
Version:           1.0 (using KDE 3.2.1, Gentoo)
Compiler:          gcc version 3.3.2 20031218 (Gentoo Linux 3.3.2-r5, propolice-3.3-7)
OS:          Linux (i686) release 2.6.5-gentoo-r1

Would it be possible for kwallet to act as an SSH agent?
It could store my SSH key, and when I ssh somewhere, it would do the job of ssh-agent or pageant (PuTTY).

just an idea.
Comment 1 Francis Irving 2004-06-24 10:09:13 UTC
It might be fine (if a bit evil, but easier to implement) for KWallet to store a passphrase, and launch a separate SSH agent.  Otherwise you'll have to do something clever with the SSH agent code, KWallet and the file format for public keys.
Comment 2 Mathieu Jobin 2004-06-27 03:08:29 UTC
Good idea, kwallet can just make sure there is an ssh-agent running and trigger the ssh-add call for every key stored in the config file.

I'll attach a script I wrote quickly, just for the sake of it.


Comment 3 Mathieu Jobin 2004-06-27 03:14:28 UTC
Created attachment 6484 [details]
script looks if there is an AGENT running and use it or start one.
Comment 4 George Staikos 2004-11-06 16:37:10 UTC
*** Bug 87312 has been marked as a duplicate of this bug. ***
Comment 5 George Staikos 2004-11-06 16:38:40 UTC
*** Bug 82485 has been marked as a duplicate of this bug. ***
Comment 6 Mathieu Jobin 2004-11-06 18:39:08 UTC
To replace my script, there is a package made by Gentoo that is also available, at least, for SuSE, so I suppose that may become something standard.

http://www.gentoo.org/proj/en/keychain/index.xml

On top of that, there is another package called "gtk2-ssh-askpasswd" or something, which loads before KDE to ask for the extra passwd.

I suppose, instead of asking for the passwd, it would be stored in the wallet, and only the part to load the ssh key into the agent is needed.

Well, if the passwd for the key is not found in the wallet, I suppose kwallet has to ask for it.

Comment 7 Mathieu Jobin 2004-11-06 18:40:06 UTC
*** This bug has been confirmed by popular vote. ***
Comment 8 David Anderson 2005-02-05 13:16:07 UTC
See also bug 97419 which was requesting something similar (from a user's point of view). See the comment with a suggestion for a SSH_ASKPASS-compatible app using kwallet. (This seems to be slightly different to what is suggested in this bug, but maybe easier to implement).
As a sysadmin with about 30 machines under my control, being able to have all those passwords in kwallet would be very nice, however it is done!
Comment 9 Mathieu Jobin 2005-11-09 18:55:10 UTC
I just thought of something there....
Instead of kwallet being an SSH agent, or having a password-less kwallet like some people like to have, kwallet could have two authentications: one is a password, the second is using the SSH key already loaded by the ssh agent.

I think most people who wanted a password-less kwallet wanted it strictly because they had to type their password twice or three times (login, ssh, wallet).

The big advantage of having kwallet store the ssh key and passphrase would be to allow users to have multiple ssh keys. But I don't know how common that is?

So maybe an easier workaround would be to allow kwallet to be opened automatically without a password using an ssh-agent, but requiring a password in other cases.

So a login process could be something like this: you register your ssh-key in kcontrol first. Then when you log in, kdm uses your password to try to load the ssh key on login so you don't have to type your password twice, and kwallet opens automatically when requested, using the ssh-key authentication.


What do you guys think?

Is that easier/better?
Comment 10 Thiago Macieira 2005-11-10 11:34:14 UTC
KWallet cannot be passwordless because the password encrypts the data. If you remove the password, the contents are unprotected.

So this will only work if whatever backend supplies KWallet a decryption key. Can ssh-agent do that?
Comment 11 Mathieu Jobin 2005-11-11 23:16:08 UTC
Oh, I thought kwallet already had a password-less mode, because I remember tons of people asking for it on a separate ticket. Anyway, it makes sense that it needs a password if it uses it for encryption. That makes things more complicated to automatically open the wallet on agent discovery.

Could kwallet use the SSH private key when the agent is loaded?

Comment 12 George Staikos 2006-01-31 15:31:29 UTC
*** Bug 121086 has been marked as a duplicate of this bug. ***
Comment 13 Mathieu Jobin 2006-04-13 07:26:14 UTC
Maybe I repeat myself, but basically: if the gtk2-ssh-askpass-0.3 program were rewritten with kdelibs and kwallet support, it would just fetch the password from the wallet and open the regular ssh-agent. If not found in the kwallet, it would then act just like gtk2-ssh-askpass and ask for the password.

NB: gtk2-ssh-askpass is a tiny GUI utility that asks for your ssh-key password on logon. It works well with kdm and KDE, but I would rather have it integrated with kwallet.

thanks

Comment 14 Andreas Bayer 2006-11-09 13:26:14 UTC
Maybe when kwallet is coming up, it could start keychain, a script for controlling ssh-agent and gpg-agent, with all ssh and gpg keys it has. 

keychain is a simple-to-use program.
Comment 15 Christoph Bartoschek 2006-12-15 14:19:17 UTC
I have created a small program that fetches the ssh passphrase from KWallet and uses it to add the key to ssh-agent. You can find it at
http://www.pontohonk.de/kde/ssh.html
Comment 16 Mathieu Jobin 2006-12-16 10:43:02 UTC
Excellent, now kwallet just needs to auto-open using the session password (kdm).
thus only one password will be necessary.
Comment 17 Mathieu Jobin 2006-12-20 05:55:36 UTC
Just a quick comment to confirm the solution in comment #15 is working like a charm. I don't need this gtk-ask-pass anymore, and thus I only have the session password and the wallet password to type.

Comment 18 Andreas Bayer 2006-12-20 08:45:06 UTC
Maybe the small program in comment #15 could be extended. Perhaps it could be used for gpg/pgp keys too. Or it could be used for bluetooth authentication.
Comment 19 Mathieu Jobin 2006-12-21 14:33:48 UTC
another small comment

here is the content of my autostart file

somekool@krypton ~ $ cat .kde/Autostart/ssh-add.sh
#!/bin/sh
# Point ssh-add at the askpass helper so it never prompts on a terminal.
export SSH_ASKPASS=$HOME/bin/askpass
# keychain reuses a running ssh-agent (or starts one) and runs ssh-add for id_rsa.
keychain id_rsa
# Import the SSH_AUTH_SOCK/SSH_AGENT_PID settings keychain wrote out. "." is the
# POSIX spelling of bash's "source", which a plain /bin/sh may not understand.
. ~/.keychain/$(uname -n)-sh
#/usr/bin/ssh-add


Simply calling ssh-add would not do the trick, but it works fine with keychain.
Comment 20 Christoph Bartoschek 2006-12-22 15:23:22 UTC
Your remark in comment #19

Why is keychain needed? What is the error when you use ssh-add alone?
Comment 21 Mathieu Jobin 2006-12-23 14:50:42 UTC
It creates or keeps the ssh-agent, calls ssh-add automatically as well, and sets the shell variables (I'm not exactly sure, but I think that's what it does; after all, the idea of using high-level tools is to not care about implementation ;) )

SSH_AUTH_SOCK=/tmp/ssh-nAoUks9274/agent.9274; export SSH_AUTH_SOCK;
SSH_AGENT_PID=9275; export SSH_AGENT_PID;

I did not get an error with ssh-add, it just did not work, I don't know why.
The ssh-add path was correct. I guess ssh-add did not know what agent to add it to. I don't know.

Comment 22 Matthias Himber 2007-04-01 17:23:25 UTC
There are kwallet-compatible replacements for ssh-agent and ssh-askpass at http://hanz.nl/p/program. Might be a starting point.
Comment 23 Matt Whitlock 2008-10-06 13:38:56 UTC
Just store the unencrypted SSH private key directly in the wallet (let the wallet handle encrypting it on disk) and supply it to ssh on demand using the same Unix socket protocol that ssh-agent uses.  There's no need for a separate key file, passphrase, or ssh-agent process.  The ssh-agent socket protocol is dirt simple; KWallet should just implement it directly.  Then the only moderately difficult part is importing SSH keys into the wallet without ever writing them to disk unencrypted.
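The "dirt simple" socket protocol the previous comment refers to, as an added example that is neither KWallet code nor the commenter's: a responder for the two requests an ssh client actually needs, SSH_AGENTC_REQUEST_IDENTITIES and SSH_AGENTC_SIGN_REQUEST, over the OpenSSH agent framing (uint32 length, type byte, SSH strings). Keys live only in memory, as they would after being pulled from an open wallet, and signing goes through a callable so the private key is never serialised towards the client. The key blob layout and the `WalletAgent` name are this example's assumptions; the signer in the usage below is a placeholder, a real one would produce an Ed25519 or RSA signature over `data`.

```python
"""Minimal ssh-agent protocol responder (added example, not KDE or KWallet code).

Framing per the OpenSSH agent protocol: each message on the Unix socket is
uint32 length + one type byte + payload; payload fields are SSH strings
(uint32 length + bytes). Only the two requests an ssh client needs are served,
REQUEST_IDENTITIES and SIGN_REQUEST; the private key never leaves the process,
signing goes through a callable that a wallet-backed store would supply.
"""
import os
import socket
import struct
from typing import Callable, Dict, Tuple

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14
MAX_MSG = 256 * 1024            # same cap OpenSSH applies to agent messages

Signer = Callable[[bytes, int], bytes]   # (data_to_sign, flags) -> signature blob


def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


class WalletAgent:
    """Serves keys that were loaded from an already-open wallet; nothing else."""

    def __init__(self) -> None:
        # public key blob (wire format, e.g. string "ssh-ed25519" + string pk)
        # -> (comment, signer); the signer closes over the private key.
        self._keys: Dict[bytes, Tuple[str, Signer]] = {}

    def add_key(self, blob: bytes, comment: str, signer: Signer) -> None:
        self._keys[blob] = (comment, signer)

    def handle(self, request: bytes) -> bytes:
        """One request body (type byte + payload) in, one reply body out."""
        if not request:
            return bytes([SSH_AGENT_FAILURE])
        mtype, body = request[0], request[1:]
        if mtype == SSH_AGENTC_REQUEST_IDENTITIES:
            out = bytes([SSH_AGENT_IDENTITIES_ANSWER])
            out += struct.pack(">I", len(self._keys))
            for blob, (comment, _) in self._keys.items():
                out += ssh_string(blob) + ssh_string(comment.encode())
            return out
        if mtype == SSH_AGENTC_SIGN_REQUEST:
            try:
                blob, off = read_string(body, 0)
                data, off = read_string(body, off)
                (flags,) = struct.unpack_from(">I", body, off)
            except (ValueError, struct.error):
                return bytes([SSH_AGENT_FAILURE])   # malformed: refuse, do not crash
            entry = self._keys.get(blob)
            if entry is None:
                return bytes([SSH_AGENT_FAILURE])
            return bytes([SSH_AGENT_SIGN_RESPONSE]) + ssh_string(entry[1](data, flags))
        # ADD/REMOVE/LOCK and friends are deliberately unsupported: only the
        # wallet decides which keys exist, so a client cannot inject or wipe them.
        return bytes([SSH_AGENT_FAILURE])

    def serve(self, path: str) -> None:
        """Blocking accept loop; clients use it via SSH_AUTH_SOCK=<path>."""
        if os.path.exists(path):
            os.unlink(path)
        old_umask = os.umask(0o077)      # socket is created 0600, no chmod race
        try:
            srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            srv.bind(path)
        finally:
            os.umask(old_umask)
        srv.listen(5)
        while True:
            conn, _ = srv.accept()
            with conn:
                while True:
                    hdr = _recv_exact(conn, 4)
                    if hdr is None:
                        break
                    (n,) = struct.unpack(">I", hdr)
                    if n == 0 or n > MAX_MSG:
                        break                    # oversized frame: drop the client
                    req = _recv_exact(conn, n)
                    if req is None:
                        break
                    reply = self.handle(req)
                    conn.sendall(struct.pack(">I", len(reply)) + reply)


def _recv_exact(conn: socket.socket, n: int):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf
```

To try it, call `WalletAgent().add_key(blob, comment, signer)` for each key and then `serve("/run/user/1000/wallet-agent.sock")` (path assumed), export that path as `SSH_AUTH_SOCK`, and `ssh-add -l` will list the comment. Refusing every request type other than the two above is the point of putting the agent behind the wallet: a process that can reach the socket can ask for signatures, but it cannot add, remove or lock keys.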
Comment 24 Matt Whitlock 2008-10-06 15:10:13 UTC
Created attachment 27714 [details]
kwallet-askpass.sh

Until such time as KWallet implements the ssh-agent protocol, I have coded up an askpass-style script to let ssh-add read passphrases from the KDE4 wallet via D-Bus.

To use it, you need to add a folder to your wallet called 'ssh-agent' and add passwords to it, each given as its name the full absolute path to an SSH private key file, such as '/home/wendy/.ssh/id_rsa'.  Then add an auto-start script that calls ssh-add thusly:
SSH_ASKPASS=/path/to/kwallet-askpass.sh ssh-add < /dev/null &

Of course, the agent has to be running already.  For that, I recommend uncommenting the lines in the agent-startup.sh and agent-shutdown.sh scripts that come with KDE.
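The same askpass approach as comment 24, written out as an added example rather than the attached script: the helper takes the prompt ssh-add passes as its only argument, recovers the key path from it, reads the entry of that name from the "ssh-agent" folder through kwalletd's D-Bus interface, and prints the passphrase. The application id, the script name and the fallback behaviour are this example's choices, not the attachment's; the D-Bus service, object path, interface and method signatures are the KDE 4 kwalletd ones (org.kde.kwalletd, /modules/kwalletd, org.kde.KWallet).

```python
#!/usr/bin/env python3
"""SSH_ASKPASS helper backed by KWallet (added example, not the attachment's code).

ssh-add runs $SSH_ASKPASS with one argument, the prompt, for instance
"Enter passphrase for /home/wendy/.ssh/id_rsa: ", and takes the passphrase
from the helper's stdout. The wallet layout is the one from comment 24: a
folder "ssh-agent" whose entries are named by the key file's absolute path.
KWallet is reached with dbus-send (KDE 4 service org.kde.kwalletd, object
/modules/kwalletd, interface org.kde.KWallet); the two parsing helpers are
pure functions so they can be exercised without a wallet or a session bus.
"""
import os
import re
import subprocess
import sys

APP_ID = "kwallet-askpass"   # assumed name; KWallet shows it in its access dialog
FOLDER = "ssh-agent"
DBUS_SEND = ["dbus-send", "--session", "--print-reply",
             "--dest=org.kde.kwalletd", "/modules/kwalletd"]
IFACE = "org.kde.KWallet."

# ssh-add says "Enter passphrase for <path>: "; ssh itself says
# "Enter passphrase for key '<path>': ". Capture the path in both forms.
PROMPT_RE = re.compile(r"for (?:key )?'?(/[^':]+)'?:\s*$")


def key_path_from_prompt(prompt):
    """Return the key file named in the prompt, or None if there is none."""
    m = PROMPT_RE.search(prompt)
    return m.group(1) if m else None


def parse_reply(text):
    """Pull the single return value out of `dbus-send --print-reply` output.

    The output is a "method return ..." header line followed by one typed
    line such as `   string "s3cret"`, `   int32 -1` or `   boolean true`.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("method return"):
        raise ValueError("not a dbus-send method return: %r" % text[:80])
    typ, _, val = lines[-1].partition(" ")
    if typ == "string" and len(val) >= 2 and val[0] == val[-1] == '"':
        return val[1:-1]
    if typ == "int32":
        return int(val)
    if typ == "boolean":
        return val == "true"
    raise ValueError("unhandled D-Bus reply type: %s" % typ)


def wallet_call(method, *args):
    out = subprocess.run(DBUS_SEND + [IFACE + method, *args],
                         check=True, capture_output=True, text=True).stdout
    return parse_reply(out)


def passphrase_for(key_path):
    """Open the default network wallet, read folder/key, close it again."""
    wallet = wallet_call("networkWallet")
    handle = wallet_call("open", "string:" + wallet, "int64:0", "string:" + APP_ID)
    if handle < 0:                      # user refused, or kwalletd is not running
        return None
    try:
        pw = wallet_call("readPassword", "int32:%d" % handle, "string:" + FOLDER,
                         "string:" + key_path, "string:" + APP_ID)
    finally:
        wallet_call("close", "int32:%d" % handle, "boolean:false", "string:" + APP_ID)
    return pw or None                   # an absent entry comes back as ""


def main(argv):
    prompt = argv[1] if len(argv) > 1 else ""
    key = key_path_from_prompt(prompt)
    if key is None:
        sys.stderr.write("kwallet-askpass: no key path in prompt %r\n" % prompt)
        return 1
    # Entries are named by the canonical path, as `readlink -f` would give it.
    pw = passphrase_for(os.path.realpath(key))
    if pw is None:
        return 1                        # no entry: fail rather than print an empty line
    sys.stdout.write(pw + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it the way comment 24 runs its script, `SSH_ASKPASS=$HOME/bin/kwallet-askpass.py ssh-add < /dev/null` from a session autostart entry (path assumed): ssh-add only consults SSH_ASKPASS when its stdin is not a terminal and DISPLAY is set, which is also why typing ssh into a Konsole window does not pop up an askpass helper; OpenSSH 8.4 and later additionally honour SSH_ASKPASS_REQUIRE=force to use the helper even from a terminal. On KDE Frameworks 5 the service and object are org.kde.kwalletd5 and /modules/kwalletd5; the interface and method names are unchanged.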
Comment 25 Frank 2008-11-01 15:32:26 UTC
This package
http://www.kde-apps.org/content/show.php/kssh-add?content=76675

Does the whole thing very seamlessly.  Sorry Matt, I couldn't make your scripts work, but this more or less does the same.

Personally, I don't always want to run ssh-add at startup, so I use

alias ssh='if [ "$(ssh-add -l 2>/dev/null | grep -c "\.ssh")" -eq 0 ]; then ssh-add < /dev/null; fi; ssh'

in my .bashrc so that I run ssh-add if it doesn't already have the passphrase.
Comment 26 Frank 2008-11-01 15:43:33 UTC
The problem I had with kwallet-askpass.sh was:
>sh ./kwallet-askpass.sh
./kwallet-askpass.sh: 13: Syntax error: "(" unexpected
Comment 27 Matt Whitlock 2008-11-02 07:34:19 UTC
(In reply to comment #25)
> This package
> http://www.kde-apps.org/content/show.php/kssh-add?content=76675
> 
> Does the whole thing very seamlessly.

That appears to be for KDE 3.5, whose KWallet uses DCOP rather than D-Bus for interprocess communication.  My script is for the KWallet in KDE 4.

(In reply to comment #26)
> The problem I had with kwallet-askpasss.sh was:
> >sh ./kwallet-askpass.sh
> ./kwallet-askpass.sh: 13: Syntax error: "(" unexpected

Not sure if functions are a POSIX shell feature or a bash extension.  It might work if you remove the () after get_string, since the parens are optional (and mistakenly I put them on one function declaration but not on the other).  If that doesn't work, try changing the shebang line to #!/bin/bash.  sh on my system is actually bash, but on some systems it's something else.
Comment 28 Matthew Woehlke 2008-11-03 23:55:25 UTC
functions are a POSIX shell feature, however the syntax 'function foo() { ... }' is not. I think both 'function foo { ... }' and 'foo() { ... }' are supported, but using both the keyword and ()'s is a syntax error that bash happens to tolerate.
Comment 29 Adrian Friedli 2008-11-04 00:21:19 UTC
checkbashisms [1] is your friend, when you have to make a script POSIX compatible.

[1] http://svn.debian.org/viewsvn/devscripts/trunk/scripts/checkbashisms.pl?view=markup
Comment 30 Matt Whitlock 2008-11-05 02:32:23 UTC
Created attachment 28336 [details]
kwallet-askpass.sh (sans bashisms)

Thank you, Matthew Woehlke and Adrian Friedli.  I have updated my script to remove the bashisms.
Comment 31 Matt Whitlock 2008-11-05 02:37:51 UTC
Created attachment 28337 [details]
kwallet-askpass.sh (fixed typo)

Argh, sorry for the comment spam.  I had a typo. :(
Comment 32 Oswald Buddenhagen 2008-11-29 09:26:47 UTC
wtf, re-add everyone to the cc list ...
Comment 33 cam34 2009-03-26 10:12:44 UTC
Created attachment 32405 [details]
modified script to get password from wallet

This code still doesn't work; it now spits out the correct password, but ssh-add is not playing nice and reading it in.
Comment 34 Jimmy Berry 2009-12-23 01:03:18 UTC
I fiddled around with retrieving folders from kwallet and such, but that didn't seem to be as easy as attempting to just read the .ssh directory.

Someone else may know a good way to filter ssh keys or what-not (I am not a shell script pro), but this seems to get the idea across.

# dbus_send, handle, APPID and get_string are the variables and helper from
# kwallet-askpass.sh (attachment 28337); this loop is meant to run inside it.
for key in ~/.ssh/*
do
  case "$key" in
    *.pub|*/authorized_keys|*/known_hosts*|*/config) continue ;;   # not private keys
  esac
  key=$(readlink -f "$key")
  echo "$key"
  password=$(${dbus_send}readPassword int32:"${handle}" string:"${APPID}" string:"${key}" string:"${APPID}" | get_string)
  if [ -n "${password}" ]
  then
    # ssh-add never reads a passphrase from stdin or a pipe; with stdin not a
    # tty it runs $SSH_ASKPASS and reads the passphrase from that program, so
    # the wallet lookup above only tells us an entry exists for this key.
    # (`echo $password > ssh-add $i` just created a file named "ssh-add".)
    SSH_ASKPASS=/path/to/kwallet-askpass.sh ssh-add "$key" < /dev/null
  fi
done
Comment 35 Tomas Åkesson 2010-02-28 17:10:55 UTC
The script works for me, but only after I have logged in. If I use it in .kde/Autostart I get the following messages in .xsession-errors:

Error org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken

I tried to start kwalletd in the script but without success.

The app in comment #15 works as it should, so I guess the script is missing some initialization process. It would be nice to use the script though because it's easier to modify.

Using OpenSUSE 11.2 and KDE 4.4.0.
Comment 36 Bruno Bigras 2010-02-28 17:26:49 UTC
If you want a quick working solution, install Ksshaskpass and put a script in the ~/.kde/Autostart directory that has :

#!/bin/sh
# stdin comes from /dev/null: with no terminal on stdin (and DISPLAY set),
# ssh-add asks $SSH_ASKPASS for the passphrase instead of prompting.
SSH_ASKPASS=/usr/bin/ksshaskpass /usr/bin/ssh-add < /dev/null

chmod u+x that script and enjoy. It works perfectly for me and I don't need to start kwallet myself.
Comment 37 Davor Cubranic 2010-03-12 18:28:28 UTC
(In reply to comment #27)
> (In reply to comment #25)
> > This package
> > http://www.kde-apps.org/content/show.php/kssh-add?content=76675
> > 
> > Does the whole thing very seamlessly.
> 
> That appears to be for KDE 3.5, whose KWallet uses DCOP rather than D-Bus for
> interprocess communication.  My script is for the KWallet in KDE 4.

Ksshaskpass (http://www.kde-apps.org/content/show.php/show.php?content=50971) now runs on KDE 4.
Comment 38 Jekyll Wu 2011-09-21 14:38:30 UTC
*** Bug 282417 has been marked as a duplicate of this bug. ***
Comment 39 Jekyll Wu 2012-01-02 01:41:47 UTC
*** Bug 278184 has been marked as a duplicate of this bug. ***
Comment 40 Alex 2012-02-06 09:33:33 UTC
That would be awesome!
Comment 41 Mathieu Jobin 2013-01-23 01:47:19 UTC
bump ! ;) please
Comment 42 Steven Roose 2015-06-15 20:51:30 UTC
I currently get prompts all over when using SmartGit. I just use SSH keys with a passphrase, but every time (even on fetches), KWallet prompts and afterwards the SSH key password is prompted. It's getting pretty tiresome.
Comment 43 Giovanni Tirloni 2015-06-30 16:27:34 UTC
At least on kde5, running ssh from Konsole does not trigger ksshaskpass because ssh requires that it's NOT running from a terminal to trigger $SSH_ASKPASS. I don't know how it used to work in the past but I remember it indeed worked (I'd get a GUI prompt for my SSH passphrase if I invoked ssh from a terminal window).
Comment 44 michaelk83 2022-09-06 12:06:26 UTC
*** Bug 291992 has been marked as a duplicate of this bug. ***