vodik / envoy Goto Github PK

A ssh/gpg-agent wrapper leveraging cgroups and systemd/socket activation

License: GNU General Public License v3.0

Python 3.03% C 80.67% Ragel in Ruby Host 13.14% Makefile 3.16%

envoy's Introduction

NOTICE

I've had a lot of fun developing and supporting this tool and learned temendously from developing it. However, I won't be dedicating much more effort into it going foward. Recent changes in gpg-agent have weakened the rational for using envoyd around gpg-agent.

Its simpler and better to just wrap gpg-agent in a service now. That leaves envoy-exec, for this configuration, the only useful component. I've seperated it into a seperate project gpg-tools under the name gpg-exec.

Those using ssh-agent can continue to use this project, but since I primarily use gpg-agent, I can't speak for the quality of it. I will continue to try to support this project and fix bugs.

envoy

Envoy helps you to manage SSH keys in a similar fashion to keychain, but is implemented in C and takes advantage of cgroups and systemd.

The daemon, envoyd, starts the agent of choice in a sanitized environment and caches the associated environmental variables in memory. The agent is started on demand and its lifetime is tracked through cgroups for accuracy. envoyd is typically started as root and can thus serve all the users on the system at once. It checks the credentials of the incoming connection and starts the agent under that uid/guid. If it is started as a user it will only be able to serve that particular user's requests.

The envoy command connects to the daemon and gets all the information associated with the current running agent. It can then do things like add new keys to the agent or output shell code to inject these variables into a shell.

This effectively allows a user to share a single long-running authentication agent between all shells and sessions in a clean and managed fashion that doesn't clutter user login sessions.

Setup

To setup envoy, first enable the socket:

# systemctl enable [email protected]    # to make ssh-agent the default agent
# systemctl enable [email protected]    # or to make it gpg-agent

Then add the following to your shell's rc file.

envoy [key ...]
source <(envoy -p)

The -t flag lets you override the default agent. So envoy -t gpg-agent will launch gpg-agent even if ssh-agent is the system default.

The envoyd daemon will also run just fine under a user session, just note that it won't be able to serve multiple users at once in this configuration.

Usage

usage: envoy [options] [key ...]
Options:
 -h, --help            display this help
 -v, --version         display version
 -d, --defer           defer adding keys until the next envoy invocation
 -a, --add             add private key identities
 -x, --expunge         remove private key identities
 -k, --kill            kill the running agent
 -r, --reload          reload the agent (gpg-agent only)
 -l, --list            list fingerprints of all loaded identities
 -u, --unlock=[PASS]   unlock the agent's keyring (gpg-agent only)
 -p, --print           print out environmental arguments
 -s, --sh              print sh style commands
 -c, --csh             print csh style commands
 -f, --fish            print fish style commands
 -t, --agent=AGENT     set the preferred agent to start

Note that when passing in keys, if they reside in ~/.ssh/, then just providing the filename is sufficient.

Envoy with ssh-agent

When invoking envoy causes ssh-agent to start, on that first run any keys passed to envoy will be added to the agent. The default behavior is to check for the presence of the files .ssh/id_rsa, .ssh/id_dsa, .ssh/id_ecdsa and .ssh/id_ed25519 and load those files if present.

Envoy with gpg-agent

Keys are never implicitly added with gpg-agent. Instead, keys have to be explicitly added through either envoy -a or ssh-add. The agent will then continue track those identities automatically without having to be specified in the future.

The agent will also still respect ~/.gnupg/gpg-agent.conf. For example, to disable scdaemon, put disable-scdaemon in that file.

Note that invoking envoy also updates gpg-agent with the current status, if available, of the tty and X. It is the same effect of running echo UPDATESTARTUPTTY | gpg-connect-agent. This may cause some odd behaviour with the pinentry. The pinentry may appear in an inappropriate place if this data becomes stale. This is a limitation of gpg-agent itself.

Envoy's pam integration

Envoy provides a pam module to load the agent into the environment at login instead of relying on envoy -p. To use it, edit /etc/pam.d/login and add:

session   optional    pam_envoy.so

Its also possible provide an optional argument to choose which agent type to start:

session   optional    pam_envoy.so    gpg-agent

Envoy can also optionally unlock gpg-agent's keyring automatically with your password, but in order to do so it needs an auth token. To enable this, add:

auth      optional    pam_envoy.so
session   optional    pam_envoy.so

Note that this relies on gpg-agent's passphrase presetting support. To enable this, ensure allow-preset-passphrase is also in ~/.gnupg/gpg-agent.conf.

Wrappers with envoy

Envoy has support for wrapping commands through envoy-exec. The utility will connect to the daemon, setup the environment, and launch the provided command. For example:

envoy-exec ssh [email protected]

It is also possible to write an envoy-exec "script" to provide a terser wrapper.

#!/usr/bin/envoy-exec
/usr/bin/ssh

This script will behave as if its been invoked as envoy-exec ssh.

Cgroups support

Having been unable to find a simple cgroups library targeted at embedding, I wrote my own. cgroups.c has been borrowed from my own project here.

Any bugs with the cgroups support or confusions with terminology (I'm pretty sure my terminology is way off) should be reported there.

envoy's People

Contributors

Stargazers

Watchers

Forkers

apsu gtmanfred mic92 waytai ragnardanneskjold zdzichu ramonmaruko gfa prodigeni wzugang ssaavedra blueyed linecode ashang 0xack13 kkpan11

envoy's Issues

Thunar support for remote location

Hi there,

First of all sorry if I don't fully comprehend the use cases of envoy. Yet I would like to use it as an lightweight gnome-keyring alternative to remember the passwords for remote locations in Thunar. The following screenshots shows how Thunar asks you whether you want to remember the password for the remote location forever.

Is it possible with envoy to store this password so that I do not have to enter it again?

Thanks ahead for your support!

gpg-agent backend fails if $GNUPGHOME is set

envoy fails to connect to gpg-agent backend if $GNUPGHOME is set with the following error:
envoy: failed to connect to GPG_AUTH_SOCK: No such file or directory
from a cursory inspection of the code, it seems that envoy.c calls everywhere
gpg_agent_connection(data->gpg, NULL)
and from gpg-protocol.rl we get:
struct gpg_t *gpg_agent_connection(const char *sock, const char *home)
...
len = snprintf(sa.un.sun_path, sizeof(sa.un.sun_path), "%s/.gnupg/S.gpg-agent", home ? home : get_home_dir())

this howrever is incorrect twice:

it ignores the env var that sets gnupg home
even if it'd read $GNUPGHOME were it set, it'd generate a socket path path along the lines of "$GNUPGHOME/.gnupg/S.gpg-agent", while if set it should actually generate "$GNUPGHOME/S.gpg-agent" if set and "$HOME/.gnupg/S.gpg-agent" if not set

Double free of struct gpg_t in pam_sm_authenticate

It looks like a struct gpg_t is freed twice in pam_envoy.c.
There is both a _cleanup_gpg_ attribute (that calls gpg_close) as well as a gpg_close at the end.
This leads to a crash when leaving the if section.

    if (data.status == ENVOY_RUNNING && data.type == AGENT_GPG_AGENT) {
        _cleanup_gpg_ struct gpg_t *agent = gpg_agent_connection(data.gpg, pwd->pw_dir);

        if (password) {
            const struct fingerprint_t *fpt = gpg_keyinfo(agent);
            for (; fpt; fpt = fpt->next) {
                if (gpg_preset_passphrase(agent, fpt->fingerprint, -1, password) < 0)
                    syslog(PAM_LOG_ERR, "failed to unlock '%s'", fpt->fingerprint);
            }
        }

        gpg_close(agent);
    }

is_dead can lie horribly

I'd bother you in IRC about this, but I might forget, so here's a bug report.

Your is_dead function only checks that a PID of the given number exists. Depending on when this is called, it might erroneously return. I suggest handling your signals, along with SIGCHLD in a signalfd descriptor that you can add to your epoll loop. This removes the crappy async/racy behavior of signals as well.

Feel free to nag me if this is unclear. 'man 2 signalfd' should get you started, though. systemd has some usage of this if you want an example (though it probably isn't the most straightforward).

timeout for keys

Specify timeout for the keys stored in memory. So it is more secure.

failed to create cgroup subsystem

I got the following error:

╭─[~]─[joerg@turing-machine]─[ruby-2.0.0-p195]
╰─[:(] % sudo /usr/bin/envoyd
envoyd: failed to create cgroup subsystem: No such file or directory

feel free to ask for additional information.

PAM not working under ArchLinux (using LightDM)

I enabled the envoy service with:

systemctl enable [email protected]

... added these to my /etc/pam.d/login:

auth      optional    pam_envoy.so
session   optional    pam_envoy.so    gpg-agent

... and added envoy id_rsa to my .zshrc, but it still doesn't work... there's something else I should configure to make it work? or is it a bug?

envoy-exec corrupts PATH.

PATH is garbled in the child processes.

user sessions seems to be broken on systemd 215

Starting gpg-agent for uid=1000 gid=100.
envoyd: dbus error: Process org.freedesktop.systemd1 exited with status 1
gpg-agent exited with status 1.

GNUPGHOME is ignored

For some reason GNUPGHOME is ignored when using envoy. If I just use source <(gpg-agent --daemon --enable-ssh-support) it works fine.

Envoy doesn't work with gnupg from git.

Git build of gpg-agent doesn't work with envoy. SSH_AGENT_PID isn't provided. Its presence isn't something envoy should be relying on anyways.

$ gpg-agent --daemon --enable-ssh-support
GPG_AGENT_INFO=/home/simon/.gnupg/S.gpg-agent:5282:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/home/simon/.gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;

RFE: support to replace gnome-keyring

hello,
do you plan to implement the dbus interfaces/whatever needs to make envoy a replacement for gnome-keyring?
ideally i would use envoy as a secret storage.

thanks!

Port to sd-bus

This will unfortunately set a hard dep on systemd>=221, so care must be taken to be somewhat backwards compatible.

Make envoy unlock ssh-agent/gpg-agent on login

I'd like envoy to provide some of the niceties of gnome-keyring.

gnome-keyring somehow allows you to "unlock" it on logging into your user account/session (apparently through a PAM module), and only asks you for a passphrase on keys it holds the first time you access them, then doesn't require typing them in from that point on.

I assume that how this actually works is that gnome-keyring's login keychain is keyed to your user's passphrase, which the pam module securely passes to the gnome-keyring-daemon process, and that it encrypts other passphrases and keys that you use/type in the first time, so it has direct access to them when the login keychain is unlocked if one of the agents it manages requests it.

I'm not willing to suggest you make envoy achieve gnome-keyring complexity or encrypt credentials for you, but if it were possible to force-unlock gpg-agent, for instance, that'd be awesome.

envoy -p fails: "envoy: agent failed to start, check envoyd's log"

From time to time envoy -p starts to fail for me. I am using it in ~/.zshrc:

envoy: agent failed to start, check envoyd's log

journalctl /usr/bin/envoyd gives me:

Dec 18 20:06:45 a.example.com envoyd[1336]: Agent gpg-agent for uid=1000 has terminated. Restarting...
Dec 18 20:06:45 a.example.com envoyd[1336]: Starting gpg-agent for uid=1000.
Dec 18 20:06:45 a.example.com envoyd[1336]: Unit envoy-gpg-agent-monitor-1000.scope already exists.gpg-agent[4488]: enabled debug flags: command mpi crypto memory cache memstat hashing ipc
Dec 18 20:06:45 a.example.com envoyd[1336]: gpg-agent: a gpg-agent is already running - not starting a new one
Dec 18 20:06:45 a.example.com envoyd[1336]: gpg-agent: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
Dec 18 20:06:45 a.example.com envoyd[1336]: outmix=0 getlvl1=0/0 getlvl2=0/0
Dec 18 20:06:45 a.example.com envoyd[1336]: gpg-agent: secmem usage: 0/32768 bytes in 0 blocks
Dec 18 20:06:45 a.example.com envoyd[1336]: gpg-agent exited with status 2.

And with debug-level guru in ~/.gnupg/gpg-agent.conf I get this in the log-file:

2015-12-18 20:06:45 gpg-agent[1339] handler 0x7f76c8b7f700 for fd 9 started
2015-12-18 20:06:45 gpg-agent[1339] DBG: chan_9 -> OK Pleased to meet you, process 4488
2015-12-18 20:06:45 gpg-agent[4488] DBG: chan_5 <- OK Pleased to meet you, process 4488
2015-12-18 20:06:45 gpg-agent[4488] DBG: chan_5 -> BYE
2015-12-18 20:06:45 gpg-agent[1339] DBG: chan_9 <- BYE
2015-12-18 20:06:45 gpg-agent[1339] DBG: chan_9 -> OK closing connection
2015-12-18 20:06:45 gpg-agent[1339] handler 0x7f76c8b7f700 for fd 9 terminated

The journalctl after a reboot:

-- Reboot --
Dec 18 19:47:04 a.example.com envoyd[1336]: Starting gpg-agent for uid=1000.
Dec 18 19:47:04 a.example.com envoyd[1336]: gpg-agent[1337]: enabled debug flags: command mpi crypto memory cache memstat hashing ipc
Dec 18 19:59:40 a.example.com envoyd[1336]: Agent gpg-agent for uid=1000 has terminated. Restarting...
Dec 18 19:59:40 a.example.com envoyd[1336]: Starting gpg-agent for uid=1000.
Dec 18 19:59:40 a.example.com envoyd[1336]: Unit envoy-gpg-agent-monitor-1000.scope already exists.gpg-agent[2000]: enabled debug flags: command mpi crypto memory cache memstat hashing ipc
Dec 18 19:59:40 a.example.com envoyd[1336]: gpg-agent: a gpg-agent is already running - not starting a new one
Dec 18 19:59:40 a.example.com envoyd[1336]: gpg-agent: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
Dec 18 19:59:40 a.example.com envoyd[1336]: outmix=0 getlvl1=0/0 getlvl2=0/0
Dec 18 19:59:40 a.example.com envoyd[1336]: gpg-agent: secmem usage: 0/32768 bytes in 0 blocks
Dec 18 19:59:40 a.example.com envoyd[1336]: gpg-agent exited with status 2.

From the gpg-agent.log:

2015-12-18 19:47:07 gpg-agent[1339] DBG: rsa_verify    => Good
2015-12-18 19:47:07 gpg-agent[1339] ssh request handler for sign_request (13) ready
2015-12-18 19:47:09 gpg-agent[1339] handler 0x7f76c9380700 for fd 9 started
2015-12-18 19:47:09 gpg-agent[1339] DBG: chan_9 -> OK Pleased to meet you, process 1488
2015-12-18 19:47:09 gpg-agent[1339] DBG: chan_9 <- RESET
2015-12-18 19:47:09 gpg-agent[1339] DBG: chan_9 -> OK
2015-12-18 19:47:09 gpg-agent[1339] DBG: chan_9 <- OPTION ttyname=/dev/pts/0
2015-12-18 19:47:09 gpg-agent[1339] DBG: chan_9 -> OK
2015-12-18 19:47:09 gpg-agent[1339] DBG: chan_9 <- OPTION ttytype=rxvt-unicode-256color
2015-12-18 19:47:09 gpg-agent[1339] DBG: chan_9 -> OK
2015-12-18 19:47:09 gpg-agent[1339] DBG: chan_9 <- OPTION display=:0
2015-12-18 19:47:09 gpg-agent[1339] DBG: chan_9 -> OK
2015-12-18 19:47:09 gpg-agent[1339] DBG: chan_9 <- OPTION xauthority=/home/user/.Xauthority
2015-12-18 19:47:09 gpg-agent[1339] DBG: chan_9 -> OK
2015-12-18 19:47:09 gpg-agent[1339] DBG: chan_9 <- UPDATESTARTUPTTY
2015-12-18 19:47:09 gpg-agent[1339] DBG: chan_9 -> OK
2015-12-18 19:47:09 gpg-agent[1339] DBG: chan_9 <- [eof]
2015-12-18 19:47:09 gpg-agent[1339] handler 0x7f76c9380700 for fd 9 terminated
2015-12-18 19:48:06 gpg-agent[1339] handler 0x7f76c8b7f700 for fd 11 started
2015-12-18 19:48:06 gpg-agent[1339] DBG: chan_11 -> OK Pleased to meet you, process 1339
2015-12-18 19:48:06 gpg-agent[1339] DBG: chan_9 <- OK Pleased to meet you, process 1339
2015-12-18 19:48:06 gpg-agent[1339] DBG: chan_9 -> GETINFO pid
2015-12-18 19:48:06 gpg-agent[1339] DBG: chan_11 <- GETINFO pid
2015-12-18 19:48:06 gpg-agent[1339] DBG: chan_11 -> D 1339
2015-12-18 19:48:06 gpg-agent[1339] DBG: chan_11 -> OK
2015-12-18 19:48:06 gpg-agent[1339] DBG: chan_9 <- D 1339
2015-12-18 19:48:06 gpg-agent[1339] DBG: chan_9 <- OK
2015-12-18 19:48:06 gpg-agent[1339] DBG: chan_9 -> BYE
2015-12-18 19:48:06 gpg-agent[1339] DBG: chan_11 <- BYE
2015-12-18 19:48:06 gpg-agent[1339] DBG: chan_11 -> OK closing connection
2015-12-18 19:48:06 gpg-agent[1339] handler 0x7f76c8b7f700 for fd 11 terminated
2015-12-18 19:49:06 gpg-agent[1339] handler 0x7f76c9380700 for fd 11 started
2015-12-18 19:49:06 gpg-agent[1339] DBG: chan_11 -> OK Pleased to meet you, process 1339
2015-12-18 19:49:06 gpg-agent[1339] DBG: chan_9 <- OK Pleased to meet you, process 1339
2015-12-18 19:49:06 gpg-agent[1339] DBG: chan_9 -> GETINFO pid
2015-12-18 19:49:06 gpg-agent[1339] DBG: chan_11 <- GETINFO pid
2015-12-18 19:49:06 gpg-agent[1339] DBG: chan_11 -> D 1339
2015-12-18 19:49:06 gpg-agent[1339] DBG: chan_11 -> OK
2015-12-18 19:49:06 gpg-agent[1339] DBG: chan_9 <- D 1339
2015-12-18 19:49:06 gpg-agent[1339] DBG: chan_9 <- OK
2015-12-18 19:49:06 gpg-agent[1339] DBG: chan_9 -> BYE
2015-12-18 19:49:06 gpg-agent[1339] DBG: chan_11 <- BYE
2015-12-18 19:49:06 gpg-agent[1339] DBG: chan_11 -> OK closing connection
2015-12-18 19:49:06 gpg-agent[1339] handler 0x7f76c9380700 for fd 11 terminated
2015-12-18 19:50:06 gpg-agent[1339] handler 0x7f76c8b7f700 for fd 11 started
2015-12-18 19:50:06 gpg-agent[1339] DBG: chan_11 -> OK Pleased to meet you, process 1339
2015-12-18 19:50:06 gpg-agent[1339] DBG: chan_9 <- OK Pleased to meet you, process 1339
2015-12-18 19:50:06 gpg-agent[1339] DBG: chan_9 -> GETINFO pid
2015-12-18 19:50:06 gpg-agent[1339] DBG: chan_11 <- GETINFO pid
2015-12-18 19:50:06 gpg-agent[1339] DBG: chan_11 -> D 1339
2015-12-18 19:50:06 gpg-agent[1339] DBG: chan_11 -> OK
2015-12-18 19:50:06 gpg-agent[1339] DBG: chan_9 <- D 1339
2015-12-18 19:50:06 gpg-agent[1339] DBG: chan_9 <- OK
2015-12-18 19:50:06 gpg-agent[1339] DBG: chan_9 -> BYE
2015-12-18 19:50:06 gpg-agent[1339] DBG: chan_11 <- BYE
2015-12-18 19:50:06 gpg-agent[1339] DBG: chan_11 -> OK closing connection
2015-12-18 19:50:06 gpg-agent[1339] handler 0x7f76c8b7f700 for fd 11 terminated
2015-12-18 19:51:06 gpg-agent[1339] handler 0x7f76c9380700 for fd 11 started
2015-12-18 19:51:06 gpg-agent[1339] DBG: chan_11 -> OK Pleased to meet you, process 1339
2015-12-18 19:51:06 gpg-agent[1339] DBG: chan_9 <- OK Pleased to meet you, process 1339
2015-12-18 19:51:06 gpg-agent[1339] DBG: chan_9 -> GETINFO pid
2015-12-18 19:51:06 gpg-agent[1339] DBG: chan_11 <- GETINFO pid
2015-12-18 19:51:06 gpg-agent[1339] DBG: chan_11 -> D 1339
2015-12-18 19:51:06 gpg-agent[1339] DBG: chan_11 -> OK
2015-12-18 19:51:06 gpg-agent[1339] DBG: chan_9 <- D 1339
2015-12-18 19:51:06 gpg-agent[1339] DBG: chan_9 <- OK
2015-12-18 19:51:06 gpg-agent[1339] DBG: chan_9 -> BYE
2015-12-18 19:51:06 gpg-agent[1339] DBG: chan_11 <- BYE
2015-12-18 19:51:06 gpg-agent[1339] DBG: chan_11 -> OK closing connection
2015-12-18 19:51:06 gpg-agent[1339] handler 0x7f76c9380700 for fd 11 terminated
2015-12-18 19:52:06 gpg-agent[1339] handler 0x7f76c8b7f700 for fd 11 started
2015-12-18 19:52:06 gpg-agent[1339] DBG: chan_11 -> OK Pleased to meet you, process 1339
2015-12-18 19:52:06 gpg-agent[1339] DBG: chan_9 <- OK Pleased to meet you, process 1339
2015-12-18 19:52:06 gpg-agent[1339] DBG: chan_9 -> GETINFO pid
2015-12-18 19:52:06 gpg-agent[1339] DBG: chan_11 <- GETINFO pid
2015-12-18 19:52:06 gpg-agent[1339] DBG: chan_11 -> D 1339
2015-12-18 19:52:06 gpg-agent[1339] DBG: chan_11 -> OK
2015-12-18 19:52:06 gpg-agent[1339] DBG: chan_9 <- D 1339
2015-12-18 19:52:06 gpg-agent[1339] DBG: chan_9 <- OK
2015-12-18 19:52:06 gpg-agent[1339] DBG: chan_9 -> BYE
2015-12-18 19:52:06 gpg-agent[1339] DBG: chan_11 <- BYE
2015-12-18 19:52:06 gpg-agent[1339] DBG: chan_11 -> OK closing connection
2015-12-18 19:52:06 gpg-agent[1339] handler 0x7f76c8b7f700 for fd 11 terminated
2015-12-18 19:53:06 gpg-agent[1339] handler 0x7f76c9380700 for fd 11 started
2015-12-18 19:53:06 gpg-agent[1339] DBG: chan_11 -> OK Pleased to meet you, process 1339
2015-12-18 19:53:06 gpg-agent[1339] DBG: chan_9 <- OK Pleased to meet you, process 1339
2015-12-18 19:53:06 gpg-agent[1339] DBG: chan_9 -> GETINFO pid
2015-12-18 19:53:06 gpg-agent[1339] DBG: chan_11 <- GETINFO pid
2015-12-18 19:53:06 gpg-agent[1339] DBG: chan_11 -> D 1339
2015-12-18 19:53:06 gpg-agent[1339] DBG: chan_11 -> OK
2015-12-18 19:53:06 gpg-agent[1339] DBG: chan_9 <- D 1339
2015-12-18 19:53:06 gpg-agent[1339] DBG: chan_9 <- OK
2015-12-18 19:53:06 gpg-agent[1339] DBG: chan_9 -> BYE
2015-12-18 19:53:06 gpg-agent[1339] DBG: chan_11 <- BYE
2015-12-18 19:53:06 gpg-agent[1339] DBG: chan_11 -> OK closing connection
2015-12-18 19:53:06 gpg-agent[1339] handler 0x7f76c9380700 for fd 11 terminated
2015-12-18 19:54:06 gpg-agent[1339] handler 0x7f76c8b7f700 for fd 11 started
2015-12-18 19:54:06 gpg-agent[1339] DBG: chan_11 -> OK Pleased to meet you, process 1339
2015-12-18 19:54:06 gpg-agent[1339] DBG: chan_9 <- OK Pleased to meet you, process 1339
2015-12-18 19:54:06 gpg-agent[1339] DBG: chan_9 -> GETINFO pid
2015-12-18 19:54:06 gpg-agent[1339] DBG: chan_11 <- GETINFO pid
2015-12-18 19:54:06 gpg-agent[1339] DBG: chan_11 -> D 1339
2015-12-18 19:54:06 gpg-agent[1339] DBG: chan_11 -> OK
2015-12-18 19:54:06 gpg-agent[1339] DBG: chan_9 <- D 1339
2015-12-18 19:54:06 gpg-agent[1339] DBG: chan_9 <- OK
2015-12-18 19:54:06 gpg-agent[1339] DBG: chan_9 -> BYE
2015-12-18 19:54:06 gpg-agent[1339] DBG: chan_11 <- BYE
2015-12-18 19:54:06 gpg-agent[1339] DBG: chan_11 -> OK closing connection
2015-12-18 19:54:06 gpg-agent[1339] handler 0x7f76c8b7f700 for fd 11 terminated
2015-12-18 19:55:06 gpg-agent[1339] handler 0x7f76c9380700 for fd 11 started
2015-12-18 19:55:06 gpg-agent[1339] DBG: chan_11 -> OK Pleased to meet you, process 1339
2015-12-18 19:55:06 gpg-agent[1339] DBG: chan_9 <- OK Pleased to meet you, process 1339
2015-12-18 19:55:06 gpg-agent[1339] DBG: chan_9 -> GETINFO pid
2015-12-18 19:55:06 gpg-agent[1339] DBG: chan_11 <- GETINFO pid
2015-12-18 19:55:06 gpg-agent[1339] DBG: chan_11 -> D 1339
2015-12-18 19:55:06 gpg-agent[1339] DBG: chan_11 -> OK
2015-12-18 19:55:06 gpg-agent[1339] DBG: chan_9 <- D 1339
2015-12-18 19:55:06 gpg-agent[1339] DBG: chan_9 <- OK
2015-12-18 19:55:06 gpg-agent[1339] DBG: chan_9 -> BYE
2015-12-18 19:55:06 gpg-agent[1339] DBG: chan_11 <- BYE
2015-12-18 19:55:06 gpg-agent[1339] DBG: chan_11 -> OK closing connection
2015-12-18 19:55:06 gpg-agent[1339] handler 0x7f76c9380700 for fd 11 terminated
2015-12-18 19:56:06 gpg-agent[1339] handler 0x7f76c8b7f700 for fd 11 started
2015-12-18 19:56:06 gpg-agent[1339] DBG: chan_11 -> OK Pleased to meet you, process 1339
2015-12-18 19:56:06 gpg-agent[1339] DBG: chan_9 <- OK Pleased to meet you, process 1339
2015-12-18 19:56:06 gpg-agent[1339] DBG: chan_9 -> GETINFO pid
2015-12-18 19:56:06 gpg-agent[1339] DBG: chan_11 <- GETINFO pid
2015-12-18 19:56:06 gpg-agent[1339] DBG: chan_11 -> D 1339
2015-12-18 19:56:06 gpg-agent[1339] DBG: chan_11 -> OK
2015-12-18 19:56:06 gpg-agent[1339] DBG: chan_9 <- D 1339
2015-12-18 19:56:06 gpg-agent[1339] DBG: chan_9 <- OK
2015-12-18 19:56:06 gpg-agent[1339] DBG: chan_9 -> BYE
2015-12-18 19:56:06 gpg-agent[1339] DBG: chan_11 <- BYE
2015-12-18 19:56:06 gpg-agent[1339] DBG: chan_11 -> OK closing connection
2015-12-18 19:56:06 gpg-agent[1339] handler 0x7f76c8b7f700 for fd 11 terminated
2015-12-18 19:57:06 gpg-agent[1339] handler 0x7f76c9380700 for fd 11 started
2015-12-18 19:57:06 gpg-agent[1339] DBG: chan_11 -> OK Pleased to meet you, process 1339
2015-12-18 19:57:06 gpg-agent[1339] DBG: chan_9 <- OK Pleased to meet you, process 1339
2015-12-18 19:57:06 gpg-agent[1339] DBG: chan_9 -> GETINFO pid
2015-12-18 19:57:06 gpg-agent[1339] DBG: chan_11 <- GETINFO pid
2015-12-18 19:57:06 gpg-agent[1339] DBG: chan_11 -> D 1339
2015-12-18 19:57:06 gpg-agent[1339] DBG: chan_11 -> OK
2015-12-18 19:57:06 gpg-agent[1339] DBG: chan_9 <- D 1339
2015-12-18 19:57:06 gpg-agent[1339] DBG: chan_9 <- OK
2015-12-18 19:57:06 gpg-agent[1339] DBG: chan_9 -> BYE
2015-12-18 19:57:06 gpg-agent[1339] DBG: chan_11 <- BYE
2015-12-18 19:57:06 gpg-agent[1339] DBG: chan_11 -> OK closing connection
2015-12-18 19:57:06 gpg-agent[1339] handler 0x7f76c9380700 for fd 11 terminated
2015-12-18 19:58:07 gpg-agent[1339] handler 0x7f76c8b7f700 for fd 11 started
2015-12-18 19:58:07 gpg-agent[1339] DBG: chan_11 -> OK Pleased to meet you, process 1339
2015-12-18 19:58:07 gpg-agent[1339] DBG: chan_9 <- OK Pleased to meet you, process 1339
2015-12-18 19:58:07 gpg-agent[1339] DBG: chan_9 -> GETINFO pid
2015-12-18 19:58:07 gpg-agent[1339] DBG: chan_11 <- GETINFO pid
2015-12-18 19:58:07 gpg-agent[1339] DBG: chan_11 -> D 1339
2015-12-18 19:58:07 gpg-agent[1339] DBG: chan_11 -> OK
2015-12-18 19:58:07 gpg-agent[1339] DBG: chan_9 <- D 1339
2015-12-18 19:58:07 gpg-agent[1339] DBG: chan_9 <- OK
2015-12-18 19:58:07 gpg-agent[1339] DBG: chan_9 -> BYE
2015-12-18 19:58:07 gpg-agent[1339] DBG: chan_11 <- BYE
2015-12-18 19:58:07 gpg-agent[1339] DBG: chan_11 -> OK closing connection
2015-12-18 19:58:07 gpg-agent[1339] handler 0x7f76c8b7f700 for fd 11 terminated
2015-12-18 19:59:07 gpg-agent[1339] handler 0x7f76c9380700 for fd 11 started
2015-12-18 19:59:07 gpg-agent[1339] DBG: chan_11 -> OK Pleased to meet you, process 1339
2015-12-18 19:59:07 gpg-agent[1339] DBG: chan_9 <- OK Pleased to meet you, process 1339
2015-12-18 19:59:07 gpg-agent[1339] DBG: chan_9 -> GETINFO pid
2015-12-18 19:59:07 gpg-agent[1339] DBG: chan_11 <- GETINFO pid
2015-12-18 19:59:07 gpg-agent[1339] DBG: chan_11 -> D 1339
2015-12-18 19:59:07 gpg-agent[1339] DBG: chan_11 -> OK
2015-12-18 19:59:07 gpg-agent[1339] DBG: chan_9 <- D 1339
2015-12-18 19:59:07 gpg-agent[1339] DBG: chan_9 <- OK
2015-12-18 19:59:07 gpg-agent[1339] DBG: chan_9 -> BYE
2015-12-18 19:59:07 gpg-agent[1339] DBG: chan_11 <- BYE
2015-12-18 19:59:07 gpg-agent[1339] DBG: chan_11 -> OK closing connection
2015-12-18 19:59:07 gpg-agent[1339] handler 0x7f76c9380700 for fd 11 terminated
2015-12-18 19:59:40 gpg-agent[1339] handler 0x7f76c9380700 for fd 9 started
2015-12-18 19:59:40 gpg-agent[1339] DBG: chan_9 -> OK Pleased to meet you, process 2000
2015-12-18 19:59:40 gpg-agent[2000] DBG: chan_5 <- OK Pleased to meet you, process 2000
2015-12-18 19:59:40 gpg-agent[2000] DBG: chan_5 -> BYE
2015-12-18 19:59:40 gpg-agent[1339] DBG: chan_9 <- BYE
2015-12-18 19:59:40 gpg-agent[1339] DBG: chan_9 -> OK closing connection
2015-12-18 19:59:40 gpg-agent[1339] handler 0x7f76c9380700 for fd 9 terminated
2015-12-18 20:00:07 gpg-agent[1339] handler 0x7f76c8b7f700 for fd 11 started
2015-12-18 20:00:07 gpg-agent[1339] DBG: chan_11 -> OK Pleased to meet you, process 1339
2015-12-18 20:00:07 gpg-agent[1339] DBG: chan_9 <- OK Pleased to meet you, process 1339
2015-12-18 20:00:07 gpg-agent[1339] DBG: chan_9 -> GETINFO pid
2015-12-18 20:00:07 gpg-agent[1339] DBG: chan_11 <- GETINFO pid
2015-12-18 20:00:07 gpg-agent[1339] DBG: chan_11 -> D 1339
2015-12-18 20:00:07 gpg-agent[1339] DBG: chan_11 -> OK

I am using envoy-git 14.34.g963b231-1 on Arch Linux.

"A stop job is running for Envoy agent monitoring scope" during shutdown

I often see the above message during shutdown / reboot.

It will stay there usually for up to 1m29s.

It does not happen always, but often enough for me to taking a note from it on paper.

segfault with potential race condition

I have had this issue for quite a long time, but since it is not always I haven't taken the time to investigate or report it. It happens when I start up the computer and log in to my user account. I can quite easily reproduce it by rebooting and loging in several times. Usually my solution if it happens is to reboot and then it usually works the next time.

The result is that the systemd unit don't successfully start and sometimes affects other parts of the user systemd making that unusable.

I get this line in dmesg:

envoyd[481]: segfault at 0 ip 00007ff346ba22ff sp 00007ffc04f53b18 error 4 in libc-2.22.so[7ff346b0c000+19b000]

I get these in the journal:

Oct 25 09:31:25 falcon systemd-logind[518]: New session c1 of user terje.
Oct 25 09:31:26 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:27 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:28 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:29 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:30 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:31 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:33 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:34 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:35 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:36 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:37 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:38 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:40 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:41 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:42 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:43 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:44 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:45 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:47 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:48 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:49 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:50 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:51 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:52 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:54 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:55 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:56 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:57 falcon systemd[1]: Looping too fast. Throttling execution a little.
Oct 25 09:31:57 falcon login[1208]: pam_unix(login:session): session opened for user terje by (uid=0)
Oct 25 09:31:57 falcon login[1208]: pam_systemd(login:session): Cannot create session: Already occupied by a session
Oct 25 09:31:57 falcon envoyd[481]: Starting gpg-agent for uid=1000.
Oct 25 09:31:58 falcon kernel: envoyd[481]: segfault at 0 ip 00007ff346ba22ff sp 00007ffc04f53b18 error 4 in libc-2.22.so[7ff346b0c000+19b000]
Oct 25 09:31:58 falcon envoyd[481]: Connection timed out
Oct 25 09:31:58 falcon systemd[1]: [email protected]: Main process exited, code=dumped, status=11/SEGV
Oct 25 09:31:58 falcon systemd[1]: [email protected]: Unit entered failed state.
Oct 25 09:31:58 falcon systemd[1]: [email protected]: Failed with result 'core-dump'.
Oct 25 09:31:58 falcon systemd[1]: envoy-gpg-agent-monitor-1000.scope: Failed to add PIDs to scope's control group: No such process
Oct 25 09:31:58 falcon systemd[1]: Failed to start Envoy agent monitoring scope.
-- Subject: Unit envoy-gpg-agent-monitor-1000.scope has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit envoy-gpg-agent-monitor-1000.scope has failed.
-- 
-- The result is failed.
Oct 25 09:31:58 falcon systemd[1]: envoy-gpg-agent-monitor-1000.scope: Unit entered failed state.
Oct 25 09:31:58 falcon systemd[1]: Created slice user-1000.slice.
-- Subject: Unit user-1000.slice has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit user-1000.slice has finished starting up.
-- 
-- The start-up result is done.
Oct 25 09:31:58 falcon systemd[1]: Starting User Manager for UID 1000...
-- Subject: Unit [email protected] has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit [email protected] has begun starting up.
Oct 25 09:31:58 falcon systemd[1]: session-c1.scope: Failed to add PIDs to scope's control group: No such process
Oct 25 09:31:58 falcon systemd[1]: Failed to start Session c1 of user terje.
-- Subject: Unit session-c1.scope has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit session-c1.scope has failed.
-- 
-- The result is failed.
Oct 25 09:31:58 falcon systemd[1]: session-c1.scope: Unit entered failed state.

I am not sure if the Looping too fast. Throttling execution a little. is related in any way, but included it just in case. Please let me know if I can further debug this.

What makes me believe that this might be a race condition is that it sometimes works and sometimes doesn't.

presetting gpg keys with envoy -u

$ gpg-connect-agent <<<"KEYINFO --list"                           
S KEYINFO ACC465BD091B2EF5755EC09B5D570FD8DA585264 D - - - - - - -
S KEYINFO D9EE1C2B93CD1E52D939AF76F5E807CCAEC561C7 D - - - - - - -
OK

The above are ssh keygrips.

My gpg keygrip is DB83CF45B9FAAC82F7C7429DEB12F1C169B76D5D. If I do
envoy -u, and enter the password for the gpg key (DB83…), it returns;
strace shows presetting only for the two ssh keygrips above. After
this, attempting to use the gpg key results in a pinentry.

On the other hand, if I do

/usr/lib/gnupg/gpg-preset-passphrase --preset DB83CF45B9FAAC82F7C7429DEB12F1C169B76D5D

and enter the gpg passphrase, then I can use my gpg key without entering
a passphrase again.

gpg2 -K shows my key in secring.gpg, and DB83… is the keygrip of my pubkey shown in gpg --fingerprint --fingerprint <id>

gnupg 2.0.22-2
envoy 9c6551e

Add keys in pam module

It would be great if the pam module could add keys using my password as the passphrase (or prompting a second time if the passphrase is different), same as pam_ssh with try_first_pass (or use_first_pass if you don't want it to ever prompt).

Thanks!

Support for multiple agents per user

I currently use something like this to use gpg-agent and ssh-agent in parallel:

source <(ENVOY_SOCKET="@/vodik/envoy/gpg-agent" envoy --agent=gpg-agent --print)
source <(ENVOY_SOCKET="@/vodik/envoy/ssh-agent" envoy --print)

But wouldn't it be cleaner, if this is the default?

Envoy breaks on systemd-209

The dbus stuff starts failing, which isn't the end of the world. The problem is that its taking a long time to timeout.

Failed to chmod: No such file or directory

I have just installed the latest envoy from git and now I get the following error when I try to start [email protected]:

envoyd[464]: envoyd: failed to chmod: No such file or directory

After this the service fails and terminates.

ssh-add hangs in a busy loop

I'm using systemd/user to listen to a socket:

# envoy.socket
[Socket]
ListenStream=@/vodik/envoy

[Install]
WantedBy=sockets.target

# envoy.service
[Unit]
Description=Envoy agent monitor

[Service]
ExecStart=/usr/bin/envoyd -t ssh-agent

[Install]
WantedBy=default.target
Also=default.socket

In my shell I start envoy -p

#zshrc
source <(envoy -p)

This blocks my shell the first time I login. htop shows ssh-add -- running with 100% CPU usage.

gpg-agent no longer prompts with pinentry for ssh keys

The gnupg update from 2.1.7-1 -> 2.1.8-2 appears to be the culprit.

list gpg keys

envoy -l should show also gpg keys if the agent being used. gpg --list-keys seems to list any key in your keyring rather than ones that are currently managed, so it may not be useful like I thought it would be.

PAM unable to dlopen

Feb 26 15:05:48 vodik login[13625]: PAM unable to dlopen(/usr/lib/security/pam_envoy.so): /usr/lib/security/pam_envoy.so: undefined symbol: gpg_preset_passphrase
Feb 26 15:05:48 vodik login[13625]: PAM adding faulty module: /usr/lib/security/pam_envoy.so

failed to write agent data: Broken pipe

● [email protected] - Envoy agent monitor for gpg-agent
   Loaded: loaded (/usr/lib/systemd/system/[email protected]; disabled)
   Active: failed (Result: start-limit) since Mon 2014-08-25 10:56:52 EDT; 51s ago
     Docs: man:envoyd(1)
           man:envoy(1)
  Process: 2741 ExecStart=/usr/bin/envoyd -t %i (code=exited, status=1/FAILURE)
 Main PID: 2741 (code=exited, status=1/FAILURE)

Aug 25 10:56:52 vodik envoyd[2735]: gpg-agent exited with status 1.
Aug 25 10:56:52 vodik envoyd[2735]: envoyd: failed to write agent data: Broken pipe
Aug 25 10:56:52 vodik envoyd[2738]: Starting gpg-agent for uid=1000 gid=100.
Aug 25 10:56:52 vodik envoyd[2738]: envoyd: dbus error: Unit envoy-gpg-agent-monitor-1000.scope already exists.
Aug 25 10:56:52 vodik envoyd[2738]: gpg-agent exited with status 1.
Aug 25 10:56:52 vodik envoyd[2738]: envoyd: failed to write agent data: Broken pipe
Aug 25 10:56:52 vodik envoyd[2741]: Starting gpg-agent for uid=1000 gid=100.
Aug 25 10:56:52 vodik envoyd[2741]: envoyd: dbus error: Unit envoy-gpg-agent-monitor-1000.scope already exists.
Aug 25 10:56:52 vodik envoyd[2741]: gpg-agent exited with status 1.
Aug 25 10:56:52 vodik envoyd[2741]: envoyd: failed to write agent data: Broken pipe

pam_envoy does not work with systemd --user sessions

When you are running as the user, and want to add the environment variables to your user session, you can't because it fails to setuid to 0 before executing the putenv.

I have no idea how to go about fixing this, if it is at all possible to fix currently

User sessions are broken

I am trying to run envoy as a user unit session, since I wish to set my GPG homedir to a custom path and not force it upon all users of my system. Something similar was discussed here: #7. However, dbus causes issues with this.

README: NOTICE lacking references

Actually this is a personal request, no really an issue... but as it may be useful for others, I think it's worth opening it instead of sending a private e-mail.

You said that the recent changes in gpg-agent "deprecated" envoyd, but I found nothing in the changelogs explicit enough for me to understand how envoy could be replaced solely by gpg-agent.

There is any reference or documentation that could give this direction? Until now envoy has worked really well for me, but I personally prefer less dependencies for my system... so I'm really curious on how to achieve this setup.

pam_envoy doesn't unlock

Relevant lines in the journalctl. I edited pam_envoy.c to display data.status and data.type.
[email protected] is already enabled.

Mar 20 12:37:31 athena envoyd[286]: Starting gpg-agent for uid=1000.
Mar 20 12:37:31 athena lightdm[642]: pam-envoy: status: 1 type: 1
Mar 20 12:37:31 athena lightdm[642]: pam-envoy: expected status: 2 type: 1
Mar 20 12:37:31 athena lightdm[293]: ** (process:642): WARNING **: Error getting user list from org.freedesktop.Accounts: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.Accounts was not provided by any .service files
Mar 20 12:37:31 athena lightdm[616]: pam_unix(lightdm-greeter:session): session closed for user lightdm
Mar 20 12:37:31 athena lightdm[642]: pam_unix(lightdm:session): session opened for user marco by (uid=0)
Mar 20 12:37:31 athena systemd-logind[292]: New session c2 of user marco.
Mar 20 12:37:31 athena systemd[649]: pam_unix(systemd-user:session): session opened for user marco by (uid=0)

Keep same environment with PAM / act as proxy for agent

I am using the PAM module, and it seems that (at least) envoy --kill will result in the environment to become out of date.

Would it be possible for envoy to wrap the agent (I am using gpg-agent currently), so that killing and restarting it would not require you to use eval "$(envoy -p)" to update the environment to the new one?
E.g. by making envoy manage the sockets and act as a proxy to the real agent?

I know that I have used envoy --kill while I really wanted envoy --expunge instead, but it made me wonder.

I am using this in /etc/pam.d/common-session on Ubuntu:

session   optional    pam_envoy.so gpg-agent

failed to add key

Hi. Thanks for great app!

But i have problem with adding key:

vtolstov@selfip ~> strace -ff -v -F envoy  -a .ssh/git
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
socket(PF_LOCAL, SOCK_STREAM, 0)        = 3
connect(3, {sa_family=AF_LOCAL, sun_path=@"/vodik/envoy"}, 15) = -1 ECONNREFUSED (Connection refused)
exit_group(0)                           = ?
+++ exited with 0 +++

Before that i'm already do

systemctl enable [email protected]
systemctl enable [email protected]

Envoy is broken in gpg-agent from -git

SSH_AGENT_PID isn't reported anymore. pid needs to be parsed out of GPG_AUTH_SOCK

pam_envoy doesn't inject environmental variables correctly.

pam_envoy only injects GPG_AGENT_INFO when status is ENVOY_RUNNING, ignoring ENVOY_STARTED

Add a mention of gpg-agent.socket to the README

It was far from obvious to me that systemctl enable [email protected] was what I was interested in!

From 36539dfc2fb14316023c92c3e085f0f61be48c00 Mon Sep 17 00:00:00 2001
From: Magnus Therning <[email protected]>
Date: Tue, 10 Jun 2014 15:32:03 +0200
Subject: [PATCH] Add mention of gpg-agent.socket in README.

Signed-off-by: Magnus Therning <[email protected]>

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index bf0d979..d2b153f 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,7 @@ To setup envoy, first enable the socket:

     # systemctl enable [email protected]

+(If you want to use `gpg-agent` then run `systemctl enable [email protected]` instead.)
 Then add the following to your shell's rc file.

     envoy -t ssh-agent [key ...]     # gpg-agent also supported
-- 
2.0.0

unlocking ssh-agent keys via pam

As I understood it's possible to unlock ssh-keys automatically using pam auth with pam_envoy. However this useful feature doesn't work (at least) for me. I'd appreciate any ideas regarding debugging this issue.

envoy v8-12-g8a2881f

missing-call-to-setgroups-before-setuid

rpmlint complains:

E: missing-call-to-setgroups-before-setuid /usr/lib64/security/pam_envoy.so
E: missing-call-to-setgroups-before-setuid /usr/bin/envoyd

This has potential security implications:
This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this mean it didn't relinquish all groups, and
this would be a potential security issue to be fixed. Seek POS36-C on the web
for details about the problem.

gpg-agent not retaining keys

With gnupg 2.0.20, the password for my gpg key is prompted every time it is used for encrypting, signing, etc. Right now I'm using the pam module with the line session optional pam_envoy.sh gpg-agent.

Workaround:

install gnupg-git
restart envoy.service
issue envoy -t gpg-agent in the shell

At this point everything is back to normal.

I haven't tested without the pam module.

security implications of serving several users at once

Doesn't this decrease security, because the private keys of different users are kept in the same process? A buffer overflow in envoy may compromise the private keys of all users. Using one process per user does not have this problem.

envoy might cause X server to freeze/lock (processes are STOPped)

I've seen it occasionally that the X server would appear to have frozen, usually when switching back to it (I am using two Xorg instances, through startx).

This happened occasionally and I could not reproduce it.

I am using envoy-exec in a script started from .xprofile, which runs in the background.

And now I've noticed that this also happens during login already when the gpg-agent.conf contains a non-existent entry for pinentry-program: pinentry-program /usr/bin/pinentry-qt4 (which recently moved to /usr/bin/pinentry-qt on Arch Linux).

I am using -t gpg-agent with envoy, via systemctl enable [email protected].

Presetting support for gpg keys other than the ssh keyring

disable scdaemon

it's useless!

Don't load keys (or ask for a passphrase) during envoy startup

Envoy will ask for a passphrase immediately after its first invocation. If a desktop environment calls /usr/bin/envoy during startup, envoy will block execution until a passphrase is entered (the same happens during bash login). It would be convinient to be able to start envoy daemon without any keys loaded into it and load them later by running ssh-add or during the first invocation of ssh (which will ask for a pass). Maybe a command line option like -n would make sense.

eval is evil!

The README suggests that you add "eval $(envoy -p)" to your shell config, but eval is evil! For the low low cost of one extra character, you can use source instead, like so: source <(envoy -p)

build fixes

Can you add ability to pass libdir for Makefile?
Now i need to

sed -i -e "s:/usr/lib/security:/${LIBDIR}/security:" Makefile
sed -i -e "s:/usr/lib:/usr/${LIBDIR}:" Makefile

envoy needs to be started after dbus to work correctly

i had a lot of problems lately as the service file starts envoy at the same time as dbus, if i change it to start envoy after dbus the problems disappear.

clarify envoy license

i see some files have GPL3 headers, can you clarify further and add a COPYING or LICENSE file?

thanks!

Strange behavior using pam_envoy without same password in keys

Well, first things first: the #37 was fixed (at least for me) in the last commits... not sure which one, but it works perfectly right now! Thank you :)

But I would like to note that there's a strange behavior when the keys and the user password aren't the same:
When trying to use gpg after I authenticated with LightDM, it will give me an pinentry (in this case pinentry-gtk-2) asking me for the passphrase... okay, everything good until here. In the same terminal, if I try something that will use the gpg-agent as ssh-agent (for example git push), it will simply give me this:

Agent admitted failure to sign using the key.
Permission denied (publickey).

... without even asking me anything!

At the same time, if I just authenticate through an tty, the behaviors will be switched: The gpg will give me the following (yes, always twice):

gpg: signing failed: Operation cancelled
gpg: signing failed: Operation cancelled

...again, without asking me anything first. And the ssh command (again, git push) will give me the pinentry (now pinentry-curses) correctly!

AAAAAAND (don't know if I should fill another issue for this one, if I should just tell me and I'll do it) if I authenticate on both LightDM and another tty at the same time... the chaos reigns. When I use anything in the terminal at my desktop, the pinentry will show on the tty as pinentry-curses, and if I try the same on the tty... it appears nowhere!

I would imagine that envoy-exec is here to help in the last situation by setting where the pinentry will appear... but unfortunately it just gives me the following on envoy-exec git push:

[1]    15029 segmentation fault (core dumped)  envoy-exec git push

If my account password and gpg key are the same, everything said works fine... but the envoy-exec git push still crashes.

Add unit tests

...