I use public-key based access for a number of things and gpg-agent is a useful way to avoid having to repeatedly type the passphrases needed to unlock the private keys. The agent prompts you for the passphrase and then uses the unlocked keys for a user-determined time period. For a number of reasons it is a "good thing" if this prompting happens in a different interface from the one where the key is being used. In an X window environment this is done by the pinentry-gtk avatar of pinentry, which pops up a new window.

However, I use screen to multiplex operations within a single terminal session, often without an X session. It used to bother me that I could not get pinentry-curses to pop up in a different window. No more ;). Here is a hack that seems to work.
- Decide on some location like $HOME/.gnupg/pin-tty and assign it to the variable PINTTY.
- Use the additional options --ttypath $PINTTY, --ttytype screen and --keep-tty for gpg-agent.
- Start a screen window with the command

  screen -M -t pin socat -,raw,echo=0 PTY,link=$PINTTY
Now every time a program asks gpg-agent to use a secret key, it will invoke pinentry-curses, which will connect to the pin window under screen; the latter will warn you (-M) that something is asking for a passphrase.
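The three steps above, wrapped into one script, as an added example that is not part of the original post. It uses the gpg-agent option names exactly as the post gives them (--ttypath, --ttytype, --keep-tty); the function names start_pin_window, wait_for_link, link_is_private and start_agent are my own, and the script assumes screen and socat are on PATH, that it is run from inside the screen session, and that find understands -maxdepth (GNU and BSD find both do). Beyond the post's steps it waits for socat's symlink to appear before starting the agent, and refuses a pin tty whose directory is not mode 700, since anyone who can attach to that pty can read the passphrase as it is typed.

```shell
#!/bin/sh
# pin-screen.sh: added example, not code from the original post.  Wires up the
# three steps: pick a tty path, start a screen window running socat to provide
# a pty at that path, then start gpg-agent pointed at it.  The gpg-agent option
# names are the ones the post gives; check `gpg-agent --help` on your version
# before relying on them.  Assumes screen and socat on PATH and find -maxdepth.

PINTTY="${PINTTY:-${HOME:-.}/.gnupg/pin-tty}"   # step 1: the agreed location

# Step 3: open a window named 'pin' in the *current* screen session; -M makes
# screen flag the window when pinentry writes to it.  socat hands its pty to
# whatever attaches there and keeps the symlink at $1 pointing to it.
start_pin_window() {
    [ -n "${STY:-}" ] || { echo "run this from inside a screen session" >&2; return 1; }
    screen -M -t pin socat -,raw,echo=0 "PTY,link=$1"
}

# socat creates the link only after the pty is open, so wait for it instead of
# racing gpg-agent against it.  $2 = seconds to wait (default 5).
wait_for_link() {
    tries=${2:-5}
    while [ "$tries" -gt 0 ]; do
        [ -e "$1" ] && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Refuse a pin tty someone else could attach to: the link and its directory
# must be ours and the directory must be exactly mode 700, like ~/.gnupg.
link_is_private() {
    dir=$(dirname "$1")
    [ -L "$1" ] || [ -e "$1" ] || return 1
    find "$dir" -maxdepth 0 -user "$(id -un)" -perm 700 2>/dev/null | grep -q . || return 1
    find "$1" -maxdepth 0 -user "$(id -un)" 2>/dev/null | grep -q .
}

# Step 2: gpg-agent told to prompt on that pty and to keep using it even when
# the calling program's own tty differs.  Option names taken from the post.
start_agent() {
    gpg-agent --daemon --ttypath "$1" --ttytype screen --keep-tty
}

# Usage, from inside screen:  sh pin-screen.sh start
if [ "${1:-}" = start ]; then
    mkdir -p "$(dirname "$PINTTY")" && chmod 700 "$(dirname "$PINTTY")"
    start_pin_window "$PINTTY"
    wait_for_link "$PINTTY" 5 || { echo "no pty appeared at $PINTTY" >&2; exit 1; }
    link_is_private "$PINTTY" || { echo "$PINTTY is not private; refusing to use it" >&2; exit 1; }
    start_agent "$PINTTY"
fi
```

The wait matters because socat only creates the link once the pty exists; without it gpg-agent can be started against a path that is not there yet. The ownership and mode check is the defensive half of the hack: the pin window is where the passphrase is typed in the clear, so the pty must be as private as the keyring directory it lives in.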
It would be nice if one did not have to invoke socat and screen could do step (3) directly.

Is there any way to integrate the use of gpg-agent with openvpn when the latter uses SSL keys?
There may be some security issues with such use! I can't see any at the moment but I may be wrong. :-(