Re: Entering a passphrase interactively in a runit script
...if the goal is to avoid storing a private key in plaintext, can that private key live in a hardware store (PKCS#11, TPM, etc) instead?

On Thu, May 26, 2016 at 8:49 AM Steve Litt wrote:
> On Thu, 26 May 2016 14:16:16 +0100
> Jonathan de Boyne Pollard wrote:
>
> > Christophe-Marie Duquesne:
> > > Any idea how to proceed?
> >
> > You're running a daemon. It really shouldn't have an interactive
> > user interface. Remember the lessons that resulted in Session 0
> > Isolation in Windows NT.
>
> The more I read of this thread, the more I think it's a bad idea to
> have a boot-instantiated daemon acquire a password by any means, and
> the more I think maybe a completely different approach might be more
> appropriate. So let me ask the original poster a few questions:
>
> * What does this daemon do?
> * How many users does the machine have?
>   - At one time?
>   - Ever?
> * Would all the machine's users be expected to know the password?
> * Did you write the daemon yourself?
> * Why does it need to be a supervised daemon, rather than just a
>   program the user runs?
>
> Thanks,
>
> SteveT
>
> Steve Litt
> May 2016 featured book: Rapid Learning for the 21st Century
> http://www.troubleshooters.com/rl21
Re: Entering a passphrase interactively in a runit script
On Thu, 26 May 2016 14:16:16 +0100
Jonathan de Boyne Pollard wrote:

> Christophe-Marie Duquesne:
> > Any idea how to proceed?
>
> You're running a daemon. It really shouldn't have an interactive
> user interface. Remember the lessons that resulted in Session 0
> Isolation in Windows NT.

The more I read of this thread, the more I think it's a bad idea to have a boot-instantiated daemon acquire a password by any means, and the more I think maybe a completely different approach might be more appropriate. So let me ask the original poster a few questions:

* What does this daemon do?
* How many users does the machine have?
  - At one time?
  - Ever?
* Would all the machine's users be expected to know the password?
* Did you write the daemon yourself?
* Why does it need to be a supervised daemon, rather than just a program the user runs?

Thanks,

SteveT

Steve Litt
May 2016 featured book: Rapid Learning for the 21st Century
http://www.troubleshooters.com/rl21
Re: Entering a passphrase interactively in a runit script
On Wed, 25 May 2016 12:50:50 +0200
Christophe-Marie Duquesne wrote:

> Hi,
>
> I am trying to write a runit script that would require a passphrase
> when starting. This passphrase must not exist in clear on the
> filesystem, and it would require user interaction.

You can use the various implementations of ssh-askpass or gnupg's pinentry. You will need to maintain a TTY (perhaps in tmux) or X11 instance for that to work. Still, as others pointed out, non-restartable services are peculiar.

> I tried to have runit read the passphrase into the environment of the
> script:
>
> read -s PASSPHRASE
> exec prog # reads PASSPHRASE from the environment

That does not store the passphrase in the environment. That stores it in a shell variable (the specification calls it a parameter). You need to add:

export PASSPHRASE

for it to get "exported" to the process environment. But be aware that the environment is generally freely readable by any other process and thus it's pretty useless for secret passphrases.

A better approach might be to give your service a command to call to obtain the passphrase, which then may be implemented in a variety of ways. One such way is http://www.passwordstore.org/ which stores passphrases in gnupg-encrypted files and you would be able to grant access to it to the service via gpg-agent.
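As an added illustration of the shell-variable versus environment point made in the reply above (example code written here, not from the thread or from runit), these POSIX sh functions show that an unexported variable never reaches the exec'd child, that an exported one lands in the child's environment where other tooling can inspect it, and that a helper command can instead hand the secret to the child over a pipe. The value "constructed-secret" and the helper passphrase_command are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not code from the thread. Each case runs in a subshell so
# nothing leaks between cases; "constructed-secret" is a placeholder value.

# Case 1: `read -s PASSPHRASE` (or a plain assignment) only sets a shell
# variable. The child process started with `exec prog` does not see it.
child_sees_var() {
  ( unset PASSPHRASE
    PASSPHRASE="constructed-secret"
    sh -c 'printf %s "${PASSPHRASE:-}"' )
}

# Case 2: after `export`, the child sees it, but the value now sits in the
# child's environment, which other tooling can read (e.g. /proc/<pid>/environ
# on Linux, or `ps` with environment output), so this is not a secret store.
child_sees_exported() {
  ( unset PASSPHRASE
    PASSPHRASE="constructed-secret"
    export PASSPHRASE
    sh -c 'printf %s "${PASSPHRASE:-}"' )
}

# Does PASSPHRASE appear in the child's environment? Prints yes or no.
env_has_passphrase_var() {
  ( unset PASSPHRASE
    PASSPHRASE="constructed-secret"
    sh -c 'env | grep -q "^PASSPHRASE=" && echo yes || echo no' )
}
env_has_passphrase_exported() {
  ( unset PASSPHRASE
    PASSPHRASE="constructed-secret"
    export PASSPHRASE
    sh -c 'env | grep -q "^PASSPHRASE=" && echo yes || echo no' )
}

# Case 3: obtain the secret from a helper command and pass it over a pipe.
# In a real run script the helper would be something like `pass show <entry>`
# from the password store mentioned above; here it is a constructed stand-in.
# The child reads one line from stdin; the value never enters the environment.
child_reads_pipe() {
  ( unset PASSPHRASE
    passphrase_command() { printf '%s\n' "constructed-secret"; }
    passphrase_command | sh -c 'IFS= read -r p; printf %s "$p"' )
}
```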