Re: Entering a passphrase interactively in a runit script

2016-05-26 Thread Charles Duffy
...if the goal is to avoid storing a private key in plaintext, can that
private key live in a hardware store (PKCS#11, TPM, etc) instead?

On Thu, May 26, 2016 at 8:49 AM Steve Litt 
wrote:

> On Thu, 26 May 2016 14:16:16 +0100
> Jonathan de Boyne Pollard 
> wrote:
>
> > Christophe-Marie Duquesne:
> > > Any idea how to proceed?
> >
> > You're running a daemon.  It really shouldn't have an interactive
> > user interface.  Remember the lessons that resulted in Session 0
> > Isolation in Windows NT.
>
> The more I read of this thread, the more I think it's a bad idea to
> have a boot-instantiated daemon acquire a password by any means, and
> the more I think maybe a completely different approach might be more
> appropriate. So let me ask the original poster a few questions:
>
> * What does this daemon do?
> * How many users does the machine have?
>   - At one time?
>   - Ever?
> * Would all the machine's users be expected to know the password?
> * Did you write the daemon yourself?
> * Why does it need to be a supervised daemon, rather than just a
>   program the user runs?
>
> Thanks,
>
> SteveT
>
> Steve Litt
> May 2016 featured book: Rapid Learning for the 21st Century
> http://www.troubleshooters.com/rl21
>


Re: Entering a passphrase interactively in a runit script

2016-05-26 Thread Steve Litt
On Thu, 26 May 2016 14:16:16 +0100
Jonathan de Boyne Pollard 
wrote:

> Christophe-Marie Duquesne:
> > Any idea how to proceed?  
> 
> You're running a daemon.  It really shouldn't have an interactive
> user interface.  Remember the lessons that resulted in Session 0
> Isolation in Windows NT.

The more I read of this thread, the more I think it's a bad idea to
have a boot-instantiated daemon acquire a password by any means, and
the more I think maybe a completely different approach might be more
appropriate. So let me ask the original poster a few questions:

* What does this daemon do?
* How many users does the machine have?
  - At one time?
  - Ever?
* Would all the machine's users be expected to know the password?
* Did you write the daemon yourself?
* Why does it need to be a supervised daemon, rather than just a
  program the user runs? 

Thanks,

SteveT

Steve Litt 
May 2016 featured book: Rapid Learning for the 21st Century
http://www.troubleshooters.com/rl21


Re: Entering a passphrase interactively in a runit script

2016-05-26 Thread Jan Pobrislo
On Wed, 25 May 2016 12:50:50 +0200
Christophe-Marie Duquesne wrote:

> Hi,
> 
> I am trying to write a runit script that would require a passphrase
> when starting. This passphrase must not exist in clear on the
> filesystem, and it would require user interaction.

You can use the various implementations of ssh-askpass or gnupg's
pinentry. You will need to maintain a TTY (perhaps in tmux) or X11
instance for that to work. Still, as others pointed out, non-restartable
services are peculiar.

> I tried to have runit read the passphrase into the environment of the
> script:
> 
> read -s PASSPHRASE
> exec prog # reads PASSPHRASE from the environment

That does not store the passphrase in the environment. That stores it in
a shell variable (the specification calls it a parameter). You need to add:

export PASSPHRASE

for it to get "exported" to the process environment. But be aware that
the environment is generally freely readable by any other process and
thus it's pretty useless for secret passphrases.

A better approach might be to give your service a command to call to
obtain the passphrase, which may then be implemented in a variety of ways.
One such way is http://www.passwordstore.org/, which stores passphrases
in gnupg-encrypted files, and you would be able to grant access to it to
the service via gpg-agent.
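As an added illustration, not code from this thread or from runit, the script below shows the shell-variable versus environment distinction described above, and contrasts exporting the secret with handing it to the service over a pipe from a "secret command". `secret_cmd` is a constructed stand-in for something like `pass show svc/passphrase`, and `fake_prog` is a constructed stand-in for a daemon that accepts its passphrase on stdin; both are assumptions, not anything the original poster's program supports.

```shell
#!/bin/sh
# Added example; none of these names come from the thread.

# Does a separate process see PASSPHRASE? $1 is "export" or "noexport".
# Prints "yes" or "no".
child_sees_var() {
    unset PASSPHRASE                      # start clean, drop any export attribute
    PASSPHRASE=constructed-secret         # a shell variable (parameter) only
    if [ "$1" = export ]; then export PASSPHRASE; fi
    # sh -c is a new process: it inherits only the exported environment.
    result=$(sh -c 'if [ -n "${PASSPHRASE+set}" ]; then echo yes; else echo no; fi')
    unset PASSPHRASE
    printf '%s\n' "$result"
}

# Constructed stand-in for a secret command such as `pass show svc/passphrase`.
secret_cmd() { printf 'constructed-secret\n'; }

# Constructed stand-in for the daemon: runs as a separate process, reads one
# line of stdin as its passphrase, and reports whether that same value is also
# visible in its own environment (which any process of the same user can read).
fake_prog() {
    sh -c 'IFS= read -r pw
           if [ "${PASSPHRASE-}" = "$pw" ]; then e=leaked; else e=clean; fi
           printf "got=%s env=%s\n" "$pw" "$e"'
}

# The approach the thread warns against: export the secret, then exec the
# program. The value is now in the environment of the child.
run_with_secret_in_env() {
    PASSPHRASE=$(secret_cmd); export PASSPHRASE
    printf '%s\n' "$PASSPHRASE" | fake_prog
    unset PASSPHRASE
}

# The pipe alternative a run script could use: the secret command writes the
# passphrase into the daemon's stdin; nothing is placed in the environment.
run_with_secret_on_stdin() {
    secret_cmd | fake_prog
}
```

In a real run script the last function collapses to `exec sh -c 'pass show svc/passphrase | exec prog'` with a `prog` that reads its passphrase from stdin or a dedicated file descriptor; the pipe buffer, unlike the environment, is not exposed to other processes.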