Bug#843863: libvirt-clients: Can't use gpg-agent's ssh-agent implementation with a console-based pinentry

Guilhem Moulin Thu, 10 Nov 2016 02:27:52 -0800

Package: libvirt-clients
Version: 2.4.0-1+b1
Severity: normal
Tags: patch

Dear Maintainer,


gpg-agent(1) can emulate the OpenSSH Agent protocol (which provides
pubkey-authentication using an authentication-capable OpenPGP key, in
addition to the usual identity files).  However for a console-based
password prompt (such as pinentry-curses) to work, the ‘GPG_TTY’
environment variable needs to be set to the current TTY.

Using gpg-agent's ssh-agent implementation is currently not possible for
SSH remote URIs, because the environment is cleaned before calling the
ssh(1) binary.  The enclosed patches adds ‘GPG_TTY’ to the list of
environment variables passed to the child.

Thanks for maintaining libvirt in Debian!
Cheers
-- 
Guilhem.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libvirt-clients depends on:
ii  libapparmor1        2.10.95-6
ii  libaudit1           1:2.6.7-1
ii  libavahi-client3    0.6.32-1
ii  libavahi-common3    0.6.32-1
ii  libc6               2.24-5
ii  libcap-ng0          0.7.7-3
ii  libdbus-1-3         1.10.12-1
ii  libdevmapper1.02.1  2:1.02.133-1
ii  libgnutls30         3.5.5-6
ii  libnl-3-200         3.2.27-1
ii  libnl-route-3-200   3.2.27-1
ii  libnuma1            2.0.11-2
ii  libreadline7        7.0-1
ii  libsasl2-2          2.1.27~72-g88d82a3+dfsg-1
ii  libselinux1         2.6-3
ii  libssh2-1           1.7.0-1
ii  libvirt0            2.4.0-1+b1
ii  libxen-4.8          4.8.0~rc3-1
ii  libxml2             2.9.4+dfsg1-2.1
ii  libyajl2            2.1.0-2

libvirt-clients recommends no packages.

Versions of packages libvirt-clients suggests:
ii  libvirt-daemon  2.4.0-1+b1

-- no debconf information

From 45494adf56fbfa69ed69226e0bee4c584ffda167 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guil...@guilhem.org>
Date: Thu, 10 Nov 2016 11:17:05 +0100
Subject: [PATCH] Pass GPG_TTY env var to the ssh binary

---
 src/rpc/virnetsocket.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
index 405f5ba..95cda86 100644
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -839,6 +839,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
     virCommandAddEnvPassBlockSUID(cmd, "KRB5CCNAME", NULL);
     virCommandAddEnvPassBlockSUID(cmd, "SSH_AUTH_SOCK", NULL);
     virCommandAddEnvPassBlockSUID(cmd, "SSH_ASKPASS", NULL);
+    virCommandAddEnvPassBlockSUID(cmd, "GPG_TTY", NULL);
     virCommandAddEnvPassBlockSUID(cmd, "DISPLAY", NULL);
     virCommandAddEnvPassBlockSUID(cmd, "XAUTHORITY", NULL);
     virCommandClearCaps(cmd);
-- 
2.10.2

signature.asc
Description: PGP signature

Bug#843863: libvirt-clients: Can't use gpg-agent's ssh-agent implementation with a console-based pinentry

Reply via email to