random ssh keys (╯°□°)╯︵ ┻━┻ gnome-keyring
assistant: Work around horrible, terrible, very bad behavior of gnome-keyring, by not storing special-purpose ssh keys in ~/.ssh/*.pub. Apparently gnome-keyring will load and indiscriminately use such keys in some cases, even if they are not using any of the standard ssh key names. Instead store the keys in ~/.ssh/annex/, which gnome-keyring will not check. Note that neither I nor #debian-devel were able to quite reproduce this problem, but I believe it exists, and that this fixes it. And it certainly won't hurt anything.
parent
dd7e35ed97
commit
aca9e4f0b4
3 changed files with 25 additions and 4 deletions
|
@ -160,11 +160,18 @@ genSshKeyPair = withTempDir "git-annex-keygen" $ \dir -> do
|
|||
{- Installs a ssh key pair, and sets up ssh config with a mangled hostname
|
||||
- that will enable use of the key. This way we avoid changing the user's
|
||||
- regular ssh experience at all. Returns a modified SshData containing the
|
||||
- mangled hostname. -}
|
||||
- mangled hostname.
|
||||
-
|
||||
- Note that the key files are put in ~/.ssh/annex/, rather than directly
|
||||
- in ssh because of an **INSANE** behavior of gnome-keyring: It loads
|
||||
- ~/.ssh/*.pub, and uses them indiscriminately. But using this key
|
||||
- for a normal login to the server will force git-annex-shell to run,
|
||||
- and locks the user out. Luckily, it does not recurse into subdirectories.
|
||||
-}
|
||||
setupSshKeyPair :: SshKeyPair -> SshData -> IO SshData
|
||||
setupSshKeyPair sshkeypair sshdata = do
|
||||
sshdir <- sshDir
|
||||
createDirectoryIfMissing True sshdir
|
||||
createDirectoryIfMissing True $ parentDir $ sshdir </> sshprivkeyfile
|
||||
|
||||
unlessM (doesFileExist $ sshdir </> sshprivkeyfile) $ do
|
||||
h <- fdToHandle =<<
|
||||
|
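Review bot: The `unlessM (doesFileExist $ sshdir </> sshprivkeyfile)` check now looks only under `annex/`, so a key pair that an earlier version installed directly in `~/.ssh/` is left where it is, `.pub` file included, and stays visible to gnome-keyring. Consider moving an existing `key.*` pair into the new directory at this point, or removing the old copy once the new one is written, so upgraded installs get the fix without manual steps. In the new comment, "rather than directly in ssh" should read "directly in ~/.ssh".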
@ -178,7 +185,7 @@ setupSshKeyPair sshkeypair sshdata = do
|
|||
setSshConfig sshdata
|
||||
[ ("IdentityFile", "~/.ssh/" ++ sshprivkeyfile) ]
|
||||
where
|
||||
sshprivkeyfile = "key." ++ mangleSshHostName sshdata
|
||||
sshprivkeyfile = "annex" </> "key." ++ mangleSshHostName sshdata
|
||||
sshpubkeyfile = sshprivkeyfile ++ ".pub"
|
||||
|
||||
{- Setups up a ssh config with a mangled hostname.
|
||||
|
|
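Review bot: The `IdentityFile` value is still assembled from the literal `"~/.ssh/"`, while the key itself is written under `sshdir </> sshprivkeyfile`, so the two paths agree only as long as `sshDir` resolves to `~/.ssh`. Now that `sshprivkeyfile` carries a subdirectory component, building both paths from one helper would keep the config entry and the file on disk in step. It is also worth stating whether `setSshConfig` rewrites a stanza written by an earlier version, since that stanza would still point at the old key location.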
6
debian/changelog
vendored
|
@ -32,6 +32,12 @@ git-annex (4.20130406) UNRELEASED; urgency=low
|
|||
Thanks, guilhem for the patch.
|
||||
* Added per-remote annex-rsync-transport option.
|
||||
Thanks, guilhem for the patch.
|
||||
* assistant: Work around horrible, terrible, very bad behavior of
|
||||
gnome-keyring, by not storing special-purpose ssh keys in ~/.ssh/*.pub.
|
||||
Apparently gnome-keyring apparently will load and indiscriminately use
|
||||
such keys in some cases, even if they are not using any of the standard
|
||||
ssh key names. Instead store the keys in ~/.ssh/annex/,
|
||||
which gnome-keyring will not check.
|
||||
|
||||
-- Joey Hess <joeyh@debian.org> Sat, 06 Apr 2013 15:24:15 -0400
|
||||
|
||||
|
|
|
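Review bot: The new changelog entry reads "Apparently gnome-keyring apparently", with the word doubled, and it does not tell users who already have keys in `~/.ssh/` that the change will not relocate them. Drop one "apparently" and add a line pointing at the manual steps: move the keys to `~/.ssh/annex/`, update `~/.ssh/config`, and run `ssh-add -D`.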
@ -18,4 +18,12 @@ git-annex version: 4.20130324, Ubuntu 11.04
|
|||
|
||||
**Please provide any additional information below.**
|
||||
|
||||
|
||||
> [[done]]. Although I have not 100% reproduced this, I have seen
|
||||
> enough of the source code to gnome-keyring to be pretty sure it's at
|
||||
> fault, and that my fix works.
|
||||
>
|
||||
> If this is happening to you, you can fix it by making a `~/.ssh/annex/`
|
||||
> directory and moving `~/.ssh/key.annex*` to it. Then you'll need to edit
|
||||
> `~/.ssh/config` to use the new path to the key. And you'll need to run
|
||||
> `ssh-add -D` to clear out the bogus keys from the ssh agent (or log out
|
||||
> and back in). --[[Joey]]
|
||||
|
|
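Review bot: The manual fix in the added reply names the glob `~/.ssh/key.annex*`, which matches only if the mangled hostname begins with `annex`; this commit builds the file name as `"key." ++ mangleSshHostName sshdata` and the mangling itself is not shown here. Confirm the glob against `mangleSshHostName`, and name the `IdentityFile` line as the entry to change in `~/.ssh/config` so readers know exactly what to edit.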