monotone-devel

Re: [Monotone-devel] keyring integration from a user POV


From: Justin Patrin
Subject: Re: [Monotone-devel] keyring integration from a user POV
Date: Mon, 9 Apr 2007 07:52:16 -0700

On 4/8/07, Benoît Dejean <address@hidden> wrote:
On Saturday 07 April 2007 at 11:16 -0700, Justin Patrin wrote:
> On 4/6/07, Benoît Dejean <address@hidden> wrote:

(i've reordered email content)

> I had updated the manual with lots of info about the ssh-agent
> integration but I don't see it online...strange. I also created a page
> on the wiki with a bunch of information, including some FAQs that may
> answer your questions.
>
> http://www.venge.net/mtn-wiki/MonotoneAndSSHAgent
>
> Let us know if this doesn't answer your questions.

Useful link but it answers only a few of my questions

> >
> > - Why is it using ssh-agent if it doesn't really need to ? I mean it
> > used to work without by using the hook. On windows where i don't run any
> > ssh-agent, it works as it used to be.

It seems to me that the password hook and ssh-agent are both trying to
get my key. Maybe it's just a matter of order: 1) hook 2) ssh-agent?
Is the password hook obsolete?

They're not both "trying to get your key". The signature code (and
anywhere else that needs it) is what gets your key.

ssh-agent support is supposed to supersede the password hook. It is
far more secure than leaving your key password in plaintext on your
hard drive. If you use both then you won't ever have to enter your
password (as it will be in the hook) and mtn will also add it to
ssh-agent. However, this isn't how it's meant to be used.


> > - Who is asking for unlocking my main real ssh key ?

To see if ssh-agent has your mtn key in it, it has to list the keys
that ssh-agent has. It sounds like your agent is unlocking the keys in
order to list them. This sounds to me like a bit of a misnomer as
listing keys only gets you the public part, not the private part.

> > - Do i have control over the ssh key monotone is using ?

Yes. The wiki says i can export it and manually add it. Do i really need
to add it every time? What if monotone stored my ssh key in
~/.monotone/sshkeys/<id> and automatically added it? Monotone ssh keys
are not meant for ssh, having a dedicated keystore makes sense to me.

There is only one "ssh-agent" keystore and these are the keys that
have been added to ssh-agent. It doesn't matter where your keys
reside, they will all be tried when you ssh if they're in ssh-agent.
You don't need to export your mtn key and manually add it to ssh-agent
as, explained in the manual and on that page, mtn will automatically
add your key to ssh-agent when it is first used. Here's an example:

$ ssh-agent /bin/bash
$ mtn ci
Enter passphrase:
Revision XXXX committed
$ #edit some files
$ mtn ci
Revision XXXX committed

In this case mtn will ask for your passphrase and add the key to
ssh-agent automatically so that you don't have to enter the passphrase
again later. Compare to:

$ ssh-agent /bin/bash
$ ssh-add /path/to/mtn.key
Enter passphrase:
Key XXXX added
$ mtn ci
Revision XXXX committed

In this case you manually add your mtn key to ssh-agent and ssh-add
asks for your passphrase. Either way you do this you have to enter
your passphrase only once so, unless you have a special use-case for
using ssh-add manually you need not worry about having your key exported
for ssh and let mtn add it to ssh-agent automatically.

(I personally have my key exported and automatically added to my agent
with SSHKeychain on Mac OS X.)


> > - Is it always the same key ? Is it random or computed from my monotone
> > key ?

It looks like yes, it is always the same key.

Yes, of course. mtn uses your mtn key to do signing. It will never
touch any other keys in your agent (except to list them).


> > - Can i create a SSH key for monotone only so i would be able to
> > statically import it in my keyring ? Can i associate my monotone key
> > with my main SSH key ?

The wiki says yes but it's not very handy to do so.

I'm not sure what you mean by associating keys. mtn needs to use the
key you generate with mtn, at least for now. There is currently no
support for importing external rsa keys into mtn. If you wanted to use
your mtn key for sshing you could export it and use its public part to
authorize connections but it's generally seen as a good thing to have
separate keys for these things.

(You can always use a "keychain/agent" type of program that has a
master password that then unlocks the passwords for individual keys
for you.)


> > - How can i see the link between SSH keys and monotone keys ?


If you let mtn add your key to ssh-agent it should be obvious which is
the mtn key as it will have your "id" as the comment. ssh-agent by
default uses the path to the key file.

> > - What about using SSH keys for monotone and dropping its custom key
> > format ?

I really like to talk about this. I understand that monotone has its own
key format, but the recent ssh-agent integration makes a lot of sense.
What about totally relying on ssh key format ? I am a bit lost with
having two keys for the same ID.

You don't have 2 keys. It's one key. If you export it then you have it
in 2 *formats*, but it's only one key. For now, monotone is keeping
its own internal format for its own keystore because I didn't want to
touch that part of the code. ;-) Actually, if you look closely at the
exported key, it doesn't use the same standard format that ssh-keygen
exports as. It is readable by ssh-agent but in a different format.

It would make some sense to migrate mtn to use the same format in its
own keystore.



New question:

If i want to change the password of my monotone key, does it also change
the ssh key password ?


You mean if you export your mtn key as an ssh key will changing the
password change both? No. A password is not really tied to a key, it's
tied to the exported format of the key. If you change your passphrase
for your mtn key with mtn then you would need to re-export it to have
the ssh-agent readable key also have the same password. Note that the
exporting process asks for a new password. It's perfectly fine to have
your mtn key in mtn and your exported key have different passphrases.

To think of it another way, if you copied an ssh key to a new file and
changed the password on the original file, the copy would still have
the old password.

--
Justin Patrin
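The listing step described above (mtn asks the agent for its identities and looks for the one whose comment is the mtn key id) only ever handles public data. The following added Python example of the agent protocol framing illustrates that; it is not monotone's code, and the key id, file path and moduli are constructed.

```python
import struct

# Message numbers from the OpenSSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

def _string(b):  # SSH 'string': uint32 length prefix, then the bytes
    return struct.pack(">I", len(b)) + b
def _mpint(n):  # SSH 'mpint': big-endian, leading 0x00 when the top bit is set
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def rsa_public_blob(e, n):
    """Public blob as carried in a listing: only e and n, no private components."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)

def build_identities_answer(keys):
    # Encode SSH_AGENT_IDENTITIES_ANSWER for (public_blob, comment) pairs.
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        body += _string(blob) + _string(comment.encode())
    return struct.pack(">I", len(body)) + body

def _read_string(buf, pos):
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    if pos + 4 + n > len(buf):
        raise ValueError("truncated string in agent reply")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def parse_identities_answer(msg):
    """Decode a listing into (public_blob, comment) pairs, checking the framing."""
    (length,) = struct.unpack(">I", msg[:4])
    body = msg[4:4 + length]
    if len(body) != length or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not a well-formed SSH_AGENT_IDENTITIES_ANSWER")
    (count,) = struct.unpack(">I", body[1:5])
    pos, identities = 5, []
    for _ in range(count):
        blob, pos = _read_string(body, pos)
        comment, pos = _read_string(body, pos)
        identities.append((blob, comment.decode()))
    return identities

def find_agent_key(msg, key_id):
    # The mtn key is the entry whose comment equals the mtn key id; None if absent.
    for blob, comment in parse_identities_answer(msg):
        if comment == key_id:
            return blob
    return None

# Constructed sample, toy moduli (not real keys): ssh-add comments with the file path, mtn with its key id.
MTN_KEY_ID = "justin@example.com"
MTN_BLOB = rsa_public_blob(65537, 0xC0FFEE0123456789ABCDEF)
SAMPLE_ANSWER = build_identities_answer([
    (rsa_public_blob(65537, 0xFEEDFACECAFEBABE0F1E2D3C), "/home/justin/.ssh/id_rsa"),
    (MTN_BLOB, MTN_KEY_ID),
])
```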



