Avoid pinentry-gtk-2 when using console!
Roger
rogerx at sdf.lonestar.org
Tue Jun 2 22:43:01 CEST 2009
On Tue, 2009-06-02 at 12:31 +0200, Werner Koch wrote:
> On Sun, 31 May 2009 07:49, rogerx at sdf.lonestar.org said:
>
> > if {environmental variable is set to console/gtk/qt3}
> > use the specified pinentry flavor
>
> You can easily implement this with a little pinentry wrapper script and
> using the PINENTRY_USER_DATA envvar which is passed all the way from gpg
> to Pinentry.
Again, it still sounds like a hack (as I could have done this here). It's
the reason for posting this issue to this list (since others have the
same issue on the Internet).
> > I'm guessing, the current solution is to assume the user is a dumb X
> > user. ;-)
>
> Definitely not. Pinentry pops up and grabs the keyboard for good
> reasons: This makes it much harder to preset a faked Pinentry prompt and
> sniff the Passphrase entered by the user. The curses version can't do
> that and thus the default is to use an X window if XDISPLAY is set. If
> you fear faked popup windows you may modify pinentry to show a custom
> image.
Think it's paranoia unless one is on a public network or is being
aggressively sought after all the time. If this is an issue, it sounds
more sensible for the administrator to use a compile time flag
(or .gnupg/option statement or environmental variable) which seeks to
make gpg/pinentry usage stricter.
Of course, then you run into a problem with users having access to their
$HOME/.gnupg option versus an /etc/gnupg file preventing writing for
enabling such a feature. Hence, a compile time option being better.
> I am using gpg-agent for many years now and do almost all my work in
> xterms and Emacs. It does not bother me if Pinentry popups due to
> background jobs every hour or so.
This is what drove me up the wall with Evolution. Granted, it enhances
security if you're always entering the pin, but quickly hinders if a
user rarely uses gpg/pgp.
(Granted, I find X useful and still strongly prefer the console.
Just don't try forcing the X windows down my throat like Windows
does. ;-)
In summary -- from info gathered from this thread -- there is no coded
solution besides hacking the current files with a script that will
permit the user to use the terminal /usr/bin/pinentry
or /usr/bin/pinentry-curses while within X. (Except unsetting the X
display variable, which then would cause all X apps to fail when
starting from the terminal.)
--
Roger
http://rogerx.freeshell.org
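The wrapper-script approach Werner mentions, written out as an added example (not code from this thread or from GnuPG): gpg-agent's pinentry-program option is pointed at this script, which picks the pinentry flavor from PINENTRY_USER_DATA and falls back to curses when DISPLAY is unset. It assumes the real pinentry binaries live in /usr/bin (overridable via PINENTRY_DIR) and that the script is installed under a name containing "pinentry", e.g. /usr/local/bin/pinentry-wrapper.

```shell
#!/bin/sh
# Added example (not from the thread): pinentry wrapper that selects the
# pinentry flavor from PINENTRY_USER_DATA, which gpg passes through
# gpg-agent to pinentry, and falls back to the curses version when no X
# display is set. Point gpg-agent.conf's "pinentry-program" at this file.
# Assumptions: installed under a name containing "pinentry" (e.g.
# /usr/local/bin/pinentry-wrapper); real binaries live in $PINENTRY_DIR.
PINENTRY_DIR=${PINENTRY_DIR:-/usr/bin}

# choose_pinentry HINT DISPLAY -> prints the binary name to run.
# HINT is the PINENTRY_USER_DATA value ("" when unset). An unknown hint
# is rejected rather than guessed, so a typo cannot silently switch the
# program that ends up reading the passphrase.
choose_pinentry() {
    case $1 in
        console|curses|tty) echo pinentry-curses ;;
        gtk|gtk2)           echo pinentry-gtk-2 ;;
        qt|qt3)             echo pinentry-qt ;;
        "")
            # No hint: keep the stock behaviour, X window if a display is set.
            if [ -n "$2" ]; then echo pinentry-gtk-2; else echo pinentry-curses; fi ;;
        *)
            echo "pinentry-wrapper: unknown PINENTRY_USER_DATA '$1'" >&2
            return 1 ;;
    esac
}

# Run the selected pinentry, forwarding every option gpg-agent passed
# (--display, --ttyname, --ttytype, --lc-ctype, ...). If the chosen
# binary is not installed, fall back to the generic pinentry link.
dispatch() {
    bin=$(choose_pinentry "${PINENTRY_USER_DATA:-}" "${DISPLAY:-}") || exit 1
    if [ -x "$PINENTRY_DIR/$bin" ]; then
        exec "$PINENTRY_DIR/$bin" "$@"
    fi
    exec "$PINENTRY_DIR/pinentry" "$@"
}

# Only dispatch when executed under the installed wrapper name, so the
# functions above can be sourced and checked without launching anything.
case ${0##*/} in
    *pinentry*) dispatch "$@" ;;
esac
```

With `PINENTRY_USER_DATA=console gpg ...` in a terminal under X the curses prompt appears in that terminal, while leaving the variable unset keeps the X popup Werner describes.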