And I didn't test this carefully, my apologies :-( Whether gpg-agent can prompt for the password depends on the pinentry program in use, but for pinentry-curses this also requires passing TERM. Patch modified accordingly.

From: Guilhem Moulin <guilhem@xxxxxxxxxxx>
Subject: [PATCH] Pass GPG_TTY env var to the ssh binary

gpg-agent(1) can emulate the OpenSSH Agent protocol (which provides pubkey-authentication using an authentication-capable OpenPGP key, in addition to the usual identity files). However, for a console-based password prompt (such as pinentry-curses) to work, the ‘GPG_TTY’ environment variable needs to be set to the current TTY.

Using gpg-agent's ssh-agent implementation is currently not possible for SSH remote URIs, because the environment is cleaned before calling the ssh(1) binary. The enclosed patch adds ‘GPG_TTY’ to the list of environment variables passed to the child.

References: http://bugs.debian.org/843863
--- src/rpc/virnetsocket.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c index 325a7c7..8d20074 100644 --- a/src/rpc/virnetsocket.c +++ b/src/rpc/virnetsocket.c @@ -839,6 +839,8 @@ int virNetSocketNewConnectSSH(const char *nodename, virCommandAddEnvPassBlockSUID(cmd, "KRB5CCNAME", NULL); virCommandAddEnvPassBlockSUID(cmd, "SSH_AUTH_SOCK", NULL); virCommandAddEnvPassBlockSUID(cmd, "SSH_ASKPASS", NULL); + virCommandAddEnvPassBlockSUID(cmd, "GPG_TTY", NULL); + virCommandAddEnvPassBlockSUID(cmd, "TERM", NULL); virCommandAddEnvPassBlockSUID(cmd, "DISPLAY", NULL); virCommandAddEnvPassBlockSUID(cmd, "XAUTHORITY", NULL); virCommandClearCaps(cmd);
-- Guilhem.
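Review bot: in the virNetSocketNewConnectSSH hunk of src/rpc/virnetsocket.c, the second added line, `virCommandAddEnvPassBlockSUID(cmd, "TERM", NULL);`, is undocumented: the subject and commit message name only GPG_TTY, and the diffstat still reads "1 insertion(+)" although the hunk adds two lines. The covering note says pinentry-curses also needs TERM, so that reason belongs in the commit message and the subject should mention both variables. Anyone later auditing which variables survive the cleaned environment handed to ssh(1) can then see why each entry is on the list. Please regenerate the patch so the diffstat matches the hunk.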
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list