Re: Entering a passphrase interactively in a runit script

From: Jan Pobrislo <ccx_at_webprojekty.cz>
Date: Thu, 26 May 2016 12:14:28 +0200

On Wed, 25 May 2016 12:50:50 +0200
Christophe-Marie Duquesne <chmd_at_chmd.fr> wrote:

> Hi,
>
> I am trying to write a runit script that would require a passphrase
> when starting. This passphrase must not exist in clear on the
> filesystem, and it would require user interaction.

You can use the various implementations of ssh-askpass or gnupg's
pinentry. You will need to maintain a TTY (perhaps in tmux) or X11
instance for that to work. Still, as others pointed out, non-restartable
services are peculiar.

> I tried to have runit read the passphrase into the environment of the
> script:
>
> read -s PASSPHRASE
> exec prog # reads PASSPHRASE from the environment

That does not store the passphrase in the environment. That stores it in
a shell variable (the specification calls it a parameter). You need to add:

export PASSPHRASE

for it to get "exported" to the process environment. But be aware that
the environment is generally freely readable by any other process and
thus it's pretty useless for secret passphrases.

A better approach might be to give your service a command to call to
obtain the passphrase, which then may be implemented in a variety of ways.
One such way is http://www.passwordstore.org/ which stores passphrases
in gnupg-encrypted files and you would be able to grant access to it to
the service via gpg-agent.
Received on Thu May 26 2016 - 10:14:28 UTC
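
The distinction drawn in the reply above, as an added example that is not part of the original message: it compares what a child process sees when the passphrase is a plain shell variable, when it is exported, and when it is fetched by a helper command and handed over on stdin. The names get_passphrase, SAMPLE_SECRET, child_view and the case_* functions are hypothetical, and a program that reads its passphrase from stdin is an assumption.

```shell
#!/bin/sh
# Added illustration; not code from the original thread.
# Constructed sample value, not a real secret.
SAMPLE_SECRET='correct horse battery staple'

# Hypothetical stand-in for "a command to call to obtain the passphrase"
# (in practice, e.g., a password-store lookup backed by gpg-agent).
get_passphrase() {
    printf '%s\n' "$SAMPLE_SECRET"
}

# Report what a freshly started child process finds in its environment.
child_view() {
    sh -c 'printf "%s" "${PASSPHRASE-<unset>}"'
}

# Case 1: plain shell variable, which is all `read PASSPHRASE` creates.
case_unexported() (
    unset PASSPHRASE
    PASSPHRASE=$(get_passphrase)
    child_view
)

# Case 2: exported, so child processes inherit it in their environment.
case_exported() (
    PASSPHRASE=$(get_passphrase)
    export PASSPHRASE
    child_view
)

# Case 3: hand the secret over on stdin; the child's environment stays clean.
# The child prints its PASSPHRASE view and only the length of what it read.
case_stdin() (
    unset PASSPHRASE
    get_passphrase | sh -c 'IFS= read -r secret
        printf "%s|%s" "${PASSPHRASE-<unset>}" "${#secret}"'
)

printf 'unexported: %s\n' "$(case_unexported)"
printf 'exported:   %s\n' "$(case_exported)"
printf 'stdin:      %s\n' "$(case_stdin)"
```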
