#187: [Tools] Add experimental pinentry application (#250)

This adds a pinentry application. Requirements: [ ] File `~/.pamusb/.pinentry.env` containing the following: [ ] PINENTRY_PASSWORD=yourGpgKeyPassword [ ] PINENTRY_FALLBACK_APP=/path/to/fallback/pinentry (eg /usr/bin/pinentry-gnome3 or whatever you're using right now) [ ] Configure GPG to use this application by setting it in ~/.gnupg/gpg-agent.conf. To do so add pinentry-program /path/to/pamusb-pinentry
mcdope · Aug 30, 2024 · 8ffa54b · 8ffa54b
1 parent ac03227
commit 8ffa54b
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 5 deletions.
diff --git a/AUTHORS b/AUTHORS
@@ -5,6 +5,7 @@ Ben Ferreri <49877943+benferreri@users.noreply.github.com>
 Chris Dituri <csdituri@gmail.com>
 Contarino Rosario <contarino.rosario@gmail.com>
 Dane Finlay <Danesprite@gmail.com>
+Dhruva Sambrani <dhruvasambrani19@gmail.com>
 Francisco Javier Tsao Santín <tsao@gpul.org>
 Gabriel Owczarski <gabriel@asus.(none)>
 Georg Hopp <georg@steffers.org>

diff --git a/Makefile b/Makefile
@@ -66,6 +66,7 @@ PAMUSB_CHECK := pamusb-check
 PAMUSB_CONF := pamusb-conf
 PAMUSB_AGENT := pamusb-agent
 PAMUSB_KEYRING_GNOME := pamusb-keyring-unlock-gnome
+PAMUSB_PINENTRY := pamusb-pinentry
 TOOLS_DEST := $(DESTDIR)$(PREFIX)/bin
 TOOLS_SRC := tools
 
@@ -145,7 +146,7 @@ install: all
 		$(PAM_USB_DEST)
 
 	$(INSTALL) -m755 $(PAM_USB) $(PAM_USB_DEST)
-	$(INSTALL) -m755 $(PAMUSB_CHECK) $(TOOLS_SRC)/$(PAMUSB_CONF) $(TOOLS_SRC)/$(PAMUSB_AGENT) $(TOOLS_SRC)/$(PAMUSB_KEYRING_GNOME) $(TOOLS_DEST)
+	$(INSTALL) -m755 $(PAMUSB_CHECK) $(TOOLS_SRC)/$(PAMUSB_CONF) $(TOOLS_SRC)/$(PAMUSB_AGENT) $(TOOLS_SRC)/$(PAMUSB_KEYRING_GNOME) $(TOOLS_SRC)/$(PAMUSB_PINENTRY) $(TOOLS_DEST)
 	$(INSTALL) -m644 $(DOCS) $(DOCS_DEST)
 	$(INSTALL) -m644 $(MANS) $(MANS_DEST)
 
@@ -156,13 +157,16 @@ install: all
 # force pam-auth-update config install if building a deb
 	if test $(DEB_TARGET_ARCH) != "" > /dev/null 2>&1; then mkdir -p $(PAM_CONF_DEST) && $(INSTALL) -m644 $(PAM_CONF) $(PAM_CONF_DEST)/libpam-usb; fi
 
+	update-alternatives --install /usr/bin/pinentry pinentry $(TOOLS_DEST)/pamusb-pinentry 100 || exit 0
+
 deinstall:
 	$(RM) -f $(PAM_USB_DEST)/$(PAM_USB)
 	$(RM) -f \
 		$(TOOLS_DEST)/$(PAMUSB_CHECK) \
 		$(TOOLS_DEST)/$(PAMUSB_CONF) \
 		$(TOOLS_DEST)/$(PAMUSB_AGENT) \
 		$(TOOLS_DEST)/$(PAMUSB_KEYRING_GNOME) \
+		$(TOOLS_DEST)/$(PAMUSB_PINENTRY) \
 		$(PAM_CONF_DEST)/$(PAM_CONF)
 
 	$(RM) -rf $(DOCS_DEST)

diff --git a/fedora/SPECS/pam_usb.spec b/fedora/SPECS/pam_usb.spec
@@ -43,6 +43,7 @@ rm -rf %{buildroot}/usr/share/pam-configs
 %attr(0755,root,root) /usr/bin/pamusb-check
 %attr(0755,root,root) /usr/bin/pamusb-conf
 %attr(0755,root,root) /usr/bin/pamusb-keyring-unlock-gnome
+%attr(0755,root,root) /usr/bin/pamusb-pinentry
 
 %config(noreplace) %attr(0644,root,root) /etc/security/pam_usb.conf
 

diff --git a/tools/pamusb-keyring-unlock-gnome b/tools/pamusb-keyring-unlock-gnome
@@ -19,15 +19,15 @@
 pamusb-check `whoami` > /dev/null 2>&1 || (logger -p local0.error -t ${0##*/}[$$] pamusb-check failed. && exit 1)
 
 # Check if password file exists, first try $HOME then the auth device
-if [ ! -f ~/.keyring_unlock_password ]; then
+if [ ! -f ~/.pamusb/.keyring_unlock_password ]; then
     logger -p local0.notice -t ${0##*/}[$$] No password file found, exiting.
     exit 0
 fi
 
 # Ensure file has 0600 (if FS supports it)
-PERMISSIONS=`stat -c "%a %n" ~/.keyring_unlock_password | awk '{print $1}'`
+PERMISSIONS=`stat -c "%a %n" ~/.pamusb/.keyring_unlock_password | awk '{print $1}'`
 if [ ! "$PERMISSIONS" = "600" ]; then
-    logger -p local0.error -t ${0##*/}[$$] Bad permissions on ~/.keyring_unlock_password. Please change them to 0600.
+    logger -p local0.error -t ${0##*/}[$$] Bad permissions on ~/.pamusb/.keyring_unlock_password. Please change them to 0600.
     exit 1
 fi
 
@@ -40,7 +40,7 @@ else
 fi
 
 # Read UNLOCK_PASSWORD from $KEYFILE
-. ~/.keyring_unlock_password
+. ~/.pamusb/.keyring_unlock_password
 
 # Perform unlock
 echo -n $UNLOCK_PASSWORD | gnome-keyring-daemon --daemonize --login \

diff --git a/tools/pamusb-pinentry b/tools/pamusb-pinentry
@@ -0,0 +1,38 @@
+#!/usr/bin/env python3
+#
+# Copyright (c) 2024 Dhruva Sambrani <dhruvasambrani19@gmail.com>
+#
+# This file is part of the pam_usb project. pam_usb is free software;
+# you can redistribute it and/or modify it under the terms of the GNU General
+# Public License version 2, as published by the Free Software Foundation.
+#
+# pam_usb is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+# details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program; if not, write to the Free Software Foundation, Inc., 51 Franklin
+# Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+import os
+import subprocess
+import getpass
+from dotenv import load_dotenv
+load_dotenv(os.path.expanduser("~/.pamusb/.pinentry.env"))
+
+pinentryPassword = os.getenv('PINENTRY_PASSWORD')
+fallbackPinentryApp = os.getenv('PINENTRY_FALLBACK_APP')
+
+isAuthenticated = subprocess.run(["pamusb-check", getpass.getuser()], capture_output=True)
+if (isAuthenticated.returncode == 0):
+    print("OK Pleased to meet you")
+    while True:
+        line = input().split()
+        if line[0] == "GETPIN":
+            print("D %s" % pinentryPassword)
+        elif line[0] == "BYE":
+            exit()
+        print("OK")
+else:
+    subprocess.run(fallbackPinentryApp)