Wednesday, April 1, 2015

SSH Passphrase Chaos

Surprise, We Moved your Cheese!

Recently I stumbled onto another Easter Egg left by the K/Ubuntu team. I was trying to connect to my webserver as usual, and instead of asking me for my SSH passphrase, a strange GUI dialog I have never seen before appeared:

Passphrase GUI

I have a really long, randomly-generated passphrase that I store in KWallet. As the result of a different bug, I typically add it to the ssh-agent that runs at login by manually running a script.

The first couple of times this new dialog appeared I looked up my passphrase in KWallet, pasted it into the window, and moved on with what I was doing. Looking it up was a pain and running my script that adds the key to the agent did not change anything in regards to this dialog appearing, or not.

Confused, I looked in my KWallet. The passphrase was still there. As I often do, when in doubt, I deleted it. I tried logging into my server again. When this strange app asked, I put in my passphrase and clicked the “Remember when I login” option. I was hoping it would add my passphrase back to KWallet and things would be good again.

Things Get Really Weird

Typically, when you add your passphrase to ksshaskpass and tell it to remember it, you are asked to unlock your KWallet the first time you use your key. But now I was not getting asked for my KWallet password or my key’s passphrase. I have no idea where my passphrase was stored! I revoked ksshaskpass’s permission to KWallet, so I definitely know it is not there, or at least that ksshaskpass is not the program with the dialog (it’s been years since I last saw ksshaskpass’s dialog, so I do not exactly remember what it looked like – similar though).

A few days later, I noticed the same thing happened on my laptop. Since I had added my passphrase to the mystery application on my workstation, it had become a lot harder to figure out what was going on. Now the dialog was not appearing and I had limited options to figure out the issue.

With the same issue occurring on my laptop, I was now granted the opportunity to get to the bottom of things. This time I ran the system monitor to determine what app was running. I closed the dialog and tried logging into my server while watching the system monitor. This time, when the dialog appeared, I saw an application called gcr-prompter appear.

Something with prompt in the name told me I was likely on the right track. On the command line, I ran

$ locate gcr-prompter

I found that it is at /usr/lib/gcr/gcr-prompter. Next I ran

$ dpkg -S /usr/lib/gcr/gcr-prompter

I found out that it comes from the package gcr. dpkg -S is one of my favourite features of Debian/apt!

After searching for gcr-prompter, I found out that “gcr” is the “GNOME crypto services”. I do not know where this package came from or why it was on my machine. Both of my machines have now been messed up by it, but I do not run GNOME on either of them.

When I searched for which packages depend on it, it was clear that it is in the task kubuntu-desktop. So, it appears this is standard in Kubuntu. I wish there was some communication on these things. It would be nice if, when you upgraded, they would warn you that behaviours or packages xyz have changed. It is so frustrating to have such random things sprung on you with each upgrade.

I searched online and nothing reveals any sort of policy change. Even when seeking out this information, you cannot find it. It is very aggravating and I am getting toward my wits’ end with these breakages. I am tired of things randomly changing and having to spend hours fixing things when I am trying to get work done.

At this point I decided to just uninstall the gcr application:

$ sudo aptitude purge gcr
$ sudo apt-get autoremove

Based on this Q&A I found out where it hides its data.

As a result, I ran:

$ rm -rf .local/share/keyrings

Then I was able to run my script ~/bin/askpass.sh, re-add my passphrase to ksshaskpass and select the option to store it in KWallet.

Correct SSH Dialog

Everything back to normal… for now.
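
The manual hunt described above (watch the process list while the dialog is open, then ask dpkg which package owns the binary) can be scripted so an unexpected credential prompt is traced to its package in one step. This is an added example, not part of the original post; the function names and the name heuristic (`askpass` or `prompt` in the command name) are assumptions, and the `ps` sample is constructed.

```shell
#!/bin/sh
# Added example: trace a passphrase prompt back to the package that shipped it.

# Read "PID COMMAND" lines on stdin and print those whose command name looks
# like a credential prompt. The name heuristic is an assumption of this example.
find_prompters() {
    awk 'tolower($2) ~ /askpass|prompt/ { print $1, $2 }'
}

# Print the Debian package that owns a file, or "unknown" when dpkg has no
# record of the path (or dpkg is not installed).
owning_package() {
    pkg=$(dpkg -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    echo "${pkg:-unknown}"
}

# For every prompt-like process running now, report pid, name, binary path
# and owning package. Run this while the dialog is still on screen.
report_prompters() {
    ps -eo pid=,comm= | find_prompters | while read -r pid name; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe=""
        [ -n "$exe" ] || { echo "$pid $name (binary not readable)"; continue; }
        echo "$pid $name $exe package=$(owning_package "$exe")"
    done
}

# Constructed sample of `ps -eo pid=,comm=` output, so the filter can be
# tried without a live dialog.
SAMPLE_PS=' 1201 kwalletd
 2417 ssh
 2418 gcr-prompter
 3050 bash'

if [ "${1:-}" = "--live" ]; then
    report_prompters
else
    printf '%s\n' "$SAMPLE_PS" | find_prompters
fi
```

Run it with `--live` while the dialog is open; without arguments it only filters the constructed sample.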
