Keychain workaround #4583

Closed
Vintodrimmer opened this Issue Dec 10, 2017 · 14 comments

Vintodrimmer commented Dec 10, 2017

➤  fish --version
fish, version 2.7.0
➤ uname -a
Linux chrysalis 4.14.4-chrysalis #2 SMP PREEMPT Fri Dec 8 19:23:34 CET 2017 x86_64 GNU/Linux
➤ echo $TERM
st-256color

I'm trying to run

eval `keychain --eval --agents ssh github`

but get the following error:

fish: Unknown command '`keychain'
- (line 1):
begin; `keychain --eval --agents ssh github`
       ^
from sourcing file -
        called on line 60 of file /usr/share/fish/functions/eval.fish

in function “eval”
        called on standard input

If I try to run it as follows: eval (keychain --eval --agents ssh github), I get the following errors:

 * keychain 2.8.4 ~ http://www.funtoo.org
 * Found existing ssh-agent: 9119
 * Known ssh key: /home/eichhorn/.ssh/github

- (line 1): Unsupported use of '='. In fish, please use 'set SSH_AUTH_SOCK /tmp/ssh-BSemsj3nLWGP/agent.9118'.
begin; SSH_AUTH_SOCK=/tmp/ssh-BSemsj3nLWGP/agent.9118; export SSH_AUTH_SOCK; SSH_AGENT_PID=9119; export SSH_AGENT_PID;
       ^
from sourcing file -
        called on line 60 of file /usr/share/fish/functions/eval.fish

in function “eval”
        called on standard input

- (line 1): Unsupported use of '='. In fish, please use 'set SSH_AGENT_PID 9119'.
begin; SSH_AUTH_SOCK=/tmp/ssh-BSemsj3nLWGP/agent.9118; export SSH_AUTH_SOCK; SSH_AGENT_PID=9119; export SSH_AGENT_PID;
                                                                             ^
from sourcing file -
        called on line 60 of file /usr/share/fish/functions/eval.fish

in function “eval”
        called on standard input

I understand that fish is not POSIX compatible and it's probably not going to work directly.

My workaround right now is to launch dash, run the command there and then launch fish from the dash. That way everything works as it should, but it's rather inconvenient.

What would be a better way of doing that?

I tried doing it with a script:

#!/bin/sh
KEY=$1

eval `keychain --eval --agents ssh ${KEY}`

but there is no effect as I still get the "Permission denied error".

@zanchey zanchey added the question label Dec 10, 2017

zanchey commented Dec 10, 2017

keychain determines what kind of output to produce based on your $SHELL environment variable, which is set (usually) by your login process.

One method would be to put begin; set -lx SHELL $__fish_bin_dir/fish ; eval (keychain --eval --agents ssh github); end in your .config/fish/config.fish.

However, a preferred method is to start keychain in your login or interactive shells only, and then to source the files it produces:

if status --is-interactive
    keychain --quiet --agents ssh github
end

begin
    set -l HOSTNAME (hostname)
    if test -f ~/.keychain/$HOSTNAME-fish
        source ~/.keychain/$HOSTNAME-fish
    end
end

Vintodrimmer commented Dec 10, 2017

keychain determines what kind of output to produce based on your $SHELL

Didn't know that, thank you!

Your second solution works, but requires me to activate keychain and insert the password when I launch terminal with fish, which is not the best way for me, especially if I need just one key from many.

So I ended up with the following function:

➤ function kchain
      export SHELL=fish
      eval (keychain --eval --agents ssh $argv)
      export SHELL=dash
  end

One small question, is there a way to pass a number of arguments? As $1 $2 and so on in bash?
That way I can also specify SSH or GPG.

zanchey commented Dec 10, 2017

You can slice $argv, which is a list:

function foo
   echo First argument $argv[1]
   echo Second argument $argv[2]
   echo And the rest $argv[2..-1]
   echo All arguments backwards $argv[-1..1]
end
foo (seq 1 6)
First argument 1
Second argument 2
And the rest 2 3 4 5 6
All arguments backwards 6 5 4 3 2 1

Vintodrimmer commented Dec 10, 2017

Thanks!

gour commented Feb 18, 2018

@Vintodrimmer Hello, can you please share the whole snippet required to have working keychain with ssh,gpg agents under fish shell?

Vintodrimmer commented Feb 18, 2018

@gour Good evening! I use the version posted above, since my only use for GPG right now is "pass".

If you want both gpg and ssh, I'd suggest something like this:

➤ cat ~/.config/fish/functions/kchain.fish
function kchain
        export SHELL=fish
        eval (keychain --$argv[3] --eval --agents $argv[1] $argv[2])
        export SHELL=dash
end

You need $argv[3] for the GPGv2 support, as the keychain defaults to the GPGv1.

Now if you want to use GPGv2 key "arst" you would go kchain gpg arst gpg2, for GPGv1 you would go kchain gpg arst and for SSH kchain ssh arst.

If you use exclusively GPGv1 or GPGv2, you can just hardcode it into the snippet and remove the 3rd argument.

gour commented Feb 18, 2018

If you want both gpg and ssh, I'd suggest something like this:

How/when do you invoke kchain.fish function?

I'd expect to run it after login...

You need $argv[3] for the GPGv2 support, as the keychain defaults to the GPGv1.

I see that keychain now has --gpg2 parameter...

If you use exclusively GPGv1 or GPGv2, you can just hardcode it into the snippet and remove the 3rd argument.

I believe there is no need for GPGv1 here any longer, so I can hardcode GPGv2 usage...

Vintodrimmer commented Feb 18, 2018

@gour I actually run it from the console when/if I need some particular key. I'm too lazy to enter all the passwords for every key at login.

But there are options for that. I think the second post should do that.

zanchey commented Feb 19, 2018

I use something along the lines of this in my .config/fish/config.fish:

if status is-login
    keychain --clear --quiet
end

if test -f ~/.keychain/(hostname)-gpg-fish
    source ~/.keychain/(hostname)-gpg-fish
end

if test -f ~/.keychain/(hostname)-fish
    source ~/.keychain/(hostname)-fish
end

gour commented Feb 19, 2018

What do you think about submitting some more info to the keychain in order to have a complete example for fish shell, since it seems that the current snippet:

For the fish shell, use the following format:

        if status --is-interactive
            keychain --eval --quiet -Q id_rsa | source
        end

is both incomplete (no gpg(2) agent), as well as incorrect?

zanchey commented Feb 20, 2018

It's not incorrect, but I'll submit them a patch to match the other examples.

zanchey commented Feb 20, 2018

gour commented Mar 5, 2018

@zanchey that does not work for me & gpg2:

$  keychain id_rsa  0123ABCD

 * keychain 2.8.5 ~ http://www.funtoo.org
 * Found existing ssh-agent: 1686
 * Warning: can't find 0123ABCD; skipping
 * Known ssh key: /home/gour/.ssh/id_rsa

Any hint?

zanchey commented Mar 9, 2018

You might have to explicitly specify the use of the GPG agent. The following works for me:

keychain --agents ssh,gpg id_rsa 0xFCA50E480C273BBA
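
The pieces discussed in this thread, combined into one on-demand function. This is an added example, not code posted by any participant: it reuses the `kchain` name from above, while the argument layout (agents first, then keys), the `0xKEYID` placeholder and the final socket check are assumptions of this sketch.

```fish
# Added example (not from the thread). Argument layout and the socket
# check are assumptions of this sketch.
function kchain --description 'Load keys into keychain-managed agents on demand'
    # Usage: kchain AGENTS KEY...
    #   kchain ssh github
    #   kchain ssh,gpg id_rsa 0xKEYID
    if test (count $argv) -lt 2
        echo "usage: kchain AGENTS KEY..." >&2
        return 1
    end
    set -l agents $argv[1]
    set -l keys $argv[2..-1]

    # keychain chooses its output syntax from $SHELL. -l keeps the override
    # inside this function and -x exports it to the keychain child process,
    # so the caller's SHELL is untouched and nothing has to be restored.
    set -lx SHELL $__fish_bin_dir/fish

    # Capture the output first so that a non-zero exit from keychain
    # stops here instead of being passed to eval.
    set -l out (keychain --eval --quiet --agents $agents $keys)
    or return 1
    eval $out

    # If an ssh agent was requested, confirm that the variable keychain
    # set points at an existing socket before relying on it.
    if string match -q '*ssh*' -- $agents
        if not test -S "$SSH_AUTH_SOCK"
            echo "kchain: SSH_AUTH_SOCK is not a socket: $SSH_AUTH_SOCK" >&2
            return 1
        end
    end
end
```

Because `SHELL` is scoped with `set -lx`, the function does not need to know which shell to switch back to afterwards.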