Request for review: keychain opt-in mechanism

Alexander Dalloz alex at dalloz.de
Fri Jul 22 18:48:15 UTC 2005


On Fri, 22.07.2005 at 19:12, Chris Grau wrote:

Chris,

thank you very much for taking the time and writing this helpful
feedback message!

> I played around with your opt-in scripts a bit.  They worked quite well
> and were very unobtrusive in an ordinary terminal.  When using Gnome,
> keychain appears to have launched a separate ssh-agent process.  This
> may or may not be a good thing.  It would allow me to use one set of
> keys for my day-to-day tasks and another for cron jobs.  However, I'm
> not sure that's the intention and I'm probably just turning a bug into a
> feature.

There should be only 1 ssh-agent process per user: if an ssh-agent is
already running, keychain will only add keys to that one based on its
call; if none is running for the user, keychain starts an ssh-agent. That
is at least what the documentation says and how I observe it here on my
workstation.

I got another reply: Ralf Corsepius wrote to me personally and said that
if keychain.sh were stripped down to pure "sh" (Bourne shell) syntax,
the script could be made simple by omitting the distinction between
bash, zsh, sh and ksh. That is true, and removing the "case" selection in
the keychain.csh script would be possible too. If the focus should be on
having the easiest script solution, then I will follow that suggestion.
My script proposals distinguish between shells by using "case" in order
to stay close to the keychain(1) manpage. I am open to votes.

> In keychain.sh:
>   - The introductory comment refers to the script as keychain.csh.

Corrected. A copy mistake.

>   - You quote the arguments to keychain on line 15.  This means that if
>     I set KCHOPTS="--nogui --quiet" in ~/.keychainrc, keychain is passed
>     the single argument "--nogui --quiet" and doesn't know what to do
>     with it.  The same is true for SSHKEYS and GPGKEYS.

Doh! That is of course a bad mistake - corrected as well.

>   - You use both "source" and "." to source files.  I don't know if this
>     was deliberate or not.  I don't know if sh/bash/etc. differ in their
>     support.

I am not the shell god I would have to be to answer that question
without any doubt either. At least I would say that "." is more basic,
so that the Bourne Shell (sh) knows it, while "source" is what the
Bourne-again Shell (bash) offers. Bash is capable of the "." syntax,
though. To be frank, I followed the examples "man 1 keychain" contains
for the different shells.

> It's been a while since I've coded with csh, but the script looks
> correct.  It worked in the tests I ran with csh.

Fine.

> In the readme file, at one point you spell Fedora as Fedore.  Other than
> that, I didn't notice any errors and it was very informative about how I
> should use your scripts.  Made testing easy.

Corrected that typo. You had a close reading, thanks :)

> I noticed that, if I skip entering pass phrases for the ssh keys,
> keychain gives up and doesn't prompt for gpg pass phrases.  That's a
> keychain issue, though, rather than a problem with your scripts.

I have no gpg-agent (gnupg2) on my old FC2. If I abort one SSH key I am
still asked for password entry for another one. I would expect that
behaviour too for GPG keys. After testing my own later I am willing to
mail the keychain author.

> That's all I have for now.  I hope it's helpful.  I think keychain is a
> wonderful program.  It has replaced my own script for doing more or less
> the same thing.  I'm glad you're packaging it for Extras.

Absolutely helpful. And I am glad that once keychain is in Extras it has
a fan :)

> -chris

My invitation still stands, especially for Chip Turner to comment on my
scripting style, and for Paul Howarth too, on whether things are simple
enough now - with respect to what Ralf answered me about simplifying the
profile scripts by not distinguishing between shell types inside
keychain.{sh,csh}. Bourne Shell types and C Shell types must be
distinguished anyway. Ville Skyttä may have good advice too.

Alexander


-- 
 
1024D/866ED681 2005-07-11 Alexander Dalloz (Fedora Project) <alex at dalloz.de>
Key fingerprint = CD40 0A91 7814 C1E4 5940  8E0E 1FD5 C316 866E D681
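
The quoting problem Chris describes for line 15 of keychain.sh, shown as
an added example (not part of the original message or of the scripts
under review). count_args is a hypothetical stand-in for keychain, and
the KCHOPTS value is the one quoted in the thread.

```shell
#!/bin/sh
# Constructed value, as a user might set it in ~/.keychainrc
# (both options are the ones quoted in the thread).
KCHOPTS="--nogui --quiet"

# Hypothetical stand-in for keychain: reports how many arguments it got.
count_args() {
    echo "$#"
}

# Quoted expansion: the whole string arrives as ONE argument,
# which is the behaviour reported in the review.
pass_quoted() {
    count_args "$1"
}

# Unquoted expansion: the shell splits on IFS, one argument per option.
# Splitting is wanted here, but unquoted expansion also performs pathname
# expansion, so a "*" in the rc file would be replaced by file names.
pass_split_unguarded() {
    count_args $1
}

# Same splitting with globbing switched off in a subshell, so only the
# whitespace splitting takes place and the caller's settings are untouched.
pass_split() {
    ( set -f; count_args $1 )
}

echo "quoted:   $(pass_quoted "$KCHOPTS") argument(s)"
echo "unquoted: $(pass_split "$KCHOPTS") argument(s)"
```

The same reasoning applies to SSHKEYS and GPGKEYS, which the review
names as having the same quoting problem.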
