Can you use pass as/with system keyring?

Maximilian Winkler mbw at mailbox.org
Sun Oct 15 08:26:34 UTC 2023


Hi again,

thanks for all the replies, this was more helpful input than I expected!
For whoever may be interested, here's what happened.

I gave all of the options a look and decided to go with the approach Matt suggested,
since it is simple and the inter-component dependencies are easy enough for me to understand.

I have seen that both of the secret-service integrations are not very actively maintained (that is not to say that they
may not work perfectly, of course), and a short sanity check found that there are open IntelliJ bugs about people using
this getting timeouts.

Then there's the problem of how/when to cache the gpg key with gpg-agent. I tried https://github.com/cruegge/pam-gnupg,
but could not get it to work after following the instructions, and it does not seem to be actively maintained either
(multiple issues about the same problem). Having the same password for the gpg key and the user is also problematic,
since the one for the gpg key is pretty long and would need to be typed for every sudo invocation.

Another problem is of course using my user's gpg key as root; gpg-agent stores those on a per-session basis so I would
need to enter the gpg key's password at least once as root, even if it's already cached for my normal user.

Thus I kept it simple: I postponed starting wpa_supplicant until after login and now call a `go-online` script manually
once, which writes the wpa_supplicant config to a temporary file and deletes it after it is no longer needed:

#!/usr/bin/env bash
# Abort on the first failing command so the service is never started with a missing config.
set -euo pipefail

INTERFACE="wlp0s20f3"
CONF_FILE="wpa_supplicant-$INTERFACE.conf"
CONF_DIR="/etc/wpa_supplicant"
SERVICE="wpa_supplicant@$INTERFACE.service"

# The decrypted config must never be group- or world-readable, not even for a moment.
umask 077

function cleanup() {
    # Remove the staging copy (left behind if pass or mv failed) and the installed copy.
    rm -f "$CONF_FILE"
    sudo rm -f "$CONF_DIR/$CONF_FILE"
}
trap cleanup EXIT INT TERM

if [[ $UID -eq 0 ]]; then
    echo "This must be run as normal user!" >&2
    exit 1
fi

# pass decrypts as the normal user (whose gpg-agent holds the key); the file is then handed to root.
pass show WiFi/wpa_supplicant > "$CONF_FILE"
sudo mv "$CONF_FILE" "$CONF_DIR/$CONF_FILE"
sudo systemctl start "$SERVICE"
sudo ip link set "$INTERFACE" up
# wpa_supplicant runs as root, so lsof has to run as root as well: an unprivileged lsof
# cannot see root's open file descriptors and would report the file as already unused.
while sudo lsof -t "$CONF_DIR/$CONF_FILE" >/dev/null && inotifywait -q -e CLOSE "$CONF_DIR/$CONF_FILE"; do
    # If the file is still open, wait for it to be closed before deleting it.
    continue
done

This works reasonably well for now, apart from the fact that I have to call it manually and may have to enter up to two
passwords.

Maybe I will still give the secret-service thing a try another time though.


Best Regards,
Max

On Mon, Oct 09, 2023 at 09:31:11AM -0400, Matt Connell wrote:
> On Sun, 2023-10-08 at 14:10 +0200, Maximilian Winkler wrote:
> >     1. Avoid storing plaintext passphrases/keys in wpa_supplicant.conf
> 
> I use pass for some VPN setups wherein I use a wrapper script to, in
> order:
> 
> 1. assemble a configuration file, based on a template, with contents
> retrieved from pass
> 2. start the service
> 3. erase the file
> 
> openforticlient and openvpn both tolerate having their configuration
> file yoinked while running.  I can't speak for wpa_supplicant, and it
> doesn't cover your other use case, but it might be worth a try.
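
The template step of the wrapper Matt describes (assemble a config from a template with values fetched from pass, then install and later erase it) is not shown in the thread, so here is an added example of how it can be done. This is not code from either poster; the `{{pass:NAME}}` placeholder syntax, the `WiFi/home/*` pass entry names and the `wpa_supplicant-wlan0.conf` path are assumptions for illustration. The renderer takes the lookup command as a parameter so it can be exercised with a stand-in for `pass show`; with the real `pass` it is called as `render_template "pass show" < template`.

```shell
#!/usr/bin/env bash
# Render a wpa_supplicant config template, replacing every {{pass:NAME}} with the
# first line of "$lookup NAME" (pass stores the secret on the first line).
# Placeholders are cut out with parameter expansion rather than sed, so a secret
# containing '/', '&' or '\' is inserted verbatim and is never re-scanned for
# placeholders of its own.
render_template() {
    lookup="$1"
    nl='
'
    while IFS= read -r line || [ -n "$line" ]; do
        out=""
        rest="$line"
        while :; do
            case "$rest" in
                *'{{pass:'*'}}'*) ;;
                *) break ;;
            esac
            before="${rest%%\{\{pass:*}"      # text left of the placeholder
            after="${rest#*\{\{pass:}"        # text right of "{{pass:"
            name="${after%%\}\}*}"            # the pass entry name
            rest="${after#*\}\}}"             # remainder, scanned on the next pass
            # A missing entry is a hard error: never emit a config with a blank psk.
            secret="$($lookup "$name")" || return 1
            secret="${secret%%"$nl"*}"        # first line only
            out="$out$before$secret"
        done
        printf '%s\n' "$out$rest"
    done
}

# Render into a private staging file and move it into place owned by root, mode 0600.
# Assumed paths; wpa_supplicant must be (re)started afterwards by the caller.
install_config() {
    template="$1"
    dest="$2"
    umask 077
    staging="$(mktemp)"
    render_template "pass show" < "$template" > "$staging" || { rm -f "$staging"; return 1; }
    sudo install -m 600 -o root -g root "$staging" "$dest"
    rm -f "$staging"
}

# Example (not run automatically):
#   install_config ~/wifi.conf.tmpl /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
```

A template then holds no secret at all and can live in a dotfiles repo, e.g. `psk="{{pass:WiFi/home/psk}}"`; only the rendered file is sensitive, and it exists for as long as the wrapper's erase step allows.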


More information about the Password-Store mailing list