Request for review: keychain opt-in mechanism

Chris Grau chris at chrisgrau.com
Fri Jul 22 17:12:12 UTC 2005


On Fri, Jul 22, 2005 at 02:17:34PM +0200, Alexander Dalloz wrote:
> On Wed, 20.07.2005 at 18:46, Alexander Dalloz wrote:
> 
> > http://www.uni-x.org/README.Fedora
> 
> > http://www.uni-x.org/keychain.sh
> > http://www.uni-x.org/keychain.csh
> 
> > My suggestion now should work with bash, sh, csh, tcsh and zsh. With
> > those I tested myself and didn't find a problem. So far I didn't test
> > with ksh (KornShell) available through Core.
> > 
> > Alexander
> 
> Unfortunately nobody replied so far and my access_log only shows one
> single access to keychain.sh. So I have to speak to myself and add this
> small comment:
> I meanwhile installed the FC4 ksh rpm and tested my profile scripting
> with a user whose shell was set to /bin/ksh - it works with that shell
> type too. That generally probably was to be expected, as "KornShell
> [...] is upward compatible with "sh" (the Bourne Shell)." (cite from ksh
> rpm %description). I added "ksh" in the keychain.sh in the case routine
> and inside the README.Fedora document.
> 
> I still encourage everybody with some interest in the keychain package
> and small spare time to review my profile scripting proposal :)
> 
> Thanks for attention.
> 
> Alexander

I played around with your opt-in scripts a bit.  They worked quite well
and were very unobtrusive in an ordinary terminal.  When using Gnome,
keychain appears to have launched a separate ssh-agent process.  This
may or may not be a good thing.  It would allow me to use one set of
keys for my day-to-day tasks and another for cron jobs.  However, I'm
not sure that's the intention and I'm probably just turning a bug into a
feature.

In keychain.sh:
  - The introductory comment refers to the script as keychain.csh.
  - You quote the arguments to keychain on line 15.  This means that if
    I set KCHOPTS="--nogui --quiet" in ~/.keychainrc, keychain is passed
    the single argument "--nogui --quiet" and doesn't know what to do
    with it.  The same is true for SSHKEYS and GPGKEYS.
  - You use both "source" and "." to source files.  I don't know if this
    was deliberate or not.  I don't know if sh/bash/etc. differ in their
    support.

It's been a while since I've coded with csh, but the script looks
correct.  It worked in the tests I ran with csh.

In the readme file, at one point you spell Fedora as Fedore.  Other than
that, I didn't notice any errors and it was very informative about how I
should use your scripts.  Made testing easy.

I noticed that, if I skip entering pass phrases for the ssh keys,
keychain gives up and doesn't prompt for gpg pass phrases.  That's a
keychain issue, though, rather than a problem with your scripts.

That's all I have for now.  I hope it's helpful.  I think keychain is a
wonderful program.  It has replaced my own script for doing more or less
the same thing.  I'm glad you're packaging it for Extras.

-chris
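
The quoting behaviour described in the review above, as an added example that is not part of the original message or of keychain.sh. fake_keychain is a hypothetical stand-in for the keychain program, and the KCHOPTS, SSHKEYS and GPGKEYS values are constructed samples.

```shell
#!/bin/sh
# fake_keychain: hypothetical stub, NOT the real keychain program.
# It prints each argument it receives on its own line, in brackets.
fake_keychain() {
    for arg in "$@"; do
        printf '[%s]\n' "$arg"
    done
}

# Constructed sample values, as a user might set them in ~/.keychainrc.
KCHOPTS="--nogui --quiet"
SSHKEYS="id_rsa id_dsa"
GPGKEYS=""

# Quoted expansion: every variable becomes exactly one argument, even
# when it holds several words or is empty. The program then sees the
# single option "--nogui --quiet", which it cannot parse.
call_quoted() {
    fake_keychain "$KCHOPTS" "$SSHKEYS" "$GPGKEYS"
}

# Unquoted expansion in a subshell with globbing disabled: the shell
# splits each value on whitespace and drops empty variables, while
# set -f keeps * ? [ in a value from being expanded against whatever
# files happen to be in the current directory.
call_split() {
    (
        set -f        # no pathname expansion
        unset IFS     # default splitting on space, tab, newline
        fake_keychain $KCHOPTS $SSHKEYS $GPGKEYS
    )
}

echo "quoted:"; call_quoted
echo "split:";  call_split
```

The subshell keeps set -f and the IFS change from leaking into the login shell that sources the profile script.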
