newsboat: Failure to Authenticate using the oldreader-passwordeval option

newsboat 2.14.1 - https://newsboat.org/ Copyright © 2006-2015 Andreas Krennmair Copyright © 2015-2019 Alexander Batischev Copyright © 2006-2017 Newsbeuter contributors Copyright © 2017-2019 Newsboat contributors

Newsboat is free software licensed under the MIT License. (Type `newsboat -vv’ to see the full text.) It bundles JSON for Modern C++ library, licensed under the MIT License: https://github.com/nlohmann/json It bundles an alphanum algorithm implementation licensed under the MIT license: http://www.davekoelle.com/alphanum.html newsboat 2.14.1 System: Linux 4.20.11-1-MANJARO (x86_64) Compiler: g++ 8.2.1 20181127 ncurses: ncurses 6.1.20180127 (compiled with 6.1) libcurl: libcurl/7.64.0 OpenSSL/1.1.1a zlib/1.2.11 libidn2/2.1.1 libpsl/0.20.2 (+libidn2/2.1.1) libssh2/1.8.0 nghttp2/1.36.0 (compiled with 7.64.0) SQLite: 3.27.1 (compiled with 3.26.0) libxml2: compiled with 2.9.9

Steps to reproduce the issue:

Use gpg to encrypt the password in the file oldreader.pw.gpg
Use the option oldreader-passwordeval "gpg -d ~/.config/newsboat/oldreader.pw.gpg" in the config file.
Run Newsboat and receive the message:

Loading URLs from The Old Reader…Authentication failed.

Other info:

When I review the log, I see this:

[2019-02-24 21:25:51] DEBUG: OldReaderApi::authenticate: Auth = newsboat.log

This suggests to me a regression in how authentication with the Old Reader API is handled. The fix has been to use oldreader-password in my conf file again. This is unfortunate as I was trying to avoid having my password in plain text.

About this issue

Original URL
State: closed
Created 5 years ago
Comments: 16 (7 by maintainers)

Commits related to this issue

Let user interact with get_command_output() get_command_output() used to be implemented in terms of popen(), which connects *either* command's stdin or stdout to Newsboat. Our new implementation conn... — committed to newsboat/newsboat by Minoru 5 years ago

Most upvoted comments

I think @Knusper’s issue was caused by the Snap strict confinement configuration. Due to our use of strict confinement, the Newsboat application is not allowed to start executables on the host system (except for a few whitelisted executables like xdg-open and maybe echo).

We already know this is an issue when configuring a browser (FAQ entry) but that does not mention the other places where this limitation can occur (like the ...-passwordeval options).

Somewhat related (explaining why we use strict confinement)

dennisschagt on Dec 29, 2021

Sorry, I already deinstalled the snap and installed it via apt on debian oldatable. The snap was the latest version - in debian oldatable I have 2.13 - but it works fine now.

On Sat, Dec 25, 2021, 14:15 Alexander Batischev @.***> wrote:

@Knusper https://github.com/Knusper, what Newsboat version are you running exactly? Just to make sure we’re on the same page?

Can you run newsboat --log-level=6 --log-file=newsboat.log, grep the log for any confidential info like passwords or domain names, and post the log?

— Reply to this email directly, view it on GitHub https://github.com/newsboat/newsboat/issues/455#issuecomment-1001046710, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABD4RFSQQTRYD3QOYRCHBUDUSX3ZVANCNFSM4GZ3EH5A . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

You are receiving this because you were mentioned.Message ID: @.***>

Knusper on Dec 25, 2021

I will clone and compile manually when I have some time off next week.

Had a quick go with the AUR git package but it wouldn’t work—that was just me being lazy though. I need some quality time with git before I can report back properly.

GeorgeHJ on Mar 1, 2019

No, that’s not it.

I was configured to use the pinentry-curses program. It seems that that has started to cause issues as things work fine with the gtk pinentry app. It used to work, but it’s no great hardship to change.

This is starting to all whoosh over my head to be honest. Here’s what I think may have happened:

Having decrypted the file manually, Newsboat was able to eval the password.
Without prior decryption, I was no longer able to access pintentry-curses program through Newsboat. When pinentry-curses failed, so did Newsboat’s attempt to authenticate.

GeorgeHJ on Feb 25, 2019

Thanks for catching that rookie error.

I have a working fix in place. I think it is down to gnupg configuration. Something seems to have changed recently.

I remedied the issue by appending 2>/dev/null. Seems that there has been a change to I/O that broke my previous config. gpg is transmitting credentials to stderr which seems to have been the cause of my problems judging by the fix.

It works now, and I changed my password.

GeorgeHJ on Feb 25, 2019

Sorry, I couldn’t reproduce this. I encrypted my password like this:

$ echo 'password' | gpg -e > oldreader.pw.gpg

(had to enter the recipient name and press Enter to enter an empty line). Then I used a config with this option:

oldreader-passwordeval "gpg -d ~/src/newsboat/oldreader.pw.gpg"

And it worked fine.

I have two suggestions:

double-check that gpg -d does print out the password you want;
replace GPG invocation with echo YOUR_PASSWORD to check if it’s Newsboat’s fault or GPG’s. If it still fails, there is something wrong with Newsboat; if it works, there is something wrong with GPG or how it is invoked.

I also redacted your email and password out of the log you provided. Please be more careful with your credentials. (And no, Newsboat can’t strip your password from the log because it is in a commented line).

Minoru on Feb 25, 2019