Hey!
I am a novice Arch user and I am having problems with the latest gpg distribution when used with systemd and ssh-support. Currently, I am using i3 with lightdm, and I am using systemd to start gpg-agent with ssh support. Specifically, I have the following gpg-agent.service file in my ${HOME}/.config/systemd/user/ directory:
[Unit]
Description=gpg-agent Daemon with SSH Support
[Service]
Type=forking
ExecStart=/usr/bin/gpg-agent --quiet --daemon --enable-ssh-support
Restart=on-success
[Install]
WantedBy=default.target
which is expected to restart when exited properly and/or due to a signal. When I enable and start the service with the systemctl --user prefix, it works as it is supposed to. I have the following gpg-agent.conf file:
default-cache-ttl 600
default-cache-ttl-ssh 3600
max-cache-ttl 7200
max-cache-ttl-ssh 7200
enforce-passphrase-constraints
min-passphrase-len 10
min-passphrase-nonalpha 4
max-passphrase-days 180
pinentry-program /usr/bin/pinentry-curses
and the following excerpt in my .zshrc:
# GPG configuration
# Check for the gpg-agent socket, and set SSH_AUTH_SOCK and GPG_TTY
# environment variables accordingly:
if [[ -S "${HOME}/.gnupg/S.gpg-agent.ssh" ]]; then
    export GPG_TTY=$(tty)
    if [[ ${SSH_AUTH_SOCK} != "${HOME}/.gnupg/S.gpg-agent.ssh" ]]; then
        export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
    fi
fi
The problem is, everything is working properly except for one thing: "When I want to ssh to my server, I get an 'Agent admitted failure to sign using the key' error." I mean, the environment variables seem to be fine when I fire up a zsh session (terminal emulator) and/or everything seems OK when I issue systemctl --user status gpg-agent, but I cannot ssh to my server using my gpg key. However, when I stop the systemd unit and just issue eval $(gpg-agent --quiet --daemon --enable-ssh-support) in a new terminal emulator, ssh works fine. In both of the aforementioned versions, when I issue the gpg --clearsign some_file.txt command, I am asked in the terminal emulator for my password (I suppose in the so-called curses pinentry program).
I thank you in advance for your time, and appreciate any suggestions. Best,
You might need to make a script to start it. Like "/usr/local/bin/gpg-agent-daemon.zsh"
then in that file have:
#!/usr/bin/zsh
gpg-agent --quiet --daemon --enable-ssh-support --write-env-file "${HOME}/.gpg-agent-info"
And do chmod +x
And in your gpg-agent.service file:
[Service]
Type=forking
ExecStart=/usr/local/bin/gpg-agent-daemon.zsh
<...>
And then in $ZDOTDIR/.zprofile
# GPG configuration
# Check for the gpg-agent socket, and set SSH_AUTH_SOCK and GPG_TTY
# environment variables accordingly:
if [[ -S "${HOME}/.gnupg/S.gpg-agent.ssh" ]]; then
    export GPG_TTY=$(tty)
    if [[ ${SSH_AUTH_SOCK} != "${HOME}/.gnupg/S.gpg-agent.ssh" ]]; then
        export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
    fi
    # pick up GPG_AGENT_INFO from the file written by --write-env-file
    if [ -f "${HOME}/.gpg-agent-info" ]; then
        . "${HOME}/.gpg-agent-info"
        export GPG_AGENT_INFO
    fi
fi
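The reply above sources ${HOME}/.gpg-agent-info with `.`, which runs every line of that file as shell. As an added example that is not part of this thread, the following POSIX sh function reads the three agent variables out of such a file without executing it; the `NAME=value; export NAME;` line format is assumed from gpg-agent 2.0's --write-env-file output, and the sample file contents are constructed.

```shell
#!/bin/sh
# Read a gpg-agent --write-env-file output without executing it.
# Only GPG_AGENT_INFO, SSH_AUTH_SOCK and SSH_AGENT_PID are accepted, and
# only when the value is a plain path/pid string, so an unexpected line in
# the file is skipped instead of being run the way '. "$file"' would run it.
load_gpg_agent_info() {
    file=$1
    [ -f "$file" ] || return 1
    status=1
    while IFS= read -r line || [ -n "$line" ]; do
        # drop the trailing "; export NAME;" that gpg-agent appends
        assignment=${line%%;*}
        name=${assignment%%=*}
        value=${assignment#*=}
        case $name in
            GPG_AGENT_INFO|SSH_AUTH_SOCK|SSH_AGENT_PID) ;;
            *) continue ;;   # not one of the agent's variables: ignore
        esac
        case $value in
            *[!A-Za-z0-9_./:-]*|"") continue ;;   # not a plain path/pid
        esac
        export "$name=$value"
        status=0
    done < "$file"
    return $status   # 0 if at least one variable was loaded
}

# Constructed sample (assumed --write-env-file format) plus two lines a
# real agent never writes; both must be ignored, not executed.
demo_gpg_agent_info() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
GPG_AGENT_INFO=/home/user/.gnupg/S.gpg-agent:1234:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/home/user/.gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
SSH_AGENT_PID=1234; export SSH_AGENT_PID;
SOMETHING_ELSE=foo; export SOMETHING_ELSE;
PATH=/tmp/untrusted:$PATH; export PATH;
EOF
    load_gpg_agent_info "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo_gpg_agent_info && echo "loaded SSH_AUTH_SOCK=$SSH_AUTH_SOCK"
```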
Hey Meskarune,
Thanks for your suggestions! But isn't your suggestion the same as mine, except for the --write-env-file switch? According to the manual (on the maintainer's website), that switch is used to save the output of the command to a file. Moreover, in my up-to-date Arch setting, that switch does NOT do anything. I cannot find the switch in man gpg-agent, either. Is it deprecated?