Hi,
A number of people have had issues with gpg-agent and ssh support over the years; nothing I've found through Google has helped, and I'm hoping I'll get a tip here.
I've been using gpg-agent and ssh together for a couple of years at least under Ubuntu. A month or so ago I switched to Arch and this is one of the few remaining issues I've been unable to resolve. The behavior is, basically, that ssh isn't getting keys from gpg-agent.
Linux sting 4.10.6-1-ARCH #1 SMP PREEMPT Mon Mar 27 08:28:22 CEST 2017 x86_64 GNU/Linux
Name : openssh
Version : 7.4p1-2
Name : gnupg
Version : 2.1.19-1
The behavior I see is:
ssh-add works to add keys. I remove the keys from .gnupg/private-keys-v1.d/ and add them back with ssh-add and the keys show up in .gnupg/private-keys-v1.d/ as expected.
ssh-add -l (and -L) both fail with:
error fetching identities for protocol 2: agent refused operation
The agent has no identities.
ssh host prompts for the key password, indicating a failure to fetch from the agent. -vvv reports
debug1: pubkey_prepare: ssh_fetch_identitylist: agent refused operation
Enabling debugging in gpg-agent (guru) and using
watchgnupg
shows, for all "refused operation" messages:
4 - 2017-04-08 08:35:47 gpg-agent[2668]: ssh handler 0x7f9b5bfff700 for fd 8 started
4 - 2017-04-08 08:35:47 gpg-agent[2668]: ssh request handler for request_identities (11) started
4 - 2017-04-08 08:35:47 gpg-agent[2668]: ssh request handler for request_identities (11) ready
4 - 2017-04-08 08:35:47 gpg-agent[2668]: ssh handler 0x7f9b5bfff700 for fd 8 terminated
I'm pretty stuck and don't know where next to turn. Any suggestions?
Edit: This post didn't help; I did try the TTY suggestion from there a week ago but forgot about it in the meantime. I should have replied to that instead of starting a new thread, though -- mea culpa.
Thanks in advance.
Last edited by serxxx (2017-04-08 12:46:43)
Ok, a different question then: does _anyone_ have this working? ssh with gpg-agent, not with ssh-agent?
Hi, I got it working today, after a few hours of research (during which I saw that post). I am using gpg-agent with a key stored in a yubico stick (like your regular pgp smartcard).
I did not put much thought into it, but I think it would be good to document it somewhere.
1. I exported my ssh public key from my gpg key with
gpg --export-ssh-key KEYIDENT
KEYIDENT is the last 8 hex digits from your Authentication key in gpg --card-status (or gpg --list-keys for that matter)
This is just a preliminary step, but what good are the others, if we don't have this?
2. Then, I followed the guide at https://wiki.archlinux.org/index.php/GnuPG#SSH_agent
That is, add "enable-ssh-support" in "~/.gnupg/gpg-agent.conf", and then add the necessary environment variables, as well as making sure that gpg-agent is started.
I put the following in my .zshrc, but it could also be part of the .profile, I guess:
# Start the gpg-agent if not already running (any gpg-connect-agent call autostarts it)
if ! pgrep -x -u "${USER}" gpg-agent >/dev/null 2>&1; then
    gpg-connect-agent /bye >/dev/null 2>&1
fi
# Set SSH to use gpg-agent instead of ssh-agent: drop ssh-agent's PID and point
# SSH_AUTH_SOCK at gpg-agent's ssh socket, unless gpg-agent's own env script
# already set it for this shell ($$). The path is GnuPG 2.1's default on a
# systemd system; "gpgconf --list-dirs agent-ssh-socket" prints the actual one.
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
    export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
fi
# Set GPG_TTY so pinentry can find the terminal the ssh request came from
export GPG_TTY=$(tty)
# Refresh gpg-agent tty in case user switches into an X session
gpg-connect-agent updatestartuptty /bye >/dev/null
Then I restarted zsh, and it just worked!
If you are not using a smartcard, you will probably have to use ssh-add on your keyfiles as well.
Enjoy! I hope you will get it working!
Last edited by MayeulC (2017-05-17 20:11:28)
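The two steps in the post above (enable-ssh-support in gpg-agent.conf, then the environment setup and a check that ssh-add can talk to the agent), collected into one script. This is an added example, not MayeulC's shell snippet or the Arch wiki's; it assumes GnuPG 2.1.13 or later (so gpgconf knows agent-ssh-socket), the GnuPG default path under /run/user/<uid>/gnupg as a fallback, and OpenSSH's ssh-add exit codes (0 = identities listed, 1 = none or refused, 2 = agent unreachable). It also distinguishes the original poster's "agent refused operation" from a plain empty agent.

```shell
#!/bin/sh
# Added example (not from the thread or the Arch wiki): enable gpg-agent's
# ssh support once, point this shell at the agent's ssh socket, and verify
# that ssh-add can list identities. Assumes GnuPG >= 2.1.13 and OpenSSH's
# ssh-add exit codes (0 = listed, 1 = none/refused, 2 = cannot connect).

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# Append "enable-ssh-support" to gpg-agent.conf exactly once and keep the
# file private. Prints "added" or "present" so the caller knows whether
# the agent has to be restarted (the option is only read at startup).
ensure_ssh_support() {
    conf="$1"
    mkdir -p "$(dirname "$conf")"
    chmod 700 "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    if grep -qx 'enable-ssh-support' "$conf"; then
        echo present
    else
        printf 'enable-ssh-support\n' >> "$conf"
        echo added
    fi
    chmod 600 "$conf"
}

# Ask gpgconf where the ssh socket lives; fall back to GnuPG 2.1's default
# location under /run/user/<uid>/gnupg on systemd systems.
agent_ssh_socket() {
    sock=""
    if command -v gpgconf >/dev/null 2>&1; then
        sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null || true)
    fi
    [ -n "$sock" ] || sock="/run/user/$(id -u)/gnupg/S.gpg-agent.ssh"
    printf '%s\n' "$sock"
}

# Query the agent the way the thread did and turn ssh-add's result into a
# one-line verdict. "agent refused operation" (what the original post saw
# on request_identities) is reported separately from an agent that is
# reachable but simply has no keys in sshcontrol and no card key.
check_agent() {
    SSH_AUTH_SOCK="$1"; export SSH_AUTH_SOCK
    unset SSH_AGENT_PID
    out=$(ssh-add -l 2>&1) && rc=0 || rc=$?
    case "$rc" in
        0) echo "ok: $out" ;;
        1) case "$out" in
               *"refused operation"*) echo "refused: $out" ;;
               *) echo "empty: agent reachable, no keys in sshcontrol and no card key" ;;
           esac ;;
        *) echo "unreachable ($rc): $out" ;;
    esac
}

main() {
    if [ "$(ensure_ssh_support "$GNUPGHOME/gpg-agent.conf")" = added ]; then
        gpgconf --kill gpg-agent              # restart so the ssh socket gets created
    fi
    gpg-connect-agent /bye >/dev/null         # (re)start the agent if needed
    GPG_TTY=$(tty); export GPG_TTY            # let pinentry find this terminal
    gpg-connect-agent updatestartuptty /bye >/dev/null
    check_agent "$(agent_ssh_socket)"
    # Optional: a key ID as second argument is exported in authorized_keys
    # format, as in step 1 of the post.
    if [ -n "${2:-}" ]; then
        gpg --export-ssh-key "$2"
    fi
}

# Only touch ~/.gnupg when explicitly asked: "sh gpg-ssh.sh apply [KEYID]".
if [ "${1:-}" = apply ]; then
    main "$@"
fi
```

Run it as `sh gpg-ssh.sh apply` from the shell you use for ssh (GPG_TTY must be that shell's terminal, which is why the export happens inside the script rather than in a cron job or an X startup file). A "refused" verdict means ssh reached gpg-agent and gpg-agent answered the request_identities message with a failure, as in the first post's watchgnupg output; "unreachable" means SSH_AUTH_SOCK is wrong or the agent is not running, which is the more common misconfiguration.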