
#1 2017-04-08 12:41:04

serxxx
Member
Registered: 2017-04-02
Posts: 9

gpg-agent and ssh

Hi,

A number of people have had issues with gpg-agent and ssh support over the years; nothing I've found through Google has helped, and I'm hoping I'll get a tip here.

I've been using gpg-agent and ssh together for a couple of years at least under Ubuntu.  A month or so ago I switched to Arch and this is one of the few remaining issues I've been unable to resolve.  The behavior is, basically, that ssh isn't getting keys from gpg-agent.

   Linux sting 4.10.6-1-ARCH #1 SMP PREEMPT Mon Mar 27 08:28:22 CEST 2017 x86_64 GNU/Linux
   Name            : openssh
   Version         : 7.4p1-2
   Name            : gnupg
   Version         : 2.1.19-1

The behavior I see is:

  1. ssh-add works to add keys. I remove the keys from .gnupg/private-keys-v1.d/ and add them back with ssh-add and the keys show up in .gnupg/private-keys-v1.d/ as expected.

  2. ssh-add -l (and -L) both fail with:

       error fetching identities for protocol 2: agent refused operation
       The agent has no identities.

  3. ssh host prompts for the key password, indicating a failure to fetch from the agent.  -vvv reports

       debug1: pubkey_prepare: ssh_fetch_identitylist: agent refused operation

  4. Enabling debugging in gpg-agent (guru) and using watchgnupg shows, for all "refused operation" messages:

       4 - 2017-04-08 08:35:47 gpg-agent[2668]: ssh handler 0x7f9b5bfff700 for fd 8 started
       4 - 2017-04-08 08:35:47 gpg-agent[2668]: ssh request handler for request_identities (11) started
       4 - 2017-04-08 08:35:47 gpg-agent[2668]: ssh request handler for request_identities (11) ready
       4 - 2017-04-08 08:35:47 gpg-agent[2668]: ssh handler 0x7f9b5bfff700 for fd 8 terminated

I'm pretty stuck and don't know where next to turn.  Any suggestions?

Edit: This post didn't help; I did try the TTY suggestion from there a week ago but forgot about it in the meantime.  I should have replied to that instead of starting a new thread, though -- mea culpa.

Thanks in advance.

Last edited by serxxx (2017-04-08 12:46:43)


#2 2017-05-06 21:50:45

serxxx
Member
Registered: 2017-04-02
Posts: 9

Re: gpg-agent and ssh

Ok, a different question then: does _anyone_ have this working?  ssh with gpg-agent, not with ssh-agent?


#3 2017-05-17 20:10:56

MayeulC
Member
Registered: 2017-05-17
Posts: 1

Re: gpg-agent and ssh

Hi, I got it working today, after a few hours of research (during which I saw that post). I am using gpg-agent with a key stored in a yubico stick (like your regular pgp smartcard).

I did not put much thought into it, but I think it would be good to document it somewhere.

1. I exported my ssh public key from my gpg key with

gpg --export-ssh-key KEYIDENT

KEYIDENT is the last 8 hex digits from your Authentication key in gpg --card-status (or gpg --list-keys for that matter).
This is just a preliminary step, but what good are the others, if we don't have this?

2. Then, I followed the guide at https://wiki.archlinux.org/index.php/GnuPG#SSH_agent
That is, add "enable-ssh-support" in "~/.gnupg/gpg-agent.conf", and then add the necessary environment variables, as well as making sure that gpg-agent is started.
I put the following in my .zshrc, but it could also be part of the .profile, I guess:

# Start the gpg-agent if not already running
if ! pgrep -x -u "${USER}" gpg-agent >/dev/null 2>&1; then
  gpg-connect-agent /bye >/dev/null 2>&1
fi

# Set SSH to use gpg-agent
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
  export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
fi

# Set GPG TTY
export GPG_TTY=$(tty)

# Refresh gpg-agent tty in case user switches into an X session
gpg-connect-agent updatestartuptty /bye >/dev/null

Then I restarted zsh, and it just worked!

If you are not using a smartcard, you will probably have to use ssh-add on your keyfiles as well.

Enjoy! I hope you will get it working!

Last edited by MayeulC (2017-05-17 20:11:28)

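A diagnostic for the four things this post wires up, as an added example that is not code from the thread or from the Arch wiki: it checks that gpg-agent.conf enables ssh support, that SSH_AUTH_SOCK is gpg-agent's ssh socket rather than an ssh-agent one, that GPG_TTY is set, and which key files in private-keys-v1.d have no sshcontrol entry, since gpg-agent only offers ssh the keygrips listed there (ssh-add is what writes that entry). The function names are mine, and using gpgconf --list-dirs agent-ssh-socket to find the live socket path assumes a GnuPG recent enough to answer that query.

```shell
#!/bin/sh
# Checks for the gpg-agent/ssh wiring discussed in this thread. Each check takes
# its inputs as arguments, so it can run against a real ~/.gnupg or a test tree.

# 1. gpg-agent.conf must carry an uncommented enable-ssh-support line.
conf_has_ssh_support() {
  grep -Eq '^[[:space:]]*enable-ssh-support([[:space:]]|$)' "$1"
}

# 2. SSH_AUTH_SOCK must be gpg-agent's ssh socket, not a leftover ssh-agent one.
#    $1 = current SSH_AUTH_SOCK, $2 = the socket path gpg-agent actually uses.
sock_points_at_gpg_agent() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# 3. Without GPG_TTY, pinentry cannot prompt for the passphrase on a tty.
gpg_tty_is_set() {
  [ -n "$1" ]
}

# 4. gpg-agent offers ssh only the keygrips listed in sshcontrol (ssh-add writes
#    that line). A .key file in private-keys-v1.d with no sshcontrol entry, or a
#    "!"-disabled one, is never presented to ssh. $1 = sshcontrol, $2 = key dir.
keys_missing_from_sshcontrol() {
  for f in "$2"/*.key; do
    [ -e "$f" ] || continue
    grip=$(basename "$f" .key)
    grep -Eq "^[[:space:]]*${grip}([[:space:]]|$)" "$1" || echo "$grip"
  done
}

# Run all checks against the live environment; returns non-zero on any failure.
# gpgconf --list-dirs agent-ssh-socket reports the socket path gpg-agent uses.
diagnose() {
  home=${GNUPGHOME:-$HOME/.gnupg}
  want=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null)
  rc=0
  conf_has_ssh_support "$home/gpg-agent.conf" ||
    { echo "enable-ssh-support missing in $home/gpg-agent.conf"; rc=1; }
  sock_points_at_gpg_agent "${SSH_AUTH_SOCK:-}" "$want" ||
    { echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-unset} but gpg-agent uses $want"; rc=1; }
  gpg_tty_is_set "${GPG_TTY:-}" ||
    { echo "GPG_TTY is unset; export GPG_TTY=\$(tty) before starting the agent"; rc=1; }
  missing=$(keys_missing_from_sshcontrol "$home/sshcontrol" "$home/private-keys-v1.d")
  [ -z "$missing" ] ||
    { echo "keygrips with no sshcontrol entry (re-run ssh-add):"; echo "$missing"; rc=1; }
  return $rc
}

if [ "${1:-}" = "--run" ]; then diagnose; fi
```

Save it under any name and run it with --run from the shell in which ssh is failing, so it sees that shell's SSH_AUTH_SOCK and GPG_TTY.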
