Hey, I have a NitroKey Pro, which is essentially just an OpenPGP smartcard like YubiKey.
It has my GPG keys on it which I use at work to authorize myself when ssh'ing into remote servers.
However, I cannot for the life of me get it to work with my home Arch box.
- The card is shown correctly when I do gpg2 --card-status
- Trying to do ssh (server) gives the error message
sign_and_send_pubkey: signing failed: agent refused operation
- However, doing ssh-add -L correctly displays the SSH key from the smartcard
- ...and I've made sure that $SSH_AUTH_SOCK is the value of "$(gpgconf --list-dirs agent-ssh-socket)" which in my case is /run/user/1000/gnupg/S.gpg-agent.ssh
- My ~/.gnupg/gpg.conf contains the line use-agent
- My ~/.gnupg/gpg-agent.conf contains both the line pinentry-program /usr/bin/pinentry (which is installed) and the line enable-ssh-support
On my iMac I have to do two extra steps whenever I open a new terminal, namely:
1. echo UPDATESTARTUPTTY | gpg-connect-agent
2. killall gpg-agent && gpg-agent --daemon --pinentry-program /usr/local/bin/pinentry &
...but they don't seem to work here (even with the correct pinentry path)
What am I missing here? Why is the ssh-agent (which, I reckon, is actually gpg-agent) refusing to cooperate with the actual SSH operation?
Offline
I found the solution: I needed to set the correct TTY for pinentry as described here: https://wiki.archlinux.org/index.php/Gn … orrect_TTY
Offline
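Added example, not part of the original posts: a shell sketch that checks the settings listed in the first post and then applies the TTY fix from the answer above. The function names (conf_has_option, diagnose, fix_pinentry_tty) are made up for this illustration; the gpg commands are the ones already mentioned in the thread.

```shell
#!/bin/sh
# Added example: checks for the gpg-agent SSH setup described in this thread.
# Function names are hypothetical; nothing here comes from the posters.

# Return 0 if FILE ($1) contains OPTION ($2) as an active (uncommented) line.
conf_has_option() {
    [ -r "$1" ] && grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Print one line per problem found; print nothing if every check passes.
# $1 = socket path the agent reports, $2 = path to gpg-agent.conf
diagnose() {
    [ "${SSH_AUTH_SOCK:-}" = "$1" ] ||
        echo "SSH_AUTH_SOCK is '${SSH_AUTH_SOCK:-}', expected '$1'"
    conf_has_option "$2" enable-ssh-support ||
        echo "enable-ssh-support missing from $2"
    # The agent has to be told which terminal pinentry should prompt on.
    [ -n "${GPG_TTY:-}" ] ||
        echo "GPG_TTY is unset in this shell"
}

# Apply the fix from the thread: export this terminal as GPG_TTY and
# tell the running agent to use it for the PIN prompt.
fix_pinentry_tty() {
    GPG_TTY=$(tty) || return 1   # fails when stdin is not a terminal
    export GPG_TTY
    gpg-connect-agent updatestartuptty /bye >/dev/null
}

# Typical use from an interactive shell (for example in ~/.bashrc):
#   diagnose "$(gpgconf --list-dirs agent-ssh-socket)" ~/.gnupg/gpg-agent.conf
#   fix_pinentry_tty
```

If diagnose prints nothing and ssh still reports "agent refused operation", run fix_pinentry_tty in the terminal where ssh is started so the PIN prompt has somewhere to appear.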
Please remember to mark your thread [SOLVED] (edit the title of your first post).
Offline
Please remember to mark your thread [SOLVED] (edit the title of your first post).
I cannot do that as apparently that would make the title longer than is allowed
Offline