#1 2016-08-16 06:34:06

girzel
Member
Registered: 2010-06-27
Posts: 74

gpg-agent with --enable-ssh-support, and no socket

I've been using gpg-agent with ssh support enabled for a while, and it has worked okay. I always needed to remember to get the agent started before I began tmux, so the env variables propagated properly, but other than that it worked okay.

A couple of months ago (I've let this go for a while), the ssh support stopped working: the gpg-agent stopped creating the socket ~/.gnupg/S.gpg-agent.ssh. This happened simultaneously on two machines, so I'm pretty sure it's a package update issue.

I started looking into it a few days ago, and realized that these sockets exist:

ls /run/user/1000/gnupg
srwx------ 1 eric eric 0 Aug 16 14:07 S.gpg-agent
srwx------ 1 eric eric 0 Aug 16 14:07 S.gpg-agent.ssh

I tried setting SSH_AUTH_SOCKET to the second of those files, but trying to use the ssh support gave me: "sign_and_send_pubkey: signing failed: agent refused operation"

I've looked through everywhere in the logs I could think of, but there are no hints as to why this is happening. systemctl status gpg-agent shows me nothing fishy, and nothing bad happens until an ssh process actually tries to talk to the agent through the socket.

I have no desktop environment, I use i3 and X. I start gpg-agent with a systemd file: ~/.config/systemd/user/gpg-agent.service:

[Unit]
Description=GnuPG private key agent
IgnoreOnIsolate=true

[Service]
Type=forking
ExecStart=/usr/bin/gpg-agent --daemon --enable-ssh-support
ExecStop=/usr/bin/pkill gpg-agent
Restart=on-abort

[Install]
WantedBy=default.target

My ~/.gnupg/gpg-agent.conf:

enable-ssh-support
allow-loopback-pinentry

default-cache-ttl 10800
default-cache-ttl-ssh 10800

#pinentry-program /usr/bin/pinentry-curses
pinentry-program /usr/bin/pinentry-qt
#pinentry-program /usr/bin/pinentry-kwallet
#pinentry-program /usr/bin/pinentry-gtk-2

ps aux | grep agent
eric      4309  0.0  0.0 250024  3084 ?        Ss   14:07   0:00 /usr/bin/gpg-agent --daemon --enable-ssh-support

Does anyone have any hints as to why the agent would stop creating a socket in ~/.gnupg/?

Thanks!


#2 2016-08-16 13:12:50

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,544

Re: gpg-agent with --enable-ssh-support, and no socket

girzel wrote:

Does anyone have any hints as to why the agent would stop creating a socket in ~/.gnupg/ ?

This was an upstream change.


#3 2016-08-16 14:14:55

girzel
Member
Registered: 2010-06-27
Posts: 74

Re: gpg-agent with --enable-ssh-support, and no socket

Thanks for the swift reply!

I had assumed it was an upstream change, as it seemed so clearly caused by a package update. Embarrassingly, I only just realized that the wiki has already been updated accordingly.

That doesn't change the failure when using /run/user/$UID/gnupg/S.gpg-agent.ssh as the socket, however. I switched to the ~/.pam_environment method mentioned on the wiki, which sets SSH_AUTH_SOCK correctly, but any use of ssh still gives me:

sign_and_send_pubkey: signing failed: agent refused operation

ssh-add -l shows me my key. What else might be going wrong?


#4 2016-08-17 09:28:51

Bitwhip
Member
Registered: 2016-08-17
Posts: 1

Re: gpg-agent with --enable-ssh-support, and no socket

I have the same issue when following the GnuPG installation on the wiki site. When reading about ssh-add -l, is it so that the key should be appended to the .gnupg/sshcontrol file when running the ssh-add command?


#5 2016-08-20 09:30:55

girzel
Member
Registered: 2010-06-27
Posts: 74

Re: gpg-agent with --enable-ssh-support, and no socket

Okay, I'm getting there.

It looks like gpg-agent started via systemctl can't get the tty correctly. I turned on verbose logging and saw this:

failed to unprotect the secret key: Inappropriate ioctl for device
failed to read the secret key
ssh sign request failed: Inappropriate ioctl for device <Pinentry>

Googling led me here. The solution there was to run this in the shell:

echo "UPDATESTARTUPTTY" | gpg-connect-agent > /dev/null 2>&1

Which works when done manually. It's also possible that doing this would work as well:

export GPG_TTY=$(tty)

But I didn't actually try that.

Is there a way to get that into the systemctl profile? Or should I just be adding that to ~/.bashrc? Or maybe the profile should be running "gpg-connect-agent /bye" instead of gpg-agent in the first place...

Thanks,
Eric

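The pieces the thread arrives at (the SSH socket moved under /run/user/$UID/gnupg, checking that socket before handing it to ssh, and the GPG_TTY/UPDATESTARTUPTTY step so a systemd-started agent can find a terminal for pinentry), collected as shell-startup helpers. This is an added example, not code from the thread or from GnuPG; it assumes a GnuPG 2.1 whose gpgconf accepts "--list-dirs agent-ssh-socket", and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: login-shell helpers for the
# setup the posts describe. Assumes GnuPG 2.1+ with gpgconf and
# gpg-connect-agent on PATH; everything else comes from the environment.

# Socket path without asking GnuPG: new layout under the runtime dir, or the
# old ~/.gnupg location when no runtime dir is set. Args: runtime_dir home_dir
gpg_ssh_socket_fallback() {
    if [ -n "$1" ]; then
        printf '%s/gnupg/S.gpg-agent.ssh\n' "$1"
    else
        printf '%s/.gnupg/S.gpg-agent.ssh\n' "$2"
    fi
}

# Preferred: let gpgconf report where this GnuPG version puts the socket.
gpg_ssh_socket_path() {
    if command -v gpgconf >/dev/null 2>&1 &&
       sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null) &&
       [ -n "$sock" ]; then
        printf '%s\n' "$sock"
    else
        gpg_ssh_socket_fallback "${XDG_RUNTIME_DIR:-}" "$HOME"
    fi
}

# Before pointing ssh at a path, confirm it is a socket we own (gpg-agent
# creates it srwx------). Returns 0 when usable, 1 with a reason on stderr.
check_ssh_auth_sock() {
    if [ ! -S "$1" ]; then
        echo "not a socket: $1 (is gpg-agent running with enable-ssh-support?)" >&2
        return 1
    fi
    if [ ! -O "$1" ]; then
        echo "socket not owned by current user: $1" >&2
        return 1
    fi
}

# Wire the current shell to the agent: export SSH_AUTH_SOCK, then tell the
# agent which terminal pinentry may use (the UPDATESTARTUPTTY step in #5).
gpg_agent_attach_shell() {
    sock=$(gpg_ssh_socket_path)
    check_ssh_auth_sock "$sock" || return 1
    export SSH_AUTH_SOCK="$sock"
    if tty -s; then
        GPG_TTY=$(tty); export GPG_TTY
        gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1
    fi
}
```

Calling gpg_agent_attach_shell from ~/.bashrc (or whatever the login shell sources) is the ~/.bashrc alternative to ~/.pam_environment that post #5 asks about; it refuses to export SSH_AUTH_SOCK when the path is not a socket owned by the current user.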

#6 2017-04-08 12:48:50

serxxx
Member
Registered: 2017-04-02
Posts: 9

Re: gpg-agent with --enable-ssh-support, and no socket

Hi,

Same problem here, although the tty fix doesn't help me.  I came across this a week or so ago and then forgot about this thread today and started a new one.  My bad, although your problem doesn't look like mine since your fix doesn't work for me.


#7 2017-05-01 02:48:05

girzel
Member
Registered: 2010-06-27
Posts: 74

Re: gpg-agent with --enable-ssh-support, and no socket

That does sound like a different problem.

Your reply prompted me to revisit the vanilla instructions on the wiki (perhaps they've been edited in the past year or two?), and I've now gotten it working fine with the ~/.pam_environment solution noted there. Finally! One of my longstanding annoyances with my local environment, solved at last.

