
#1 2023-09-06 17:45:40

RaZorr
Member
Registered: 2021-12-02
Posts: 42

gpg-agent as ssh-agent fails after changing passphrase of ssh keys

I had set up gpg-agent as my ssh-agent by following the instructions below from the Arch Wiki:

GPG -  Use as ssh-agent

This was working well. Every time I use

git push

or

ssh -vT git@github.com 

the pinentry from GnuPG would pop-up and everything was fine.

Recently, I changed the passphrase of my ssh-keys using:

ssh-keygen -p -f ~/.ssh/key_name

I verified that the password changed with

ssh-keygen -y -f ~/.ssh/key_name

But now pinentry from GnuPG doesn't accept the new password.

This is some journalctl output during the interaction:

~$ journalctl --user -u gpg-agent
..SNIP
Sep 06 18:58:26 archsys gpg-agent[1715944]: scdaemon[1715944]: pcsc_establish_context failed: no service (0x8010001d)
Sep 06 18:58:37 archsys gpg-agent[1395]: failed to unprotect the secret key: Bad passphrase
Sep 06 18:58:37 archsys gpg-agent[1395]: failed to read the secret key
Sep 06 18:58:37 archsys gpg-agent[1395]: ssh sign request failed: Bad passphrase <GPG Agent>

Full journalctl output is at the end in case I missed something.

Some things I tried to solve the issue, which failed:

  1. Remove ~/.ssh/known_hosts and ~/.gnupg/sshcontrol

  2. Run ssh-add ~/.ssh/key_name again

  3. Install gnome-keyring

[spoiler]

~$ journalctl --user -u gpg-agent
Sep 05 20:41:56 archsys pinentry-gtk-2[1719865]: Unable to locate theme engine in module_path: "adwaita",
Sep 05 20:41:56 archsys pinentry-gtk-2[1719865]: Unable to locate theme engine in module_path: "adwaita",
Sep 05 20:41:56 archsys pinentry-gtk-2[1719865]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:41:56 archsys pinentry-gtk-2[1719865]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:41:56 archsys pinentry-gtk-2[1719865]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:41:56 archsys pinentry-gtk-2[1719865]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:41:56 archsys pinentry-gtk-2[1719865]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:41:56 archsys pinentry-gtk-2[1719865]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:41:56 archsys pinentry-gtk-2[1719865]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:41:56 archsys pinentry-gtk-2[1719865]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:41:56 archsys pinentry-gtk-2[1719865]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:41:56 archsys pinentry-gtk-2[1719865]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:41:56 archsys pinentry-gtk-2[1719865]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:41:58 archsys gpg-agent[1395]: failed to unprotect the secret key: Operation cancelled
Sep 05 20:41:58 archsys gpg-agent[1395]: failed to read the secret key
Sep 05 20:41:58 archsys gpg-agent[1395]: ssh sign request failed: Operation cancelled <Pinentry>
Sep 05 20:44:18 archsys gpg-agent[1715944]: scdaemon[1715944]: pcsc_establish_context failed: no service (0x8010001d)
Sep 05 20:44:18 archsys pinentry-gtk-2[1732370]: Unable to locate theme engine in module_path: "adwaita",
Sep 05 20:44:18 archsys pinentry-gtk-2[1732370]: Unable to locate theme engine in module_path: "adwaita",
Sep 05 20:44:18 archsys pinentry-gtk-2[1732370]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:44:18 archsys pinentry-gtk-2[1732370]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:44:18 archsys pinentry-gtk-2[1732370]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:44:18 archsys pinentry-gtk-2[1732370]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:44:18 archsys pinentry-gtk-2[1732370]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:44:18 archsys pinentry-gtk-2[1732370]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:44:18 archsys pinentry-gtk-2[1732370]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:44:18 archsys pinentry-gtk-2[1732370]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:44:18 archsys pinentry-gtk-2[1732370]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:44:18 archsys pinentry-gtk-2[1732370]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:44:18 archsys pinentry-gtk-2[1732370]: Unable to locate theme engine in module_path: "murrine",
Sep 05 20:44:39 archsys gpg-agent[1395]: failed to unprotect the secret key: Operation cancelled
Sep 05 20:44:39 archsys gpg-agent[1395]: failed to read the secret key
Sep 05 20:44:39 archsys gpg-agent[1395]: ssh sign request failed: Operation cancelled <Pinentry>
Sep 05 20:47:31 archsys gpg-agent[1715944]: scdaemon[1715944]: pcsc_establish_context failed: no service (0x8010001d)
Sep 05 21:06:11 archsys gpg-agent[1395]: SIGHUP received - re-reading configuration and flushing cache
Sep 05 21:06:11 archsys gpg-agent[1395]: reading options from '/home/razorr/.gnupg/gpg-agent.conf'
Sep 05 21:06:35 archsys gpg-agent[1715944]: scdaemon[1715944]: pcsc_establish_context failed: no service (0x8010001d)
Sep 05 21:06:50 archsys gpg-agent[1395]: failed to unprotect the secret key: Bad passphrase
Sep 05 21:06:50 archsys gpg-agent[1395]: failed to read the secret key
Sep 05 21:06:50 archsys gpg-agent[1395]: ssh sign request failed: Bad passphrase <GPG Agent>
Sep 06 18:58:26 archsys gpg-agent[1715944]: scdaemon[1715944]: pcsc_establish_context failed: no service (0x8010001d)
Sep 06 18:58:37 archsys gpg-agent[1395]: failed to unprotect the secret key: Bad passphrase
Sep 06 18:58:37 archsys gpg-agent[1395]: failed to read the secret key
Sep 06 18:58:37 archsys gpg-agent[1395]: ssh sign request failed: Bad passphrase <GPG Agent>

[/spoiler]

In the above journal, I think

Sep 05 20:44:39 archsys gpg-agent[1395]: failed to unprotect the secret key: Operation cancelled

happens when I cancel the password entry after the first attempt fails. When I fail all three attempts, it shows the Bad passphrase message.

Last edited by RaZorr (2023-09-06 17:48:19)


#2 2023-09-06 19:12:42

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 76,101

Re: gpg-agent as ssh-agent fails after changing passphrase of ssh keys

Any chance for a layout issue?
Is the new PW QWERTY-safe? Was the old one? What if you change the PW to 12345?
Spaceballs-12345.jpg


#3 2023-09-06 19:23:55

RaZorr
Member
Registered: 2021-12-02
Posts: 42

Re: gpg-agent as ssh-agent fails after changing passphrase of ssh keys

seth wrote:

Any chance for a layout issue?

I don't think so.

I used

ssh-keygen -y -f ~/.ssh/key_name

to verify that the password has changed and that I am able to type it. However, this asks for the password in the terminal, not in the pinentry from gpg.

Something interesting happened.

For the pinentry prompt from gpg, I entered my old password, which I had before changing the passphrase for the ssh key. Surprisingly, it was accepted. I think gpg has cached or has copied my ssh keys as they existed before the password change?

My gpg.conf and gpg-agent.conf are below:

gpg.conf

use-agent
pinentry-mode loopback

# AES256 as cipher for symmetric ops
s2k-cipher-algo AES256

keyid-format 0xlong

# Keyserver URL
keyserver hkps://keys.openpgp.org
#keyserver hkps://keyserver.ubuntu.com
#keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver hkps://pgp.ocf.berkeley.edu

gpg-agent.conf

enable-ssh-support
pinentry-program /usr/bin/pinentry-curses
# pinentry-program /usr/bin/pinentry-qt

max-cache-ttl 3600
default-cache-ttl 3600

default-cache-ttl-ssh 3600
max-cache-ttl-ssh 3600

# vim: ft=gpg:

Last edited by RaZorr (2023-09-06 19:24:43)


#4 2023-09-06 19:46:47

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 76,101

Re: gpg-agent as ssh-agent fails after changing passphrase of ssh keys

gpg-agent caches the keys, did you reload/restart the agent or reboot after the PW change?

Otherwise, is  "~/.ssh/key_name" (which I assume is an obfuscation to begin with?) actually the relevant key file?

ls ~/.ssh

and check the contents of ~/.ssh/config


#5 2023-09-06 19:59:13

RaZorr
Member
Registered: 2021-12-02
Posts: 42

Re: gpg-agent as ssh-agent fails after changing passphrase of ssh keys

seth wrote:

Otherwise, is  "~/.ssh/key_name" (which I assume is an obfuscation to begin with?) actually the relevant key file?

Yes, this is for obfuscation purposes.

I did reload the agent with

gpg-connect-agent reloadagent /bye

updated the agent with

gpg-connect-agent updatestartuptty /bye

and rebooted the system.

Here's the output from

ssh -vT git@github.com
~$ ssh -vT git@github.com
OpenSSH_9.4p1, OpenSSL 3.1.2 1 Aug 2023
debug1: Reading configuration data /home/razorr/.ssh/config
debug1: Executing command: 'gpg-connect-agent UPDATESTARTUPTTY /bye'
debug1: /home/razorr/.ssh/config line 23: Applying options for github.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 2: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: Connecting to github.com [140.82.121.3] port 22.
debug1: Connection established.
debug1: identity file /home/razorr/.ssh/github type 3
debug1: identity file /home/razorr/.ssh/github-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.4
debug1: Remote protocol version 2.0, remote software version babeld-7e018303
debug1: compat_banner: no match: babeld-7e018303
debug1: Authenticating to github.com:22 as 'git'
debug1: load_hostkeys: fopen /home/razorr/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:+*****CENSORED
debug1: load_hostkeys: fopen /home/razorr/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'github.com' is known and matches the ED25519 host key.
debug1: Found key in /home/razorr/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: /home/razorr/.ssh/github ED25519 SHA256:*****CENSORED explicit agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/razorr/.ssh/github ED25519 SHA256:*****CENSORED explicit agent
debug1: Server accepts key: /home/razorr/.ssh/github ED25519 SHA256:*****CENSORED explicit agent
sign_and_send_pubkey: signing failed for ED25519 "/home/razorr/.ssh/github" from agent: agent refused operation
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).

I hope there's nothing privacy-concerning there.

Last edited by RaZorr (2023-09-06 20:00:30)


#6 2023-09-06 20:03:26

RaZorr
Member
Registered: 2021-12-02
Posts: 42

Re: gpg-agent as ssh-agent fails after changing passphrase of ssh keys

I am starting to suspect this is a bug when using gpg-agent as ssh-agent: it appears when one changes the password of an existing ssh key that has been used by gpg-agent, using the command:

ssh-keygen -p -f ~/.ssh/filename


#7 2023-09-06 20:08:27

RaZorr
Member
Registered: 2021-12-02
Posts: 42

Re: gpg-agent as ssh-agent fails after changing passphrase of ssh keys

Also, I had the following in my ~/.ssh/config:

AddKeysToAgent	ask
Match host * exec "gpg-connect-agent UPDATESTARTUPTTY /bye"

# User0 Account Identity
Host github.com
  Hostname github.com
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/github

# User1 Account Identity
Host gitlab.com
  Hostname gitlab.com
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/gitlab

Did that

AddKeysToAgent	ask

cause this issue?

Last edited by RaZorr (2023-09-06 20:31:37)


#8 2023-09-06 20:17:27

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 76,101

Re: gpg-agent as ssh-agent fails after changing passphrase of ssh keys

sign_and_send_pubkey: signing failed for ED25519 "/home/razorr/.ssh/github" from agent: agent refused operation

is often because of an insecure file/path.

ls -la /home/razorr/.ssh/

Edit: the log references "/home/razorr/.ssh/github" but your config has "/home/razorr/.ssh/githubA"?

Edit #2:
b/c of AddKeysToAgent, is that a new setting?

echo $SSH_ASKPASS

Last edited by seth (2023-09-06 20:29:43)


#9 2023-09-06 20:30:56

RaZorr
Member
Registered: 2021-12-02
Posts: 42

Re: gpg-agent as ssh-agent fails after changing passphrase of ssh keys

seth wrote:

Edit: the log references "/home/razorr/.ssh/github" but your config has "/home/razorr/.ssh/githubA"?

The actual key is githubR in the log. I changed it to just github for privacy, but that was probably stupid. I will make it consistent with everything else.

Also this:

stat --format '%a %n' ~/.ssh/*
777 /home/razorr/.ssh/config
600 /home/razorr/.ssh/githubA
644 /home/razorr/.ssh/githubA.pub
600 /home/razorr/.ssh/githubR   # <------- This is the one I've posted in my earlier comments as githubR
644 /home/razorr/.ssh/githubR.pub
600 /home/razorr/.ssh/gitlabR
644 /home/razorr/.ssh/gitlabR.pub
600 /home/razorr/.ssh/gitlabS
644 /home/razorr/.ssh/gitlabS.pub
644 /home/razorr/.ssh/known_hosts
600 /home/razorr/.ssh/known_hosts_bak
644 /home/razorr/.ssh/known_hosts.old

Last edited by RaZorr (2023-09-06 20:32:57)


#10 2023-09-06 20:33:49

RaZorr
Member
Registered: 2021-12-02
Posts: 42

Re: gpg-agent as ssh-agent fails after changing passphrase of ssh keys

echo $SSH_ASKPASS

returns nothing.

#11 2023-09-06 20:34:26

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 76,101

Re: gpg-agent as ssh-agent fails after changing passphrase of ssh keys

Iirc the directory permissions are relevant, too (should be 700), and known_hosts should be 600.

Edit:
https://man.archlinux.org/man/core/open … eysToAgent

If this option is set to ask, ssh(1) will require confirmation using the SSH_ASKPASS program before adding a key (see ssh-add(1) for details).

Last edited by seth (2023-09-06 20:36:09)


#12 2023-09-06 20:38:45

RaZorr
Member
Registered: 2021-12-02
Posts: 42

Re: gpg-agent as ssh-agent fails after changing passphrase of ssh keys

Changed all the permissions but nothing changed.

I have

echo $SSH_ASKPASS

Is that a problem?

Like I said in the opening post, everything was working properly until I changed the password of the ssh keys with

ssh-keygen -p -f ~/.ssh/key_name

Last edited by RaZorr (2023-09-06 20:51:44)


#13 2023-09-06 20:46:01

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 76,101

Re: gpg-agent as ssh-agent fails after changing passphrase of ssh keys

"hey_nam"…

Since you rebooted the system all transient caches etc. should be gone.
Is the old password still accepted?
In that case, pay very close attention to the actual filenames, you most likely operated on the wrong file.
You might also just move away the keys you changed and see how that impacts the behavior/errors.


#14 2023-09-06 20:54:11

RaZorr
Member
Registered: 2021-12-02
Posts: 42

Re: gpg-agent as ssh-agent fails after changing passphrase of ssh keys

seth wrote:

"hey_nam"…

XD XD Corrected it.

I am sure the key names are correct. I had used this exact setup for years, and just last week I changed the passphrase and whole hell broke loose.

The old password is still working, so I strongly believe gpg is using the old version of the key it stored somewhere, but I don't know where. I am suspicious of the

 AddKeystoAgent yes

option.

#15 2023-09-06 21:08:39

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 76,101

Re: gpg-agent as ssh-agent fails after changing passphrase of ssh keys

"AddKeystoAgent yes" used to be "ask"?


gpg-connect-agent 'keyinfo --ssh-list' /bye | awk '{print $3}'

Edit: https://unix.stackexchange.com/question … he-keyring
Seems to have been an issue in the past hmm

Last edited by seth (2023-09-06 21:10:06)


#16 2023-09-06 21:43:11

RaZorr
Member
Registered: 2021-12-02
Posts: 42

Re: gpg-agent as ssh-agent fails after changing passphrase of ssh keys

OMG seth you saved me.

In the link you posted, this comment led me to the answer.

I deleted the file in /home/razorr/.gnupg/private-keys-v1.d that had the name from the output of

gpg-connect-agent 'keyinfo --ssh-list' /bye | awk '{print $3}'

Apparently, gpg was copying the key to that folder and saving it there.
Now everything is back to normal.

You, sir, have mastered the art of googling, because I had probably 20 tabs with different issues and solutions this week, and only the link you gave had the solution.

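What the thread arrives at, as an added example that is not code from the thread: when gpg-agent acts as ssh-agent, the key that ssh-add handed over lives on as the agent's own copy under ~/.gnupg/private-keys-v1.d, named by keygrip, and that copy (not the file in ~/.ssh that ssh-keygen -p re-encrypted) is what the pinentry passphrase unlocks. The helper below parses the `keyinfo --ssh-list` output the thread used and maps each keygrip to that copy; the sample output and keygrips are constructed, and the function names and the `store_files` argument are this example's own.

```python
"""Locate gpg-agent's private copies of SSH keys imported via ssh-add."""
from pathlib import PurePosixPath
from typing import Iterable

# Field layout of one gpg-agent KEYINFO status line:
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
# `gpg-connect-agent 'keyinfo --ssh-list' /bye` prints one per sshcontrol entry;
# the thread's `awk '{print $3}'` extracts <keygrip> from exactly this layout.
FIELDS = ("keygrip", "type", "serialno", "idstr", "cached",
          "protection", "fpr", "ttl", "flags")

# Constructed sample output; the keygrips are invented, not taken from the thread.
SAMPLE_KEYINFO = """\
S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 D - - - P - - -
S KEYINFO 89ABCDEF0123456789ABCDEF0123456789ABCDEF D - - 1 P - - -
OK
"""


def parse_ssh_keyinfo(output: str) -> list[dict[str, str]]:
    """Parse KEYINFO status lines into dicts; the trailing 'OK' and any other
    line that does not have the documented field count are skipped."""
    keys = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 + len(FIELDS) and parts[:2] == ["S", "KEYINFO"]:
            keys.append(dict(zip(FIELDS, parts[2:])))
    return keys


def stale_agent_copies(output: str, store_files: Iterable[str],
                       gnupg_home: str = "~/.gnupg") -> list[str]:
    """Return the private-keys-v1.d paths holding the agent's copy of each
    ssh-listed key. `store_files` is the listing of <gnupg_home>/private-keys-v1.d
    (as os.listdir would return it), passed in so this runs offline.

    type 'D' means the agent keeps the key on disk itself; 'cached' only says
    whether the passphrase sits in the in-memory cache. That is why a cache
    flush (`gpg-connect-agent reloadagent /bye`) or a reboot changes nothing:
    the on-disk copy, not the cache, still carries the old passphrase.
    """
    present = set(store_files)
    paths = []
    for key in parse_ssh_keyinfo(output):
        name = f"{key['keygrip']}.key"
        if key["type"] == "D" and name in present:
            paths.append(str(PurePosixPath(gnupg_home, "private-keys-v1.d", name)))
    return paths
```

Once a stale copy is removed, running ssh-add on the ~/.ssh file again makes gpg-agent import it afresh under the current passphrase.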

#17 2023-09-06 21:48:13

RaZorr
Member
Registered: 2021-12-02
Posts: 42

Re: gpg-agent as ssh-agent fails after changing passphrase of ssh keys

Final question: I cannot mark the thread as [SOLVED] without deleting some of the characters in the title because of a character limit. Should I delete some and mark it as [SOLVED]?
