gpg-agent/ssh-add asking for passphrase at first usage
Axel Thimm
Axel.Thimm at ATrpms.net
Mon Mar 31 02:46:21 CEST 2008
Hi,
some years ago I did create a nice "gpg-agent --enable-ssh-support"
setup that would register ssh keys with the agent, but the agent would
only ask for the passphrase when ssh would try a connection.
Now I upgraded my system and this doesn't work anymore. Unfortunately
I didn't document how I had set it up and I can't even find a hint in
the gnupg docs. :(
Fortunately I have a backup of the old system where I can at least
phenomenologically investigate it:

a) The old system was a Fedora system where I had replaced
   /usr/bin/ssh-agent with a script:

     #! /bin/sh
     exec /usr/bin/gpg-agent \
         --enable-ssh-support \
         --daemon \
         --write-env-file ${HOME}/.gpg-agent-info \
         "$@"

b) When logging into X11 Fedora would call this script wrapped around
   gnome-session. Once in a console `ssh-add -l' shows that the key has
   already been registered (but no passphrase has been asked yet):

     $ ssh-add -l
     1024 95:50:9c:02:fc:71:d6:fb:0c:f6:02:d1:fc:dc:7e:3f .xxx/id_dsa (DSA)

c) When an ssh connection is run gpg-agent would be contacted which in
   turn would fire up the pinentry-program to get the passphrase,
   which would then only be asked again after the default/max ttls
   would expire.

Now my questions are:

- *how* did I set this up to have the key registered, but have the
  passphrase asked only once it's needed? There is no ssh-add option
  for a delayed passphrase checking.

- *where* did I set this up? I couldn't find anything in the gnome
  startup that would even call ssh-add. How did gpg-agent know about
  the location/fingerprint of my key?

- *why* did it break with the update? The old system has gnupg 2.0.8
  and the new one 2.0.9. But the Changelog doesn't indicate anything
  that would make these two behave differently.

Thanks!
--
Axel.Thimm at ATrpms.net