Can't enter passphrase in su session.

Steven W. Orr steveo at syslang.net
Thu May 21 00:31:23 CEST 2009


On Wednesday, May 20th 2009 at 15:00 -0000, quoth mike _:

=>I have an account, bob, on a machine that is used for building rpms
=>and then creating and signing a repository.
=>
=>If I log in to the machine as bob via ssh and run
=>
=>$ gpg -a --detach-sign somedir/repodata/repomd.xml
=>
=>then all is well.
=>
=>As the bob account will be used by multiple people I want to block ssh
=>logins for bob and have people log in via ssh with their own account
=>and use 'su -' to become the user. This then leaves a trail in the log
=>of who became bob when. But, if I log in to the machine as myself,
=>then do
=>
=>$ su - bob
=>
=>Then run
=>
=>$ gpg -a --detach-sign somedir/repodata/repomd.xml
=>
=>I get
=>
=>gpg: using PGP trust model
=>gpg: key B97DE878: accepted as trusted key
=>
=>You need a passphrase to unlock the secret key for
=>user: "Bob"
=>4096-bit RSA key, ID B97DE878, created 2009-05-19
=>
=>can't connect to `/home/bob/.gnupg/S.gpg-agent': No such file or directory
=>gpg: no running gpg-agent - starting one
=>gpg-agent[29808]: command get_passphrase failed: Operation cancelled
=>gpg: cancelled by user
=>gpg: no default secret key: General error
=>gpg: signing failed: General error
=>
=>I'm never given a chance to enter the passphrase, gpg just declares
=>failure and tells me I canceled the operation. Which I didn't.
=>
=>I've compared the output of 'env' for both an ssh login session and
=>'su -' session and apart from a few variables relating to ssh, they're
=>the same.
=>
=>There must be something different about the sessions that explains why
=>I'm never given a chance to enter the passphrase in the 'su -'
=>session, but I'm at a loss as to what.
=>
=>I did try searching the mailing lists and Google, but 'su' results in
=>a huge amount of (at least seemingly) irrelevant hits, so I gave up
=>fairly quickly!
=>
=>Can anyone offer any insight into this issue?

I'm going to take a stab at this one. If I'm wrong then I expect to be 
suitably chastised.

It seems like you need to read the man page on gpg-agent to make sure that, 
whether you log in directly, via su or via ssh, the GPG_AGENT_INFO 
variable is properly set. If you log in via X then you probably have the 
variable set as part of your session. su will prevent that env var from 
being passed through by default. That is configurable by using -m or by 
using sudo instead of su and suitably configuring your sudoers file. Also, 
ssh can be configured to set the variable, but you probably just want to 
do it in your .bash_profile dependent on how DISPLAY is set.

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
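As an added illustration of the .bash_profile approach suggested in the reply (example code, not from the thread or from GnuPG itself), the helpers below check whether the GPG_AGENT_INFO that `su -` drops still names a usable agent and start one only if not. They assume the GnuPG 1.4/2.0-era `socket:pid:protocol` format of GPG_AGENT_INFO and a hypothetical env file path `~/.gpg-agent-info`; the socket path and PID in the comments are the ones from the quoted error output.

```shell
#!/bin/bash
# Helpers for ~/.bash_profile: verify the gpg-agent environment that `su -`
# drops and start an agent only when none is reachable from this session.
# Assumes GPG_AGENT_INFO has the form "<socket>:<pid>:<protocol>", e.g.
# "/home/bob/.gnupg/S.gpg-agent:29808:1", and the hypothetical env file
# ~/.gpg-agent-info written by `gpg-agent --write-env-file`.

gpg_agent_sock() { printf '%s\n' "${1%%:*}"; }                     # socket field
gpg_agent_pid()  { local r="${1#*:}"; printf '%s\n' "${r%%:*}"; }  # pid field

# Return 0 only if the agent named by $1 (default: $GPG_AGENT_INFO) is usable:
# variable set, socket present, PID numeric, alive and signallable by us.
# After `su - bob`, bob cannot signal the original user's agent, so this
# fails instead of trying to reuse another user's agent.
gpg_agent_env_ok() {
    local info="${1-$GPG_AGENT_INFO}"
    [ -n "$info" ] || return 1
    local sock pid
    sock=$(gpg_agent_sock "$info")
    pid=$(gpg_agent_pid "$info")
    [ -S "$sock" ] || return 1
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    kill -0 "$pid" 2>/dev/null
}

# Sourced from .bash_profile: reuse a recorded agent, otherwise start one.
# Not run at load time; call `ensure_gpg_agent` at the end of .bash_profile.
ensure_gpg_agent() {
    local envfile="${1:-$HOME/.gpg-agent-info}"
    if ! gpg_agent_env_ok; then
        if [ -r "$envfile" ]; then
            . "$envfile"              # sets GPG_AGENT_INFO from an earlier start
            export GPG_AGENT_INFO
        fi
        if ! gpg_agent_env_ok; then
            # --write-env-file records the new agent for later logins
            eval "$(gpg-agent --daemon --write-env-file "$envfile")"
        fi
    fi
    # The gpg-agent man page also asks for GPG_TTY so pinentry finds the tty.
    GPG_TTY=$(tty); export GPG_TTY
}

# Alternatives named in the reply: `su -m` keeps the environment, and with
# sudo a sudoers line such as   Defaults env_keep += "GPG_AGENT_INFO"
# passes the variable through.
```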
