Can't enter passphrase in su session.

mike _ arizonagroovejet at gmail.com
Thu May 21 12:39:21 CEST 2009


2009/5/20 Chris Babcock <cbabcock at kolonelpanic.com>:
>
> In .bash_profile, you will have something *like* this:
> if test -f $HOME/.gpg-agent-info &&    kill -0 `cut -d: -f 2
> [cut]

Nothing like that

bob at foo:~> grep -ir gpg-agent /etc/bash* 2>/dev/null
bob at foo:~> grep -ir gpg-agent /etc/profile* 2>/dev/null
bob at foo:~>

Nothing in ~/.bash* or ~/.profile*  either.

2009/5/20 Steven W. Orr <steveo at syslang.net>:
>
> If you log in via X

I don't. Never have. The machine doesn't have X installed.



Both the replies so far have made me realise that I'm guilty of
neglecting to include some relevant info.

When logged in via ssh, the session in which I do get prompted to
enter the passphrase, the output is as follows.


gpg: using PGP trust model
gpg: key B97DE878: accepted as trusted key
You need a passphrase to unlock the secret key for
user: "Bob"
4096-bit RSA key, ID B97DE878, created 2009-05-19

can't connect to `/home/bob/.gnupg/S.gpg-agent': No such file or directory
gpg: no running gpg-agent - starting one
[I am prompted to enter my passphrase via some sort of ncurses
interface. From output of strace it appears to be
/usr/bin/pinentry-curses]
File `/home/bob/rpmbuild/RPMS//repodata/repomd.xml.asc' exists.
Overwrite? (y/N) y
gpg: writing to `/home/bob/rpmbuild/RPMS//repodata/repomd.xml.asc'
gpg: RSA/SHA1 signature from: "B97DE878 Bob"


The "can't connect to `/home/bob/.gnupg/S.gpg-agent': No such file or
directory" message appears in both sessions. Hence the appearance of
this message does not appear to be related to my not being prompted to
enter the passphrase.

Also GPG_AGENT_INFO is not set in either the ssh or su sessions. Hence
it being set up properly or otherwise does not appear to be relevant
to my not being prompted to enter the passphrase in a su session.


Further investigation today reveals:

If I dump the output of env in the ssh session and in the su session
to files and then run diff I get

bob at foo:~> diff /tmp/env_ssh /tmp/env_su
8d7
< TERM=xterm
9a9
> TERM=xterm
12d11
< SSH_CLIENT=XXX.XXX.XXX.XXX 56278 22
15d13
< SSH_TTY=/dev/pts/0
26c24
< MAIL=/var/mail/bob
---
> MAIL=/var/spool/mail/bob
29d26
< SSH_SENDS_LOCALE=yes
47d43
< SSH_CONNECTION=XXX.XXX.XXX.XXX 56278 YYY.YYY.YYY.YYY 22


SSH_TTY is set in the ssh session but not the su session. Setting it
in the su session to the value it has for the user that ran su
doesn't help. (I.e. if I log in via ssh then check the value of
SSH_TTY, su to bob then set SSH_TTY to that value.)


When bob logs in, via ssh or via su, no gpg-agent process is started.
Under both sessions, after the attempt is made to sign a file, no
gpg-agent process is running. So when gpg says "gpg: no running
gpg-agent - starting one" presumably it starts one then kills it again
after the passphrase entry.

Under the su session, if I start a gpg-agent process manually I get this:

bob at foo:~> eval $(gpg-agent --daemon)
bob at foo:~> ps aux | grep gpg
bob        356  0.0  0.0   4016   480 ?        Ss   11:14   0:00
gpg-agent --daemon
bob        358  0.0  0.0   3232   728 pts/0    S+   11:14   0:00 grep gpg
bob at foo:~> echo $GPG_AGENT_INFO
/tmp/gpg-K81hbj/S.gpg-agent:356:1
bob at foo:~> gpg -a --detach-sign ~/rpmbuild/RPMS/repodata/repomd.xml

You need a passphrase to unlock the secret key for
user: "Bob"
4096-bit RSA key, ID B97DE878, created 2009-05-19

gpg: cancelled by user
gpg: no default secret key: General error
gpg: signing failed: General error


Again I'm not prompted to enter the passphrase.

So maybe the problem is that under su, gpg-agent fails to launch
/usr/bin/pinentry (which in turn decides whether to launch
pinentry-curses, or a QT or GTK equivalent). If I run gpg under strace
and look through the output there is no mention of /usr/bin/pinentry
being called, but there is in the ssh session. Why no attempt is made
to launch /usr/bin/pinentry, though, I have not been able to determine.

thanks,

mike
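A diagnostic added here (not part of the thread above or of GnuPG itself) that checks, from inside a session, the preconditions pinentry-curses needs before it can put up a prompt: an exported GPG_TTY that names a terminal the current user can open, a GPG_AGENT_INFO socket that actually exists, and a pinentry binary on PATH. It assumes POSIX sh and that the function names are my own; the "su leaves the pty owned by the original user" case is the one tty_usable is meant to catch.

```shell
#!/bin/sh
# Added diagnostic for "no passphrase prompt under su" (not GnuPG code).
# Each helper returns 0 on success so it can be used in if/&&/! tests.

# 0 if $1 is a character device the current user can read and write.
# After su the pseudo-terminal normally stays owned by the login user,
# so the su'd user cannot open it and pinentry-curses has nowhere to draw.
tty_usable() {
    if [ -c "$1" ] && [ -r "$1" ] && [ -w "$1" ]; then
        return 0
    fi
    return 1
}

# Print the socket path from a GPG_AGENT_INFO value
# (format: <socket path>:<agent pid>:<protocol version>).
agent_socket_path() {
    printf '%s\n' "${1%%:*}"
}

# 0 if the socket named in a GPG_AGENT_INFO value exists on disk.
agent_socket_present() {
    sock=$(agent_socket_path "$1")
    [ -n "$sock" ] && [ -S "$sock" ]
}

# Run every check against the current environment; prints what is
# missing and returns non-zero if any precondition is not met.
pinentry_precheck() {
    rc=0
    if [ -z "${GPG_TTY:-}" ]; then
        echo 'GPG_TTY is not exported; pinentry-curses needs it: export GPG_TTY=$(tty)'
        rc=1
    elif ! tty_usable "$GPG_TTY"; then
        echo "GPG_TTY=$GPG_TTY is not a terminal this user can open (see: ls -l $GPG_TTY)"
        rc=1
    fi
    if [ -n "${GPG_AGENT_INFO:-}" ] && ! agent_socket_present "$GPG_AGENT_INFO"; then
        echo "GPG_AGENT_INFO names a missing socket: $(agent_socket_path "$GPG_AGENT_INFO")"
        rc=1
    fi
    if ! command -v pinentry >/dev/null 2>&1; then
        echo 'no pinentry program found on PATH'
        rc=1
    fi
    return $rc
}

# Set RUN_PRECHECK=1 in the environment to run the checks when executed.
if [ -n "${RUN_PRECHECK:-}" ]; then
    pinentry_precheck
fi
```

Run it once in the ssh session and once after su to bob; a difference in the GPG_TTY line is the usual reason the curses prompt never appears in only one of them.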



More information about the Gnupg-users mailing list