[HELP] pinentry-curses breaks SSH auth, but pinentry-mac works fine?
Ryan Lue
hello at ryanlue.com
Thu Jul 13 09:03:54 CEST 2017
Hi Daniel,
Yes, thanks, this absolutely did it! Sorry for not responding earlier —
I had intended to write a follow-up blog post that addressed this
question, along with that of forwarding the gpg-agent socket over SSH
with `ssh -R` (so that you can use your local machine's GPG private keys
in a remote session without having to manually copy them to another
machine), but figuring out how to do all that with pinentry-curses has
proven to be a real pickle.
So while I was originally going to wait until I'd finished that post and
send it back your way (as a weird kind of thank-you?), I'm just gonna
have to settle for actually saying “thank you” for the time being.
So, thanks.
—Ryan
On 2017 Jun 30, Daniel Kahn Gillmor wrote:
> Hi Ryan--
>
> On Fri 2017-06-30 11:54:46 +0800, Ryan Lue wrote:
> > But for some reason, it just doesn't work with `pinentry-curses`: SSH
> > (GPG) key authentication fails silently, and the server falls back to
> > password authentication. (I have made sure to set `$GPG_TTY`, so
> > `pinentry-curses` works just fine for everything else, just not SSH
> > authentication. For instance, I can `echo hello | gpg -s` and I'll get
> > the pinentry password prompt in the terminal.)
>
> setting GPG_TTY only works for clients that know to interpret it and to
> pass its value along to gpg-agent.
>
> when ssh is speaking to gpg-agent, it's using the ssh-agent protocol,
> which has no mechanism for passing this info to the agent.
>
> as a result, the agent (which *isn't* running attached to the current
> tty) can't tell pinentry which tty to use.
>
> have you tried doing this:
>
> GPG_TTY=$(tty) gpg-connect-agent updatestartuptty /bye
>
> from the current terminal before trying to use ssh?
>
> i consider this a workaround (which isn't satisfactory for easy everyday
> use without better integration), but it's probably better than nothing.
>
> please let the list know if that workaround works for you!
>
> regards,
>
> --dkg
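The workaround dkg describes (register the current tty with the agent via `updatestartuptty`) and the gpg-agent side of the setup, collected into one shell snippet. This is an added example, not code from the thread or from GnuPG: the `ssh` wrapper function that re-registers the tty before every call is my suggestion for the "everyday use" gap dkg mentions, and the pinentry path `/usr/bin/pinentry-curses` and the config file location are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example (not from the thread or GnuPG): use gpg-agent as ssh-agent with
# pinentry-curses, and keep the agent told which tty the prompt should use.

# Append a line to a config file only if it is not already present (idempotent).
ensure_conf_line() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# gpg-agent.conf: enable the ssh-agent protocol and pick the curses pinentry.
# The pinentry path is an assumption; check `command -v pinentry-curses`.
configure_gpg_agent() {
    conf=${1:-$HOME/.gnupg/gpg-agent.conf}
    pinentry=${2:-/usr/bin/pinentry-curses}
    mkdir -p "$(dirname "$conf")" && chmod 700 "$(dirname "$conf")"
    ensure_conf_line "$conf" "enable-ssh-support"
    ensure_conf_line "$conf" "pinentry-program $pinentry"
}

# Per-shell setup (e.g. from ~/.profile): point ssh at gpg-agent's socket and
# register this tty with the agent so pinentry-curses has a terminal to draw
# on. Returns 1 when the gpg tools are missing or there is no controlling tty
# (cron jobs, non-interactive sessions), so callers can skip quietly.
use_gpg_agent_for_ssh() {
    command -v gpgconf >/dev/null 2>&1 || return 1
    GPG_TTY=$(tty 2>/dev/null) || return 1
    export GPG_TTY
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
    export SSH_AUTH_SOCK
    gpg-connect-agent updatestartuptty /bye >/dev/null
}

# The ssh-agent protocol carries no tty information, so the agent only knows
# the tty that last ran updatestartuptty. Re-register on every ssh call;
# otherwise a prompt started from a second terminal lands on the first one.
ssh() {
    gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1
    command ssh "$@"
}
```

After `configure_gpg_agent` has been run once, the agent must be restarted (`gpgconf --kill gpg-agent`) for the new options to take effect; `use_gpg_agent_for_ssh` then belongs in the interactive shell startup file, and `ssh-add -L` should list the authentication subkey. The same tty limitation applies when forwarding the agent socket with `ssh -R`: whatever prompt the remote side triggers is drawn on the local tty registered with the local agent.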