[HELP] pinentry-curses breaks SSH auth, but pinentry-mac works fine?

Peter Lebbing peter at digitalbrains.com
Thu Jul 13 12:50:22 CEST 2017

On 13/07/17 09:29, Ryan Lue wrote:
> 1) I keep my dotfiles synced between multiple machines, and so try my
>    best to keep them platform-agnostic when I can. There are definitely
>    times when I can use conditionals to get different behavior on
>    different machines (like `if [ "$(uname)" = Darwin ]` in `.profile`),
>    but I don't even know if it's possible to set up `gpg-agent.conf` to
>    use `pinentry-mac` on one machine but `pinentry-gtk` on another.

Note how Debian handles system-wide, system-specific pinentry alternatives:

/etc/alternatives/pinentry -> /usr/bin/pinentry-gtk-2
/etc/alternatives/pinentry-x11 -> /usr/bin/pinentry-gtk-2
/usr/bin/pinentry -> /etc/alternatives/pinentry
/usr/bin/pinentry-x11 -> /etc/alternatives/pinentry-x11

If you use just "pinentry" or "pinentry-x11", you then use the
alternatives system to select a specific one:

--8<---------------cut here---------------start------------->8---
# update-alternatives --config pinentry
There are 2 choices for the alternative pinentry (providing

  Selection    Path                      Priority   Status
* 0            /usr/bin/pinentry-gtk-2    85        auto mode
  1            /usr/bin/pinentry-curses   50        manual mode
  2            /usr/bin/pinentry-gtk-2    85        manual mode

Press enter to keep the current choice[*], or type selection number:
--8<---------------cut here---------------end--------------->8---

It might give you an idea how to do it for you. I suspect it might even
work if you wrap your pinentry in a shell script using if [ "$(uname)"
but it lacks elegance.

> 2) I chanced upon this presentation from a 2015 conference where the
>    presenter describes a setup for being able to ssh into a machine and
>    use its private keys locally by forwarding the remote machine's
>    gpg-agent socket to a local socket (slides 57–61 of 62):
>    https://2015.rmll.info/IMG/pdf/an-advanced-introduction-to-gnupg.pdf
>    and I imagine that just wouldn't work if you had graphical pinentry
>    on the remote machine.

You could also use SSH's X forwarding. I haven't tried that, though.

> There were a lot of strong opinions being thrown around that thread. I
> suspect that a lot of people believe that taking an unconventional
> approach to security is tantamount to opposing best practices.

Hmmm, an understandable knee-jerk response. Knees don't always do your
best thinking, though.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170713/2b2f79b7/attachment.sig>

More information about the Gnupg-users mailing list