[HELP] pinentry-curses breaks SSH auth, but pinentry-mac works fine?
Peter Lebbing
peter at digitalbrains.com
Thu Jul 13 12:50:22 CEST 2017
On 13/07/17 09:29, Ryan Lue wrote:
> 1) I keep my dotfiles synced between multiple machines, and so try my
> best to keep them platform-agnostic when I can. There are definitely
> times when I can use conditionals to get different behavior on
> different machines (like `if [ "$(uname)" = Darwin ]` in `.profile`),
> but I don't even know if it's possible to set up `gpg-agent.conf` to
> use `pinentry-mac` on one machine but `pinentry-gtk` on another.
Note how Debian handles system-wide, system-specific pinentry alternatives:
/etc/alternatives/pinentry -> /usr/bin/pinentry-gtk-2
/etc/alternatives/pinentry-x11 -> /usr/bin/pinentry-gtk-2
/usr/bin/pinentry -> /etc/alternatives/pinentry
/usr/bin/pinentry-curses
/usr/bin/pinentry-gtk-2
/usr/bin/pinentry-x11 -> /etc/alternatives/pinentry-x11
If you use just "pinentry" or "pinentry-x11", you then use the
alternatives system to select a specific one:
--8<---------------cut here---------------start------------->8---
# update-alternatives --config pinentry
There are 2 choices for the alternative pinentry (providing
/usr/bin/pinentry).
  Selection    Path                       Priority   Status
------------------------------------------------------------
* 0            /usr/bin/pinentry-gtk-2    85         auto mode
  1            /usr/bin/pinentry-curses   50         manual mode
  2            /usr/bin/pinentry-gtk-2    85         manual mode
Press enter to keep the current choice[*], or type selection number:
--8<---------------cut here---------------end--------------->8---
It might give you an idea how to do it for you. I suspect it might even
work if you wrap your pinentry in a shell script using if [ "$(uname)"
but it lacks elegance.
> 2) I chanced upon this presentation from a 2015 conference where the
> presenter describes a setup for being able to ssh into a machine and
> use its private keys locally by forwarding the remote machine's
> gpg-agent socket to a local socket (slides 57–61 of 62):
>
> https://2015.rmll.info/IMG/pdf/an-advanced-introduction-to-gnupg.pdf
>
> and I imagine that just wouldn't work if you had graphical pinentry
> on the remote machine.
You could also use SSH's X forwarding. I haven't tried that, though.
> There were a lot of strong opinions being thrown around that thread. I
> suspect that a lot of people believe that taking an unconventional
> approach to security is tantamount to opposing best practices.
Hmmm, an understandable knee-jerk response. Knees don't always do your
best thinking, though.
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
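A wrapper script of the kind Peter suggests, added here as an example (it is not code from the thread or from GnuPG). It assumes pinentry-mac is installed at /usr/local/bin/pinentry-mac, the Debian paths listed above for pinentry-gtk-2 and pinentry-curses, and that gpg-agent.conf points at the wrapper by absolute path with `pinentry-program`; the Darwin-over-SSH rule and the SSH_CONNECTION check are my additions, not something the thread states.

```shell
#!/bin/sh
# Platform-aware pinentry wrapper (added example, not from the thread).
# Install as ~/bin/pinentry and reference it from gpg-agent.conf, e.g.
#   pinentry-program /home/you/bin/pinentry
# Assumed binary locations: pinentry-mac in /usr/local/bin (macOS),
# pinentry-gtk-2 and pinentry-curses in /usr/bin (Debian).

# choose_pinentry OS DISPLAY SSH_CONNECTION -> prints the binary to run.
# Rules: a local macOS session gets pinentry-mac; anything with a DISPLAY
# (including SSH with X forwarding) gets the GTK pinentry; a session with
# no display to draw on, such as a plain SSH login, falls back to curses.
# A macOS box reached over SSH also falls back to curses, since a GUI
# prompt would appear on the Mac's console rather than in the SSH session.
choose_pinentry() {
    cp_os=$1
    cp_display=$2
    cp_ssh=$3
    case "$cp_os" in
        Darwin)
            if [ -z "$cp_ssh" ]; then
                echo /usr/local/bin/pinentry-mac
            else
                echo /usr/bin/pinentry-curses
            fi ;;
        *)
            if [ -n "$cp_display" ]; then
                echo /usr/bin/pinentry-gtk-2
            else
                echo /usr/bin/pinentry-curses
            fi ;;
    esac
}

# Only hand over to the real pinentry when invoked under the name
# gpg-agent was configured with; under any other name (e.g. sourced for
# testing) the script just defines the function above.  All arguments
# gpg-agent passes (such as --ttyname for curses) and the Assuan protocol
# on stdin/stdout go straight through to the chosen pinentry.
case "${0##*/}" in
    pinentry|pinentry-wrapper)
        exec "$(choose_pinentry "$(uname)" "${DISPLAY:-}" "${SSH_CONNECTION:-}")" "$@" ;;
esac
```

For the curses fallback to work, the calling gpg session still has to export GPG_TTY, as the GnuPG documentation requires.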