[HELP] pinentry-curses breaks SSH auth, but pinentry-mac works fine?

Ryan Lue hello at ryanlue.com
Fri Jun 30 05:54:46 CEST 2017


Hello,

I have struggled with getting GPG keys to work for SSH authentication
for the better part of two days. I'm almost completely there, and would
like to ask gnupg-users' help in understanding this one last quirk.

To be brief, I have gpg-agent set up with ssh support enabled. I'm using an authentication-only subkey for SSH authentication.

If I _don't_ set a password on this subkey, I can log into my SSH
servers no problem. This is what I'm doing right now, because my
security needs are not very strict. It's when I _do_ set a password that
I run into problems.

Basically, there are two ways that I have figured out to get it to work:
I can use the `pinentry-mac` GUI pinentry program, and everything works
fine. Or, I can set `allow-preset-passphrase` and then manually cache
the passphrase up front with `gpg-preset-passphrase`. (Only, that's
problematic because it can't be automated without storing the passphrase
in cleartext.)

But for some reason, it just doesn't work with `pinentry-curses`: SSH
(GPG) key authentication fails silently, and the server falls back to
password authentication. (I have made sure to set `$GPG_TTY`, so
`pinentry-curses` works just fine for everything else, just not SSH
authentication. For instance, I can `echo hello | gpg -s` and I'll get
the pinentry password prompt in the terminal.)

So, why can't I use `pinentry-curses` for SSH authentication? Does it
have something to do with the `$GPG_TTY` environment variable not being
set on the SSH server? Any insight or clues on how to troubleshoot this
problem would be deeply appreciated.

(FWIW, I'm on Mac OS 10.11 El Capitan with GnuPG 2.1.21 and pinentry
1.0.0, both installed via Homebrew. And yes, I'm making the necessary
changes to the `pinentry-program` setting in `~/.gnupg/gpg-agent.conf`
when testing these alternatives.)

—Ryan

P.S. I've posted a guide on my blog with a comprehensive rundown of the
steps I took to get it all set up — that might be able to clarify any
questions you might have about my configuration:

http://ryanlue.com/posts/2017-06-29-gpg-for-ssh-auth

If Werner is interested, I think the official website could really use
some friendlier Getting Started guides, and I'd be happy to contribute.
I posted my guide on /r/linux, and you'd be surprised at how many people
thought ssh authentication via gpg was an “unconventional hack”.
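The three things gpg-agent's SSH support hinges on in a setup like the one described above are the `gpg-agent.conf` directives, `SSH_AUTH_SOCK` pointing at gpg-agent's own socket rather than ssh-agent's, and the agent knowing which tty a curses pinentry may draw on. The script below is an added example, not the poster's configuration or anything from GnuPG itself: it audits those prerequisites against constructed config files, and the Homebrew pinentry path, socket path and tty name it uses are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's files): audit the prerequisites that
# gpg-agent's SSH support depends on, using constructed gpg-agent.conf files.
# Paths and sample contents below are assumptions made for the example.

# check_agent_conf FILE
# Returns 0 when FILE both enables ssh support and names a pinentry program;
# otherwise prints what is missing and returns 1.
check_agent_conf() {
    conf="$1"
    status=0
    if ! grep -Eq '^[[:space:]]*enable-ssh-support([[:space:]]|$)' "$conf"; then
        echo "missing: enable-ssh-support in $conf"
        status=1
    fi
    if ! grep -Eq '^[[:space:]]*pinentry-program[[:space:]]+[^[:space:]]' "$conf"; then
        echo "missing: pinentry-program in $conf"
        status=1
    fi
    return $status
}

# check_auth_sock PATH
# Returns 0 when PATH looks like gpg-agent's SSH socket (S.gpg-agent.ssh),
# which is what SSH_AUTH_SOCK must point at for ssh to talk to gpg-agent
# instead of a plain ssh-agent. On a GnuPG 2.1 system
# `gpgconf --list-dirs agent-ssh-socket` prints the real location.
check_auth_sock() {
    case "$1" in
        */S.gpg-agent.ssh) return 0 ;;
        *) echo "SSH_AUTH_SOCK is '$1', not gpg-agent's ssh socket"; return 1 ;;
    esac
}

# check_gpg_tty VALUE
# Returns 0 when VALUE (the contents of $GPG_TTY) is a terminal device path.
# A curses pinentry can only draw on a tty the agent knows about. The
# ssh-agent protocol carries no tty information, so for ssh requests the
# agent uses the tty it recorded at startup; exporting GPG_TTY and running
# `gpg-connect-agent updatestartuptty /bye` in the interactive shell
# refreshes that record.
check_gpg_tty() {
    case "$1" in
        /dev/*) return 0 ;;
        *) echo "GPG_TTY is not set to a terminal device"; return 1 ;;
    esac
}

# Demonstration on constructed config files (not the poster's).
demo() {
    tmp=$(mktemp -d)
    # Broken: ssh support on, but no pinentry named.
    printf 'enable-ssh-support\n' > "$tmp/broken.conf"
    # Fixed: curses pinentry named explicitly (Homebrew path assumed).
    printf 'enable-ssh-support\npinentry-program /usr/local/bin/pinentry-curses\n' \
        > "$tmp/fixed.conf"
    check_agent_conf "$tmp/broken.conf" || echo "broken.conf: FAIL"
    check_agent_conf "$tmp/fixed.conf"  && echo "fixed.conf: OK"
    check_auth_sock "/Users/example/.gnupg/S.gpg-agent.ssh" && echo "SSH_AUTH_SOCK: OK"
    check_gpg_tty "/dev/ttys001" && echo "GPG_TTY: OK"
    rm -rf "$tmp"
}

demo
```

Run it as `sh audit.sh`; in a real shell you would pass `"$HOME/.gnupg/gpg-agent.conf"`, `"$SSH_AUTH_SOCK"` and `"$GPG_TTY"` to the three functions instead of the constructed values in `demo`. The script only reads and reports; it changes nothing.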