[HELP] pinentry-curses breaks SSH auth, but pinentry-mac works fine?

Peter Lebbing peter at digitalbrains.com
Fri Jun 30 18:29:41 CEST 2017


On 30/06/17 05:54, Ryan Lue wrote:
> Does it have something to do with the `$GPG_TTY` environment variable
> not being set on the SSH server?

Almost; it has to do with the GPG_TTY variable not being communicated to
the agent.  The agent does not know on which tty the request for a
pinentry is made. To use a text mode pinentry with SSH, you need to invoke:

$ gpg-connect-agent updatestartuptty /bye

on the tty where you'll be SSH'ing (or some variation, this one is
pretty succinct). Otherwise the pinentry will pop up on the tty where
you did that last, or the tty that started the agent if you never did
it. That tty might not exist, not exist anymore, or be in a surprising
location.

It would be really good if the SSH agent protocol would be extended to
communicate on which tty a request comes in. Without updates to the SSH
protocol, there is simply no way to know where it comes from.

However, I think many people work around this problem by a) using a
graphical pinentry and b) using a single graphical session. As long as
one also refrains from SSH'ing from a remote terminal, with the
combination, you've circumvented the problem by just using the
effectively singleton graphical session :-).

> I posted my guide on /r/linux, and you'd be surprised at how many
> people thought ssh authentication via gpg was an “unconventional
> hack”.

That is a surprising characterization. Do they also think this of the
GNOME and KDE SSH agents, to name two? I suspect those two are much more
widely used, which might eliminate the qualification "unconventional",
but that still begs, why "hack"?

I'd wager that this problem also occurs with the GNOME and KDE SSH
agents, if you for instance share a "screen" session with a Linux
virtual terminal (which would take care of sharing SSH_AGENT). My guess
is if you SSH from the virtual terminal, it'll freeze while your
"swapped out" graphical session invisibly prompts you to enter your
passphrase. But I haven't tried it.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
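A small shell helper that automates the `updatestartuptty` step described above, added here as an example and not part of Peter's message or GnuPG's own tooling; the function names, the optional tty argument (so it can be exercised without a terminal) and the `--no-autostart` choice are my own assumptions.

```shell
# gpg_tty_refresh: point the running gpg-agent at the current terminal so a
# text-mode pinentry (e.g. pinentry-curses) appears here rather than on the
# tty that started the agent. An optional first argument overrides the tty
# (hypothetical convenience so the function can run without a terminal).
gpg_tty_refresh() {
    tty_path="${1:-$(tty 2>/dev/null)}"
    case "$tty_path" in
        /dev/*) ;;
        *) echo "gpg_tty_refresh: no controlling tty, skipping" >&2; return 1 ;;
    esac
    # GPG_TTY is what gpg-agent reads when told to update its startup tty.
    GPG_TTY="$tty_path"
    export GPG_TTY
    # Ask the agent to use this tty for future pinentry prompts.
    # --no-autostart: do not spawn an agent just to update it; if none is
    # running there is nothing to update yet.
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        gpg-connect-agent --no-autostart updatestartuptty /bye >/dev/null 2>&1 || true
    fi
    return 0
}

# ssh wrapper: refresh the agent's idea of the tty before every connection,
# so the passphrase prompt lands on the terminal you are typing in.
ssh_via_gpg_agent() {
    gpg_tty_refresh || true
    command ssh "$@"
}
```

Source this from your shell startup file and use `ssh_via_gpg_agent` (or alias `ssh` to it) on the terminal you connect from.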
