[HELP] pinentry-curses breaks SSH auth, but pinentry-mac works fine?

Guilhem Moulin guilhem at fripost.org
Fri Jun 30 19:03:18 CEST 2017

On Fri, 30 Jun 2017 at 18:29:41 +0200, Peter Lebbing wrote:
> It would be really good if the SSH agent protocol would be extended to
> communicate on which tty a request comes in. Without updates to the SSH
> protocol, there is simply no way to know where it comes from.

I also hope some day this will happen :-)
> However, I think many people work around this problem by a) using a
> graphical pinentry and b) using a single graphical session. As long as
> one also refrains from SSH'ing from a remote terminal, with the
> combination, you've circumvented the problem by just using the
> effectively singleton graphical session :-).

Another other (somewhat ugly) hack is to define a ProxyCommand in your
ssh_config(5) file.

    ProxyCommand sh -c 'gpg-connect-agent updatestartuptty /bye >/dev/null && nc "$0" "$1"' %h %p

That one is particularly ugly as children are kept alive during the whole
time of the SSH session (and file descriptors are wasted for the pipe
and the socket):

    ssh example.net
      └─sh -c gpg-connect-agent updatestartuptty /bye >/dev/null && nc "$0" "$1" example.net 22
          └─nc odin.guilhem.org 22

With recent OpenSSH and OpenBSD's implementation of nc(1)
(netcat-openbsd package on Debian) it's possible to have the
ProxyCommand pass the connected socket back to ssh and exit, so there is
no wasted ressource during the session:

    ProxyCommand sh -c 'gpg-connect-agent updatestartuptty /bye >/dev/null && nc -F "$0" "$1"' %h %p
    ProxyUseFDpass yes

Still, it's unfortunate to have to fork a shell just for that.  I wrote
a little C wrapper (to call the Assuan command, connect to the remote
host, pass the descriptor, and exit) some time ago, but clearly the
proper fix is to extend the SSH agent protocol.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: </pipermail/attachments/20170630/028ec1f5/attachment.sig>

More information about the Gnupg-users mailing list