SSH and gpg2: pinentry errors hidden from view, agent refused operation

Lars Noodén lars.nooden at gmx.com
Thu Dec 30 15:38:47 CET 2021


Hello,

I have used GnuPG2 v2.2.19 [1] to create an authentication RSA subkey
for use with SSH.  At one point, I got past pinentry's blocking of the
use of the private key and successfully logged in via SSH to the server
from the one session.  In order to test my notes (as I usually do) I
erased everything and started over with a newly created client-side
account and updated authorized_keys on the server.  Some step is missing
and I cannot figure out how to get pinentry involved to make the key
available for the SSH client to use again.

What else is needed to get pinentry invoked so that the SSH client can
connect using the GnuPG RSA key?

At this point the public key is visible in the SSH agent:

  $ ssh-add -l
  3072 SHA256:j0V4cVzC...NKQPA (none) (RSA)

and the public key has been saved in the default file:

  $ ssh-add -L > ~/.ssh/id_rsa

and the SSH client seems to offer the public key to the server,

  $ time ssh -v server.example.org
  ...
  debug1: Next authentication method: publickey
  debug1: Offering public key: (none) RSA SHA256:j0V4cVzC...NKQPA agent
  debug1: Server accepts key: (none) RSA SHA256:j0V4cVzC...NKQPA agent
  sign_and_send_pubkey: signing failed for RSA "/home/lars/.ssh/id_rsa"
         from agent: agent refused operation
  ...
  debug1: Trying private key: /home/lars/.ssh/id_xmss
  debug1: No more authentication methods to try.
  debug1: Next authentication method: keyboard-interactive
  Connection closed by server.example.org port 22
  ssh -v server.example.org 0.00s user 0.00s system 0% cpu 2:05.81 total

The contents of gpg-agent.conf and gpg.conf are as follows:

  $ cat ~/.gnupg/gpg-agent.conf
  pinentry-program /usr/bin/pinentry-curses
  enable-ssh-support
  allow-loopback-pinentry

  $ cat ~/.gnupg/gpg.conf
  use-agent
  pinentry-mode loopback

I have set $GPG_TTY and $SSH_AUTH_SOCK:

  $ export GPG_TTY=$(tty)
  $ gpg-connect-agent updatestartuptty /bye >/dev/null

  $ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

  $ gpg-agent status /bye
  gpg-agent[48580]: gpg-agent running and available

What else should I add, change, or read to get past the barrier of pinentry?

/Lars

[1]
  $ apt-cache policy gnupg2  | head -n 2
  gnupg2:
    Installed: 2.2.19-3ubuntu2.1

  $ gpg2 --version | head -n 2
  gpg (GnuPG) 2.2.19
  libgcrypt 1.8.5

  $ lsb_release -rd
  Description:    Linux Mint 20.2
  Release:        20.2

  $ uname -prs
  Linux 5.4.0-91-generic x86_64
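A small diagnostic script, added here as an example and not part of Lars's post or of GnuPG itself, that checks the prerequisites the setup above relies on (enable-ssh-support in gpg-agent.conf, an executable pinentry-program, SSH_AUTH_SOCK pointing at gpg-agent's ssh socket, GPG_TTY set) using only files and values passed in as arguments, so it runs without gpg installed. The function and message names are my own; passing every check narrows the search but does not by itself prove why the agent refused the signing operation.

```shell
#!/bin/sh
# check_gpg_ssh_setup AGENT_CONF AUTH_SOCK EXPECTED_SOCK GPG_TTY_VALUE
#   AGENT_CONF    path to ~/.gnupg/gpg-agent.conf
#   AUTH_SOCK     current value of $SSH_AUTH_SOCK
#   EXPECTED_SOCK output of `gpgconf --list-dirs agent-ssh-socket`
#   GPG_TTY_VALUE current value of $GPG_TTY
# Prints one line per problem found; returns 0 when nothing was found, 1 otherwise.
check_gpg_ssh_setup() {
    agent_conf=$1 auth_sock=$2 expected_sock=$3 gpg_tty=$4
    problems=0

    # 1. gpg-agent only speaks the ssh-agent protocol when this option is present.
    if ! grep -qx 'enable-ssh-support' "$agent_conf" 2>/dev/null; then
        echo "missing: enable-ssh-support in $agent_conf"
        problems=$((problems + 1))
    fi

    # 2. The configured pinentry must exist and be executable; if gpg-agent cannot
    #    start it, every signing request from ssh fails with "agent refused operation".
    pinentry=$(sed -n 's/^pinentry-program[[:space:]]*//p' "$agent_conf" 2>/dev/null | head -n 1)
    if [ -n "$pinentry" ] && [ ! -x "$pinentry" ]; then
        echo "pinentry-program not executable: $pinentry"
        problems=$((problems + 1))
    fi

    # 3. ssh talks to whatever SSH_AUTH_SOCK names; a leftover ssh-agent socket from
    #    the desktop session silently takes gpg-agent's place.
    if [ "$auth_sock" != "$expected_sock" ]; then
        echo "SSH_AUTH_SOCK ($auth_sock) is not gpg-agent's socket ($expected_sock)"
        problems=$((problems + 1))
    fi

    # 4. pinentry-curses needs a terminal to draw on; gpg-agent learns it from GPG_TTY
    #    (and from `gpg-connect-agent updatestartuptty /bye`).
    if [ -z "$gpg_tty" ]; then
        echo "GPG_TTY is unset; pinentry-curses has no terminal to use"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}
```

Run it from the same shell in which you will start ssh, e.g. `check_gpg_ssh_setup ~/.gnupg/gpg-agent.conf "$SSH_AUTH_SOCK" "$(gpgconf --list-dirs agent-ssh-socket)" "$GPG_TTY"`.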
