Using a GnuPG crypted RSA key for SSH

Matthias Apitz guru at
Thu May 2 10:33:15 CEST 2024

El día jueves, mayo 02, 2024 a las 08:17:58 +0200, Werner Koch via Gnupg-users escribió:

> ...
> On Linux take care to add "enable-ssh-support" to gpg-agent.conf because
> on some distros the X config greps for this to decide whether to start
> the ssh-agent or leave this to gpg-agent.  Technically the ssh support is
> always enabled and thus the option is not really required.

I have this working now already up the point that ssh asks the gpg-agent
to unlock the card and ask for the PIN to do so. But this is failing
because gpg-agent uses:

$ grep pinentry
4692  execve("/usr/bin/pinentry", ["pinentry", "--display", ":0"], 0xffffa8004be0 /* 41 vars */) = 0
which fails with an unsupported ioctl to fd=0

while a command 'gpg -d foo.asc' works fine, and here gpg-agent uses

$ grep pinentry
4997  read(10, "OPTION allow-pinentry-notify\n", 1002) = 29
4997  write(7, "chan_10 <- OPTION allow-pinentry"..., 40) = 40
5001  execve("/usr/bin/pinentry", ["pinentry"], 0xffffa80016d0 /* 41 vars */) = 0

i.e. the pinentry command without --display ...

my config file for gpg-agent look as:

$ cat .gnupg/gpg-agent.conf
debug ipc
log-file /tmp/gpg-agent-debug.log
max-cache-ttl 1
# pinentry-program /usr/bin/pinentry

I tried to play with the config value of pinentry-program without luck.
The environment of the gpg-agent contains:

GPG_TTY=not a tty

Any idea how to get gpg-agent asking correctly for the PIN?


Matthias Apitz, ✉ guru at, +49-176-38902045
Public GnuPG key:

I am not at war with Russia.  Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

More information about the Gnupg-users mailing list