Using a GnuPG crypted RSA key for SSH
Matthias Apitz
guru at unixarea.de
Thu May 2 10:33:15 CEST 2024
On Thursday, May 02, 2024 at 08:17:58 +0200, Werner Koch via Gnupg-users wrote:
> ...
> On Linux take care to add "enable-ssh-support" to gpg-agent.conf because
> on some distros the X config greps for this to decide whether to start
> the ssh-agent or leave this to gpg-agent. Technically the ssh support is
> always enabled and thus the option is not really required.
I have this working now already, up to the point that ssh asks gpg-agent
to unlock the card and asks for the PIN to do so. But this is failing
because gpg-agent uses:
$ grep pinentry agent.tr
4692 execve("/usr/bin/pinentry", ["pinentry", "--display", ":0"], 0xffffa8004be0 /* 41 vars */) = 0
which fails with an unsupported ioctl to fd=0
while a command 'gpg -d foo.asc' works fine, and here gpg-agent uses
$ grep pinentry agent-gpg.tr
4997 read(10, "OPTION allow-pinentry-notify\n", 1002) = 29
4997 write(7, "chan_10 <- OPTION allow-pinentry"..., 40) = 40
5001 execve("/usr/bin/pinentry", ["pinentry"], 0xffffa80016d0 /* 41 vars */) = 0
i.e. the pinentry command without --display ...
My config file for gpg-agent looks like this:
$ cat .gnupg/gpg-agent.conf
enable-ssh-support
debug-pinentry
debug ipc
log-file /tmp/gpg-agent-debug.log
max-cache-ttl 1
# pinentry-program /usr/bin/pinentry
I tried to play with the config value of pinentry-program without luck.
The environment of the gpg-agent contains:
GNUPGHOME=/home/purism/.gnupg
GPG_TTY=not a tty
Any idea how to get gpg-agent asking correctly for the PIN?
matthias
--
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia.
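As an added example, not part of the post above or of GnuPG's own documentation: a small POSIX shell script showing the client-side wiring for using gpg-agent as the SSH agent. It sets GPG_TTY only when stdin really is a terminal (the post's agent environment carries the literal string "not a tty", which is what `tty` prints when run without a terminal), writes a gpg-agent.conf with an explicit pinentry-program, points SSH_AUTH_SOCK at the agent's SSH socket, and tells the running agent which tty to use via `gpg-connect-agent updatestartuptty /bye`. The pinentry path, the decision to overwrite gpg-agent.conf, and the gating variable GPG_SSH_SETUP_RUN are assumptions of this example, not anything the post states.

```shell
#!/bin/sh
# Added example (not from the original post): wiring gpg-agent as the SSH
# agent with an explicit pinentry and a sane GPG_TTY.
#
# Assumptions (not from the post): the pinentry path used below, that
# overwriting gpg-agent.conf is acceptable, and GPG_SSH_SETUP_RUN, which
# only gates this example's own top-level run.

# Derive the value to export as GPG_TTY from the output of `tty`.
# `tty` prints "not a tty" (and exits non-zero) when stdin is not a
# terminal; exporting that string gives pinentry nothing usable, so
# return an empty string in that case and let the caller skip the export.
gpg_tty_from() {
    case "$1" in
        "not a tty"|"") printf '' ;;
        *) printf '%s' "$1" ;;
    esac
}

# Write a minimal gpg-agent.conf to the path in $1 naming an explicit
# pinentry program ($2, default is an assumed path; adjust per distro).
write_agent_conf() {
    conf="$1"
    pinentry="${2:-/usr/bin/pinentry-gtk-2}"
    cat > "$conf" <<EOF
enable-ssh-support
pinentry-program $pinentry
EOF
}

# Return 0 if the conf in $1 names a pinentry program, 1 otherwise.
conf_has_pinentry() {
    grep -q '^pinentry-program ' "$1"
}

# Interactive part: run from a real terminal session.
setup_gpg_ssh_env() {
    gpg_tty=$(gpg_tty_from "$(tty 2>/dev/null)")
    if [ -n "$gpg_tty" ]; then
        GPG_TTY=$gpg_tty; export GPG_TTY
    fi
    # Hand ssh the agent's SSH socket and drop any stale ssh-agent PID.
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket); export SSH_AUTH_SOCK
    unset SSH_AGENT_PID
    # Tell the already running gpg-agent which tty/display pinentry should use.
    gpg-connect-agent updatestartuptty /bye >/dev/null
    # Keys the agent offers to ssh; the card key should appear here.
    ssh-add -L
}

if [ "${GPG_SSH_SETUP_RUN:-0}" = 1 ]; then
    write_agent_conf "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    gpgconf --reload gpg-agent
    setup_gpg_ssh_env
fi
```

Run it as `GPG_SSH_SETUP_RUN=1 sh setup.sh` from an interactive terminal; without that variable it only defines the functions. Pick the pinentry variant that matches where the PIN prompt should appear (a curses pinentry needs a real tty, a GUI one needs DISPLAY or WAYLAND_DISPLAY), and remember that `updatestartuptty` must be re-run from each new session the agent should prompt in.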