SSH and gpg2: pinentry errors hidden from view, agent refused operation
Hello,

I have used GnuPG2 v2.2.19 [1] to create an authentication RSA subkey
for use with SSH. At one point, I got past pinentry's blocking of the
use of the private key and successfully logged in via SSH to the server
from the one session. In order to test my notes (as I usually do) I
erased everything and started over with a newly created client-side
account and updated authorized_keys on the server. Some step is missing
and I cannot figure out how to get pinentry involved to make the key
available for the SSH client to use again.

What else is needed to get pinentry invoked so that the SSH client can
connect using the GnuPG RSA key?

At this point the public key is visible in the SSH agent:

$ ssh-add -l
3072 SHA256:j0V4cVzC...NKQPA (none) (RSA)

and the public key has been saved in the default file:

$ ssh-add -L > ~/.ssh/id_rsa

and the SSH client seems to offer the public key to the server,

$ time ssh -v server.example.org
...
debug1: Next authentication method: publickey
debug1: Offering public key: (none) RSA SHA256:j0V4cVzC...NKQPA agent
debug1: Server accepts key: (none) RSA SHA256:j0V4cVzC...NKQPA agent
sign_and_send_pubkey: signing failed for RSA "/home/lars/.ssh/id_rsa"
from agent: agent refused operation
...
debug1: Trying private key: /home/lars/.ssh/id_xmss
debug1: No more authentication methods to try.
debug1: Next authentication method: keyboard-interactive
Connection closed by server.example.org port 22
ssh -v server.example.org 0.00s user 0.00s system 0% cpu 2:05.81 total

The contents of gpg-agent.conf and gpg.conf are as follows:

$ cat ~/.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-curses
enable-ssh-support
allow-loopback-pinentry

$ cat ~/.gnupg/gpg.conf
use-agent
pinentry-mode loopback

I have set $GPG_TTY and $SSH_AUTH_SOCK

$ export GPG_TTY=$(tty)
$ gpg-connect-agent updatestartuptty /bye >/dev/null

$ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

$ gpg-agent status /bye
gpg-agent[48580]: gpg-agent running and available

What else should I add, change, or read to get past the barrier of pinentry?

/Lars

[1] $ apt-cache policy gnupg2 | head -n 2
gnupg2:
Installed: 2.2.19-3ubuntu2.1

$ gpg2 --version | head -n 2
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5

$ lsb_release -rd
Description: Linux Mint 20.2
Release: 20.2

$ uname -prs
Linux 5.4.0-91-generic x86_64

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
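The post checks several things by hand (the agent socket, the agent configuration, the keygrip in sshcontrol). The following script, which is an added example and not part of the thread or of GnuPG, turns those checks into small shell functions that can be run against a real setup or, as here, against constructed sample data. The keygrips, key IDs and file names in it are made up. Two points the functions rely on: an ssh client speaks the ssh-agent protocol to gpg-agent directly, so `pinentry-mode loopback` in gpg.conf (a gpg front-end option) does not affect ssh requests, and gpg-agent only serves a key over that socket if its keygrip is listed, and not `!`-disabled, in `~/.gnupg/sshcontrol`.

```shell
#!/bin/sh
# Added diagnostic helpers for a gpg-agent-as-ssh-agent setup.
# Not from the mailing-list thread; all sample data below is constructed.

# Does SSH_AUTH_SOCK point at gpg-agent's ssh socket?
# Real call: check_sock "$SSH_AUTH_SOCK" "$(gpgconf --list-dirs agent-ssh-socket)"
check_sock() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# gpg-agent.conf must carry an uncommented enable-ssh-support line,
# otherwise no ssh socket is served at all.
check_agent_conf() {
    grep -Eq '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$1"
}

# Print the keygrips of authentication-capable subkeys from a colon
# listing on stdin. Real call:
#   gpg -K --with-colons --with-keygrip | auth_keygrips
# Field 12 of an ssb record is its capability string ("a" = auth);
# the grp record that follows carries the keygrip in field 10.
auth_keygrips() {
    awk -F: '
        $1 == "sec" || $1 == "pub" || $1 == "sub" { want = 0 }
        $1 == "ssb" { want = (index($12, "a") > 0) }
        $1 == "grp" && want { print $10; want = 0 }
    '
}

# Is KEYGRIP ($2) listed in sshcontrol ($1) and not commented out ("#")
# or disabled ("!" prefix)?
check_sshcontrol() {
    grep -Eiq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# Constructed colon listing: primary [SC], an [E] subkey and an [A] subkey.
# Key IDs and keygrips are invented for the example.
SAMPLE_LISTING='sec:u:3072:1:0123456789ABCDEF:1640000000:::u:::scESC:::+:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1640000000::0000000000000000000000000000000000000000::Example <user@example.org>::::::::::0:
ssb:u:3072:1:FEDCBA9876543210:1640000000::::::e:::+:::23:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:3072:1:0011223344556677:1640000000::::::a:::+:::23:
grp:::::::::3333333333333333333333333333333333333333:'

# Stand-alone demonstration on constructed files in a temporary directory.
demo() {
    dir=$(mktemp -d)
    printf 'pinentry-program /usr/bin/pinentry-curses\nenable-ssh-support\n' > "$dir/gpg-agent.conf"
    grip=$(printf '%s\n' "$SAMPLE_LISTING" | auth_keygrips)
    printf '# constructed sshcontrol\n%s 0\n' "$grip" > "$dir/sshcontrol"
    check_agent_conf "$dir/gpg-agent.conf" && echo "enable-ssh-support: ok"
    echo "authentication subkey keygrip: $grip"
    check_sshcontrol "$dir/sshcontrol" "$grip" && echo "sshcontrol lists it: ok"
    rm -rf "$dir"
}

demo
```

In real use, replace the sample listing with the output of `gpg -K --with-colons --with-keygrip` and point `check_sshcontrol` at `~/.gnupg/sshcontrol`; a keygrip that is absent or `!`-prefixed there is enough for gpg-agent to refuse a signing request even though `ssh-add -l` has been told about the key.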
Re: SSH and gpg2: pinentry errors hidden from view, agent refused operation
On Thursday, 30 December 2021 15:38:47 CET Lars Noodén via Gnupg-users
wrote:
> What else is needed to get pinentry invoked so that the SSH client can
> connect using the GnuPG RSA key?
>
> At this point the public key is visible in the SSH agent:
>
> $ ssh-add -l
> 3072 SHA256:j0V4cVzC...NKQPA (none) (RSA)
>
> and the public key has been saved in the default file:
>
> $ssh-add -L > ~/.ssh/id_rsa

The file ~/.ssh/id_rsa usually contains the secret key. The corresponding
public key is usually in the file called ~/.ssh/id_rsa.pub. I'm not sure
whether this confuses ssh. Maybe it tries to interpret your public key as
secret key.

Regards,
Ingo
Re: SSH and gpg2: pinentry errors hidden from view, agent refused operation
On 12/30/21 17:44, Ingo Klöcker wrote:
> On Thursday, 30 December 2021 15:38:47 CET Lars Noodén via Gnupg-users
> wrote:
>> What else is needed to get pinentry invoked so that the SSH client can
>> connect using the GnuPG RSA key?
>>
>> At this point the public key is visible in the SSH agent:
>>
>> $ ssh-add -l
>> 3072 SHA256:j0V4cVzC...NKQPA (none) (RSA)
>>
>> and the public key has been saved in the default file:
>>
>> $ssh-add -L > ~/.ssh/id_rsa
>
> The file ~/.ssh/id_rsa usually contains the secret key. The corresponding
> public key is usually in the file called ~/.ssh/id_rsa.pub. I'm not sure
> whether this confuses ssh. Maybe it tries to interpret your public key as
> secret key.
>
> Regards,
> Ingo

Sorry. That was a rekeying error, meant to avoid copy-paste errors :/
I have double checked and the public key is indeed in ~/.ssh/id_rsa as
it should be. Also, ~/.gnupg/sshcontrol is populated with the keygrip
which matches the authentication subkey.

/Lars