Help getting gtk or qt pinentry dialog forwarded over ssh connection
Hi

I have a very basic gnupg setup on a remote server, with the following options set for the gpg-agent. Please cc me on the replies since I have not subscribed.

#pinentry-program /usr/bin/pinentry-curses
#pinentry-program /usr/bin/pinentry-tty
#pinentry-program /usr/bin/pinentry-qt
#pinentry-program /usr/bin/pinentry-x11
#pinentry-program /usr/bin/pinentry-gnome3
# i have tried all the above pinentry programs
pinentry-program /usr/bin/pinentry-gtk-2
allow-loopback-pinentry
default-cache-ttl 14400
max-cache-ttl 14400
debug-pinentry
debug-level 1024

I have GPG_TTY=$(tty) set in my .bashrc. However, when I ssh in

ssh remote
gpg-connect-agent updatestartuptty /bye
gpg --decrypt

I always get a curses pinentry. My gnupg is version 2.2.12 on debian buster. Here is my log.

https://pastebin.com/APTRTJ5c

DBG: chan_9 -> OK Pleased to meet you, process 15072
DBG: chan_9 <- RESET
DBG: chan_9 -> OK
DBG: chan_9 <- OPTION ttyname=/dev/pts/1
DBG: chan_9 -> OK
DBG: chan_9 <- OPTION ttytype=xterm-256color
DBG: chan_9 -> OK
DBG: chan_9 <- OPTION display=localhost:11.0
DBG: chan_9 -> OK
DBG: chan_9 <- OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
DBG: chan_9 -> OK
DBG: chan_9 <- OPTION lc-ctype=en_US.UTF-8
DBG: chan_9 -> OK
DBG: chan_9 <- OPTION lc-messages=en_US.UTF-8
DBG: chan_9 -> OK
DBG: chan_9 <- GETINFO version
DBG: chan_9 -> D 2.2.12
DBG: chan_9 -> OK
DBG: chan_9 <- OPTION allow-pinentry-notify
DBG: chan_9 -> OK
DBG: chan_9 <- OPTION agent-awareness=2.1.0
DBG: chan_9 -> OK
DBG: chan_9 <- HAVEKEY <redacted>
DBG: chan_9 -> OK
DBG: chan_9 <- SETKEY <redacted>
DBG: chan_9 -> OK
DBG: chan_9 <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:
DBG: chan_9 -> OK
DBG: chan_9 <- PKDECRYPT
DBG: chan_9 -> S INQUIRE_MAXLEN 4096
DBG: chan_9 -> INQUIRE CIPHERTEXT
DBG: chan_9 <- [ redacted ]
DBG: chan_9 <- END
DBG: keygrip: redacted
DBG: cipher: redacted
DBG:
DBG:
sed for 30m)
DBG:
DBG:
ed cache key) ...
DBG:
Jan 23 21:03:04 mediaserver gpg-agent[15798]: starting a new PIN Entry
DBG: chan_11 <- OK Pleased to meet you, process 15798
DBG: connection to PIN entry established
DBG: chan_11 -> OPTION no-grab
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION ttyname=/dev/pts/1
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION ttytype=xterm-256color
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION lc-ctype=en_US.UTF-8
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION lc-messages=en_US.UTF-8
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION allow-external-password-cache
DBG: chan_11 <- OK Pleased to meet you, process 15798
DBG: connection to PIN entry established
DBG: chan_11 -> OPTION no-grab
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION ttyname=/dev/pts/1
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION ttytype=xterm-256color
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION lc-ctype=en_US.UTF-8
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION lc-messages=en_US.UTF-8
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION allow-external-password-cache
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION default-ok=_OK
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION default-cancel=_Cancel
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION default-yes=_Yes
DBG: chan_11 <- ERR 83886254 Unknown option <Pinentry>
DBG: chan_11 -> OPTION default-no=_No
DBG: chan_11 <- ERR 83886254 Unknown option <Pinentry>
DBG: chan_11 -> OPTION default-prompt=PIN:
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION default-pwmngr=_Save in password manager
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION default-cf-visi=Do you really want to make your passphrase visible on the screen?
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION default-tt-visi=Make passphrase visible
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION default-tt-hide=Hide passphrase
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION touch-file=/run/user/1000/gnupg/S.gpg-agent
DBG: chan_11 <- OK
DBG: chan_11 -> OPTION owner=15072 mediaserver
DBG: chan_11 <- OK
DBG: chan_11 -> GETINFO flavor
DBG: chan_11 <- D gtk2:curses
DBG: chan_11 <- OK
DBG: chan_11 -> GETINFO version
DBG: chan_11 <- D 1.1.0
DBG: chan_11 <- OK
DBG: chan_11 -> GETINFO ttyinfo
DBG: chan_11 <- D /dev/pts/1 xterm-256color -
DBG: chan_11 <- OK
DBG: chan_11 -> GETINFO pid
DBG: chan_11 <- D 15074
DBG: chan_11 <- OK
DBG: chan_9 -> INQUIRE PINENTRY_LAUNCHED 15074 gtk2:curses 1.1.0 /dev/pts/1 xterm-256color -
DBG: chan_9 <- END

Arjun

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Help getting gtk or qt pinentry dialog forwarded over ssh connection
On Sun, 23 Jan 2022 21:12, Arjun said:

> I have GPG_TTY=$(tty) set in my .bashrc. However, when I ssh in
>
> ssh remote

By default ssh does not allow X forwarding. You need to use an extra
option to ssh to allow X programs on the remote to work on your (local)
X-server.

A quick test is to run "xfd". If it runs and tells you "no font to
display", you can run X programs (like pinentry-gtk) on the remote box.

If you do not fully trust the remote machine (and only then you should
use X forwarding), you may still use gpg/gpgsm on the remote box: See

https://wiki.gnupg.org/AgentForwarding


Salam-Shalom,

Werner


--
Thoughts are free. Exceptions are governed by a federal statute.
Re: Help getting gtk or qt pinentry dialog forwarded over ssh connection
Hi Werner

I do know that I need to enable ssh X11 forwarding, and have tested it with ForwardX11 and ForwardX11Trusted
on (-X and -Y on the command line). Unfortunately, pinentry always defaults to tty. I fully trust the machine (it's mine). xfd does say "no font to display".

In fact, if I ssh in, and run

/usr/bin/pinentry-gtk-2
getpin

I do get an X11 window to type my pin into. When I type in

getinfo ttyinfo

it does say "gtk-2". However, the logs I attached say that when I run

gpg --decrypt ...

The GETINFO flavor command on pinentry gives

gtk2:curses

This is the reason I'm seeing a curses pinentry when I try to gpg --decrypt something. I don't know how to get my gpg-agent to give me an X11 pinentry.

Best
Arjun


Quoting Werner Koch (2022-01-24 12:19:09)
> On Sun, 23 Jan 2022 21:12, Arjun said:
>
> > I have GPG_TTY=$(tty) set in my .bashrc. However, when I ssh in
> >
> > ssh remote
>
> By default ssh does not allow X forwarding. You need to use an extra
> option to ssh to allow X programs on the remote to work on your (local)
> X-server.
>
> A quick test is to run "xfd". If it runs and tells you "no font to
> display", you can run X programs (like pinentry-gtk) on the remote box.
>
> If you do not fully trust the remote machine (and only then you should
> use X forwarding), you may still use gpg/gpgsm on the remote box: See
>
> https://wiki.gnupg.org/AgentForwarding
>
>
> Salam-Shalom,
>
> Werner
>
>
> --
> Thoughts are free. Exceptions are governed by a federal statute.
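An added example, not from either poster, that automates the check both messages circle around: read the gpg-agent debug output, find the display option gpg passed to the agent, and look at the flavor string the launched pinentry reported in the PINENTRY_LAUNCHED inquiry. pinentry reports its front-end name ("gtk2") and appends a ":curses" flag when the graphical front-end could not open a display and it answered through the terminal instead, which is what "gtk2:curses" in the posted log means. The log text below is a constructed sample modelled on the lines in the thread; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): parse gpg-agent debug output for the
# PINENTRY_LAUNCHED inquiry and report which pinentry front-end actually answered.

# Constructed sample, modelled on the log lines posted in the thread.
SAMPLE_LOG='DBG: chan_9 <- OPTION ttyname=/dev/pts/1
DBG: chan_9 <- OPTION display=localhost:11.0
DBG: chan_11 -> GETINFO flavor
DBG: chan_11 <- D gtk2:curses
DBG: chan_9 -> INQUIRE PINENTRY_LAUNCHED 15074 gtk2:curses 1.1.0 /dev/pts/1 xterm-256color -'

# Value of a session option that gpg sent to the agent ("display", "ttyname", ...),
# or an empty string if gpg never sent it.
agent_option() {  # $1 = log text, $2 = option name
    printf '%s\n' "$1" | sed -n "s/^DBG: chan_[0-9]* <- OPTION $2=//p" | head -n 1
}

# Flavor string carried in the PINENTRY_LAUNCHED inquiry, e.g. "gtk2:curses".
# Fields: DBG: chan_N -> INQUIRE PINENTRY_LAUNCHED <pid> <flavor> <version> ...
pinentry_flavor() {  # $1 = log text
    printf '%s\n' "$1" | awk '/INQUIRE PINENTRY_LAUNCHED/ { print $7; exit }'
}

# Front-end part of a flavor string, before any ":flag" suffix.
pinentry_frontend() {  # $1 = flavor
    printf '%s\n' "$1" | cut -d: -f1
}

# Succeeds when the flavor carries the "curses" flag, i.e. the graphical
# front-end found no usable display and fell back to the terminal.
fell_back_to_curses() {  # $1 = flavor
    case "$1" in
        *:curses|*:curses:*) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line diagnosis for a whole log.
diagnose() {  # $1 = log text
    flavor=$(pinentry_flavor "$1")
    display=$(agent_option "$1" display)
    if [ -z "$flavor" ]; then
        echo "no PINENTRY_LAUNCHED inquiry found: pinentry was not started"
    elif fell_back_to_curses "$flavor"; then
        echo "pinentry front-end $(pinentry_frontend "$flavor") fell back to curses (display option passed by gpg: ${display:-none})"
    else
        echo "pinentry front-end $(pinentry_frontend "$flavor") ran its graphical front-end"
    fi
}

# Feed a real log with: gpg-agent --debug-pinentry ... 2>&1 | tee agent.log, then
# diagnose "$(cat agent.log)". Here it runs on the constructed sample.
diagnose "$SAMPLE_LOG"
```

On the sample this prints that the gtk2 front-end fell back to curses even though gpg did pass display=localhost:11.0 to the agent, which separates "gpg never learned about the forwarded display" from "pinentry was told about it but could not use it", the two cases a reader of the thread needs to tell apart.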
