#835394 gnupg-agent: gpg agent refusing ssh agent work

Package:
gnupg-agent
Source:
gnupg2
Submitter:
Joerg Jaspert
Date:
2024-10-31 10:12:02 UTC
Severity:
normal
Tags:
#835394#5
Date:
2016-08-25 09:41:47 UTC
From:
To:
Dear Maintainer,

Since the upgrade to the newest gnupg-agent I had the problem that
gnupg-agent just refused any ssh agent work with a simple

sign_and_send_pubkey: signing failed: agent refused operation

which isn't all that helpful a message. I always had gnupg-agent
configured for the ssh-agent support and never run an ssh-agent
directly, which, until the upgrade, worked nicely.

Finally had time to look what broke in gnupg-agent - and it seems the
way its started now (or its now default way of working) is kinda stupid
compared to the past.

Past: An Xsession.d script that just had

$GPGAGENT --daemon --sh --enable-ssh-support --write-env-file=$PID_FILE $STARTUP

and whenever needed (my shell startup scripts) I fetched the agent vars
from that file. Works.

Now: "gpg agent started by systemd foo" for whatever reason. And the
script only exporting the SSH_AUTH_SOCK var.

The Now: is broken: It leaves people without a working ssh key agent. As
systemd starts it on whatever tty (maybe none). I finally found

$ gpg-connect-agent updatestartuptty /bye

somewhere in the manpage, and if I run that, ssh functionality is back.

I wonder if that shouldn't be run automagically at the time
SSH_AUTH_SOCK is exported. Its highly annoying and IMO a regression to
the past, if one has to manually do something to get ssh support running
in the agent.

#835394#18
Date:
2017-06-20 05:09:00 UTC
From:
To:
Just upgraded from Jessie to Stretch, same issue.

This used to just work
$ eval $(gpg-agent --enable-ssh-support)


But ssh connections now fail miserably.

I'm offered the ssh key pinentry popup, and then:
I also tried to kill all that dbus-* things before retrying.
I was provided with the curl-based pinentry popup but failed the same way.


ssh-agent and/or hardcoding IdentityFile still works (hopefully)

I also noticed that running gpg 2.1 $(gpg-agent --enable-ssh-support)
automatically provides two of my keys. ssh-add -D does not seem to
remove them from the (gpg)-agent.
I guess those are the only two which were inside my agent at the time
gpg 2.1 migrated them inside ~/.gnupg/private-keys-v1.d/

This may or may not be related to the issue.


NB: I don't use systemd

#835394#23
Date:
2017-06-22 17:05:38 UTC
From:
To:
On Tue, 20 Jun 2017 07:09, raphael.droz@gmail.com said:

Please don't do that anymore.

  SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
  export SSH_AUTH_SOCK

is the way to go.

Right.  gpg-agent takes a copy of the key and stored it in its own DB.


Shalom-Salam,

   Werner

#835394#28
Date:
2017-06-24 02:56:11 UTC
From:
To:
thanks for tip

good to know




But still, that's does not explain why my key (a password-less ssh-key
in this case) is refused by the agent:

Could the "agent" give me the *reason* why it didn't "want to sign"?
Any debugging/more verbose system here?

#835394#33
Date:
2017-06-25 00:56:32 UTC
From:
To:
Running the agent --debug 4096 --debug-level guru --daemon --min-passphrase-len 0

$ ssh my-vm

gpg-agent[29336]: ssh handler 0x------------ for fd 8 started
gpg-agent[29336]: ssh request handler for request_identities (11) started
gpg-agent[29336]: ssh request handler for request_identities (11) ready
gpg-agent[29336]: ssh request handler for sign_request (13) started
gpg-agent[29336]: DBG: agent_get_cache '4B9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXA' (mode 4) ...
gpg-agent[29336]: DBG: ... miss
gpg-agent[29336]: starting a new PIN Entry
gpg-agent[29336]: DBG: connection to PIN entry established
** Message: Remote error from secret service: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.secrets was not provided by any .service files
Failed to lookup password for key s/4B9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXA with secret service: The name org.freedesktop.secrets was not provided by any .service files
#### here ssh key PINentry popup => just enter (no passphrase) ####
gpg-agent[29336]: DBG: error calling pinentry: No passphrase given <GPG Agent>
gpg-agent[29336]: failed to unprotect the secret key: No passphrase given
gpg-agent[29336]: failed to read the secret key


I guess there may be something "special" against passphrase-less ssh keys, but
couldn't find any documentation/hints about this.

#835394#38
Date:
2018-01-25 21:53:18 UTC
From:
To:
Hi,

$work imposed using a yubikey on me for ssh auth. After a long painful
search on how to disable the gnome-keyring on mate, I finally had the
same issue as Ganneff, and it took me another long painful web search to
find out how to fix. So I also have to do:

gpg-connect-agent updatestartuptty /bye

to get the gpg-agent to prompt for the yubikey pin to fetch the key. I
would very much like to find a fix for this, typing it on each new
session is very annoying. I'm guessing this isn't the fault of
gnupg-agent, but whoever is starting it using the --supervised option. A
quick ps auxf shows:

 /lib/systemd/systemd --user
  \_ (sd-pam)
  \_ /usr/bin/gpg-agent --supervised
      \_ scdaemon --multi-server

and pstree output is:

systemd─┬
        ├─systemd─┬─(sd-pam)
        │         └─gpg-agent───scdaemon───2*[{pipe-connection}]

so really, it looks like systemd is the badly configured thing here.

Cheers,

Thomas Goirand (zigo)

#835394#43
Date:
2018-01-25 23:42:57 UTC
From:
To:
I don't see how systemd is "badly configured" -- the user service starts
up gpg-agent the first time it's needed.

gpg-agent itself invokes pinentry in order to talk to the user, so
pinentry needs to know some sort of environment information.

if you use pinentry-gnome3 (which is the preferred graphical pinentry)
it just needs to know the $DBUS_SESSION_BUS_ADDRESS, which should be
already available because the bus is already available at the time the
service is launched.  This will work whether you're running Wayland or
X11.

if you use pinentry-gtk2 or pinentry-qt within an X11 session, then
gpg-agent needs to know $DISPLAY and $XAUTHORITY so it can launch
pinentry.  These variables should be set into the systemd user service
activation environment when you log into a graphical session.  (i expect
"dbus-update-activation-environment --systemd DISPLAY XAUTHORITY" to be
invoked by however you start your X session -- if it's not happening,
that'd be good to know)

so as long as you don't try to use gpg-agent (either as ssh-agent or as
gpg-agent, or by explicitly "systemctl --user start gpg-agent.service")
before you've logged into your graphical user session, when gpg-agent is
launched, it will already know how to prompt you for a password for ssh,
and you shouldn't need to manually run workarounds like:

   gpg-connect-agent updatestartuptty /bye

If you can tell me how you start up your graphical session, maybe we can
track down the problem further.

Regards,

#835394#48
Date:
2018-10-07 17:46:38 UTC
From:
To:
Cheers,

I've been having the same issue, where I'm getting this error when ssh'ing
into just about anything:

sign_and_send_pubkey: signing failed: agent refused operation

I do indeed startup my graphical session in a non-standard way (for
unrelated reasons):

0. systemd is set to a text startup target.
1. I login to a tty text console.
2. I run startx

It may be worth noting that after my DE (Budgie) has started, I'm usually
prompted to enter my password to unlock the login keychain.

Like others in this thread have mentioned, running the following command
seems to fix everything until I shut down:

$ gpg-connect-agent updatestartuptty /bye

Some system info:
$ uname -a
Linux dawnrose 4.18.0-1-amd64 #1 SMP Debian 4.18.8-1 (2018-09-18) x86_64
GNU/Linux

Hope this can help!

Regards,
Sofus Rose

#835394#53
Date:
2018-10-08 06:16:24 UTC
From:
To:
I use this same workflow to start X11, and i don't have the problems
described.

what version of pinentry are you using?  do you have dbus-user-session
installed?

Regards,

#835394#58
Date:
2024-10-31 10:08:24 UTC
From:
To:

#835394#63
Date:
2024-10-31 10:09:44 UTC
From:
To: