
Bug #12349

gpg-agent can't handle ssh & can't be adjusted

Added by orange over 2 years ago. Updated over 2 years ago.

Status: Rejected
Priority: Normal
Assignee:
Category: Hardware support
Target version:
Start date: 03/15/2017
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

In the 3.0 Beta 1 and Alpha you could force the gpg-agent to authenticate SSH sessions via "gpg-agent --ssh-support-enable --daemon " '' being the command to use to authenticate the session of (like git, scp, sshfs or ssh itself). This is useful for those who don't want to maintain multiple keys, for those who use OpenPGP cards for signing & authenticating rather than persistence, and for those given access to SSH servers by their PGP public keys.
Usually a "pkill gpg-agent" would solve the issue but now gpg-agent refuses to start with ssh-support. Adding "ssh-support-enable" to gpg-agent.conf and then "pkill gpg-agent" also does not fix this.
I don't know what is causing the issue. I don't know if having ssh-support on by default is a potential security issue (I'm not sure of the mechanics of turning a GPG-SSH public key back into a PGP public key) but I would like to suggest it as a solution.

History

#1 Updated by intrigeri over 2 years ago

  • Affected tool deleted (OpenPGP Applet)

#2 Updated by intrigeri over 2 years ago

  • Assignee set to orange
  • QA Check changed from Dev Needed to Info Needed

> In the 3.0 Beta 1 and Alpha you could force the gpg-agent to authenticate SSH sessions via "gpg-agent --ssh-support-enable --daemon " '' being the command to use to authenticate the session of (like git, scp, sshfs or ssh itself). This is useful for those who don't want to maintain multiple keys, for those who use OpenPGP cards for signing & authenticating rather than persistence, and for those given access to SSH servers by their PGP public keys.

Sure. I think that's now supported out of the box, provided one uses the correct socket to talk to a SSH-enabled gpg-agent. Details follow.

> Usually a "pkill gpg-agent" would solve the issue

OK.

> but now gpg-agent refuses to start with ssh-support.

That is? What are you doing and what's the resulting behavior?

> Adding "ssh-support-enable" to gpg-agent.conf and then "pkill gpg-agent" also does not fix this.

I think that nowadays there's a dedicated socket for SSH support in gpg-agent, that's handled by the gpg-agent-ssh.socket systemd (user) service:

amnesia@amnesia:~$ systemctl --user status gpg-agent-ssh.socket 
● gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation)
Loaded: loaded (/usr/lib/systemd/user/gpg-agent-ssh.socket; disabled; vendor 
Active: active (running) since Fri 2017-03-17 17:34:06 UTC; 22s ago
Docs: man:gpg-agent(1)
man:ssh-add(1)
man:ssh-agent(1)
man:ssh(1)
Listen: /run/user/1000/gnupg/S.gpg-agent.ssh (Stream)

and:

amnesia@amnesia:~$ ls /run/user/1000/gnupg/
S.dirmngr  S.gpg-agent  S.gpg-agent.browser  S.gpg-agent.extra  S.gpg-agent.ssh

So it looks like ssh-support-enable is not needed anymore, and you already have a socket to talk to a SSH-enabled gpg-agent :)

Can you please try using it and report back?

#3 Updated by orange over 2 years ago

So I've tried again in beta~3. I neglected to mention that specifically I am using an OpenPGP card in the form of a Yubikey (although this wasn't an issue in the past).
However I did what you asked me to try, and "export SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh" worked.

Thanks for your help!
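The socket-based approach the thread settles on, written up as an added shell example that is not part of the ticket or of Tails: it resolves gpg-agent's SSH socket (via gpgconf when available, otherwise the /run/user/UID/gnupg/S.gpg-agent.ssh default seen above), verifies that something is actually listening there before exporting SSH_AUTH_SOCK, and points at the systemd socket unit when it is not. The function names are my own.

```shell
#!/bin/sh
# Added example: make ssh clients (ssh, scp, git, sshfs) use gpg-agent's
# ssh-agent emulation through its dedicated socket. Not from the ticket.

# Expected socket path for a given runtime dir; this is the layout the
# systemd user unit gpg-agent-ssh.socket uses (pure function, easy to test).
gpg_ssh_socket_for_runtime_dir() {
    printf '%s/gnupg/S.gpg-agent.ssh\n' "$1"
}

# True only if the path is a Unix socket, i.e. an agent is bound there.
# A stale regular file or a missing path must not be exported as an agent.
is_listening_socket() {
    [ -S "$1" ]
}

# Resolve the socket path. gpgconf is authoritative when installed
# (GnuPG >= 2.1); otherwise fall back to the default runtime dir layout.
resolve_gpg_ssh_socket() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-ssh-socket
    else
        gpg_ssh_socket_for_runtime_dir "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    fi
}

# Export SSH_AUTH_SOCK if the socket is live; return 1 with a hint otherwise.
use_gpg_agent_for_ssh() {
    sock=$(resolve_gpg_ssh_socket)
    if is_listening_socket "$sock"; then
        SSH_AUTH_SOCK=$sock
        export SSH_AUTH_SOCK
        return 0
    fi
    echo "no gpg-agent ssh socket at $sock;" \
         "try: systemctl --user start gpg-agent-ssh.socket" >&2
    return 1
}

# Usage: source this file, then confirm the card's key is offered:
#   use_gpg_agent_for_ssh && ssh-add -L
```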

#4 Updated by intrigeri over 2 years ago

  • Status changed from New to Rejected

> However I did what you asked me to try, and "export SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh" worked.

Great!
