Hello,
I'm running Fedora 22. I'm trying to set up GnuPG to have my SSH connections authenticated using my PGP authentication subkey that is located on my Yubikey Neo.
I have a systemd unit starting the gpg-agent as follows:
/usr/bin/gpg-agent --homedir=%h/.gnupg --daemon --use-standard-socket
And I have enabled SSH support in the configuration:
enable-ssh-support
pinentry-program /usr/bin/pinentry-gtk
Other parts of the setup include adding the [keygrip][1] of my key to the ~/.gnupg/sshcontrol file, adding my [public key][2] to the remote host and declaring the [environment variables][3].
Globally looking at the various logs, the setup wants to work: I can see that SSH is finding the key but actually failing to sign with it. If I look at the logs from gpg-agent, I can see that it is failing to launch the pinentry program and is therefore not requesting the PIN code:
2015-07-22 23:23:28 gpg-agent[6758] DBG: error calling pinentry: Ioctl() inappropriate for a device <Pinentry>
2015-07-22 23:23:28 gpg-agent[6758] DBG: chan_8 -> BYE
2015-07-22 23:23:28 gpg-agent[6758] DBG: chan_7 -> CAN
2015-07-22 23:23:28 gpg-agent[6758] DBG: chan_7 <- ERR 100663573 The IPC call was canceled <SCD>
2015-07-22 23:23:28 gpg-agent[6758] smartcard signing failed: Ioctl() inappropriate for a device
2015-07-22 23:23:28 gpg-agent[6758] ssh sign request failed: Ioctl() inappropriate for a device <Pinentry>
What we see here is that when used in combination with SSH, some ioctl call is failing while calling pinentry. However if I run the following:
$ echo "Test" | gpg2 -s
The PIN window is popping up and it's all working fine.
Can you help me understand what's going on with this setup and SSH?
[1]: https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
[2]: https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045115.html
[3]: https://www.gnupg.org/documentation/manuals/gnupg/Agent-Examples.html#Agent-...
___ Jimmy THRASIBULE thrasibule.jimmy@gmail.com
Hi,
I've found the answer on the [GPG Website][1] itself. The agent was failing to find on which screen to display the Pinentry window. I just had to put the following in my .*shrc file:
echo "UPDATESTARTUPTTY" | gpg-connect-agent > /dev/null 2>&1
[1]: https://www.gnupg.org/documentation/manuals/gnupg/Common-Problems.html
Jimmy
___ Jimmy THRASIBULE thrasibule.jimmy@gmail.com
2015-07-22 23:41 GMT+02:00 Jimmy Thrasibule thrasibule.jimmy@gmail.com:
> Hello,
> I'm running Fedora 22. I'm trying to set up GnuPG to have my SSH connections authenticated using my PGP authentication subkey that is located on my Yubikey Neo.
> I have a systemd unit starting the gpg-agent as follows:
> /usr/bin/gpg-agent --homedir=%h/.gnupg --daemon --use-standard-socket
> And I have enabled SSH support in the configuration:
> enable-ssh-support
> pinentry-program /usr/bin/pinentry-gtk
> Other parts of the setup include adding the [keygrip][1] of my key to the ~/.gnupg/sshcontrol file, adding my [public key][2] to the remote host and declaring the [environment variables][3].
> Globally looking at the various logs, the setup wants to work: I can see that SSH is finding the key but actually failing to sign with it. If I look at the logs from gpg-agent, I can see that it is failing to launch the pinentry program and is therefore not requesting the PIN code:
> 2015-07-22 23:23:28 gpg-agent[6758] DBG: error calling pinentry: Ioctl() inappropriate for a device <Pinentry>
> 2015-07-22 23:23:28 gpg-agent[6758] DBG: chan_8 -> BYE
> 2015-07-22 23:23:28 gpg-agent[6758] DBG: chan_7 -> CAN
> 2015-07-22 23:23:28 gpg-agent[6758] DBG: chan_7 <- ERR 100663573 The IPC call was canceled <SCD>
> 2015-07-22 23:23:28 gpg-agent[6758] smartcard signing failed: Ioctl() inappropriate for a device
> 2015-07-22 23:23:28 gpg-agent[6758] ssh sign request failed: Ioctl() inappropriate for a device <Pinentry>
> What we see here is that when used in combination with SSH, some ioctl call is failing while calling pinentry. However if I run the following:
> $ echo "Test" | gpg2 -s
> The PIN window is popping up and it's all working fine.
> Can you help me understand what's going on with this setup and SSH?
Jimmy THRASIBULE thrasibule.jimmy@gmail.com
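
An rc-file helper for the fix described in this thread, paired with a check for the log signature from the question; this is an added example, not part of the original messages. The function names are hypothetical, and `gpg-connect-agent updatestartuptty /bye` is the command form given in the GnuPG manual rather than the echo pipeline used in the post.

```shell
# Added example, not from the thread. Function names are hypothetical.
# Constructed sample: three of the gpg-agent log lines quoted in the question.
SAMPLE_LOG='2015-07-22 23:23:28 gpg-agent[6758] DBG: error calling pinentry: Ioctl() inappropriate for a device <Pinentry>
2015-07-22 23:23:28 gpg-agent[6758] smartcard signing failed: Ioctl() inappropriate for a device
2015-07-22 23:23:28 gpg-agent[6758] ssh sign request failed: Ioctl() inappropriate for a device <Pinentry>'

# classify_agent_log: read gpg-agent log text on stdin and print one of
#   pinentry-no-tty  pinentry hit an ioctl (no usable terminal) error and
#                    an SSH signing request failed
#   ssh-sign-failed  an SSH signing request failed for some other reason
#   ok               neither pattern was seen
classify_agent_log() {
    awk '
        /error calling pinentry/ && tolower($0) ~ /ioctl/ { notty = 1 }
        /ssh sign request failed/                         { sshfail = 1 }
        END {
            if (notty && sshfail) print "pinentry-no-tty"
            else if (sshfail)     print "ssh-sign-failed"
            else                  print "ok"
        }'
}

# refresh_agent_tty: intended for an interactive shell rc file.
# The ssh-agent protocol cannot tell gpg-agent which terminal or display the
# request came from, so the agent keeps using the one it was started on
# (none at all when it is launched from a systemd unit).
# Returns non-zero when there is no terminal or no gpg-connect-agent.
refresh_agent_tty() {
    # tty(1) exits non-zero when stdin is not a terminal (scp, cron, ...)
    current_tty=$(tty 2>/dev/null) || return 1
    command -v gpg-connect-agent >/dev/null 2>&1 || return 1
    GPG_TTY=$current_tty
    export GPG_TTY
    # Ask the running agent to adopt this shell's terminal and DISPLAY
    gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1
}

# In ~/.bashrc or ~/.zshrc:
#   refresh_agent_tty || true
# To check an agent log file (path depends on the log-file setting):
#   classify_agent_log < /path/to/gpg-agent.log
```
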