[pkg-gnupg-maint] Bug#830658: Bug#830658: gpg-agent: cannot talk to libsecret when started from systemd
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Aug 5 16:52:24 UTC 2016
Control: retitle 830658 gpg-agent: cannot talk to libsecret when used as ssh-agent and not started from the same session
Control: tags 830658 + help upstream
Hi Brian--
On Sat 2016-07-09 18:58:43 -0400, brian m. carlson wrote:
> The recommended way to use gpg-agent, according to README.Debian, is to
> use systemd to start it automatically in the session. However, when
> doing that, the agent does not inherit $DISPLAY. This prevents dbus,
> and hence the libsecret integration in pinentry-gnome3, from working.
> Since my passphrases are stored in my desktop's keyring integration, I
> can't use my SSH keys:
>
> genre ok % ssh -oGSSAPIAuthentication=no castro
> sign_and_send_pubkey: signing failed: agent refused operation
> sign_and_send_pubkey: signing failed: agent refused operation
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
>
> A dump of the environment from such a gpg-agent process follows:
>
> HOME=/home/bmc\0LANG=en_US.UTF-8\0LOGNAME=bmc\0PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\0SHELL=/bin/zsh\0TEMP=/tmp/user/1000\0TEMPDIR=/tmp/user/1000\0TMP=/tmp/user/1000\0TMPDIR=/tmp/user/1000\0USER=bmc\0XDG_RUNTIME_DIR=/run/user/1000\0MANAGERPID=2813\0
>
> As you'll notice, it's lacking the most rudimentary X environment
> variables.
Thanks for this report (and sorry for the delay in response).
This isn't a problem for the normal uses of gpg-agent (whether started
in-session, via systemd, or even in a separate session), because gpg
knows to send gpg-agent X11 and dbus session credentials on each use.
It's a problem when gpg-agent is used as ssh-agent, because the
ssh-agent protocol doesn't have any way to transmit these configuration
preferences. This isn't just true for systemd-managed services, it's
also true for a gpg-agent used across concurrent sessions (i.e. started
in session A and then accessed from session B).
So i'm not sure what the right approach is here; there's something of an
impedence mismatch between OpenSSH's agent and GnuPG's agent, and having
one pretend to be the other ends up with this sort of friction.
By "impedence mismatch" i mean things like the following:
* ssh-agent expects to be run ephemerally, with basically no access to
the filesystem other than to launch ssh-askpass when needed, and gets
its keys after each initialization by explicit handoff from the user.
gpg-agent expects to read and manage its ~/.gnupg/private-keys-v1.d
directory (where its secret key material is stored) and spawns
scdaemon (if needed/installed) in addition to spawning pinentry.
* ssh-agent is configured at process initialization about how and where
to prompt for confirmation, and is configured at key-load about
whether to prompt for the use of a given key. gpg-agent is
configured at *use* time about how and where and whether to prompt
for the use of a given key.
Their associated non-daemonized tools (at least gpg and ssh) make some
assumptions about these patterns.
I'd welcome help in resolving this, but i'm not sure what the right
thing to do is.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 948 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20160805/81bf3f36/attachment-0003.sig>
More information about the pkg-gnupg-maint
mailing list