[pkg-gnupg-maint] Bug#834368: gpg-agent's ssh-agent functionality

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Aug 30 06:14:12 UTC 2016


On Mon 2016-08-29 21:59:30 -0400, brian m. carlson wrote:
> genre ok % gpg-connect-agent 'getinfo std_startup_env' /bye
> OK

interesting that this is empty for you.  I'm assuming that your agent is
started as a systemd user service, right?

that is, can you show me:

  systemctl --user status gpg-agent
  gpg-connect-agent 'getinfo pid' /bye

To verify that we're seeing the same pid?

If so, then i think the reason that we're seeing different values here
is that my system does have dbus-user-session installed, so my gpg-agent
systemd user service gets the initial startup environment variables
without my having to do anything else.

> genre ok % echo getpin | env -i DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=/run/user/1000/bus pinentry
> OK Pleased to meet you
>
> ** (pinentry:4864): WARNING **: couldn't create prompt for gnupg passphrase: Address element '/run/user/1000/bus' does not contain a colon (:)
> ERR 83886179 Operation cancelled <Pinentry>

Sigh, this was a bug in my recommended debugging script.
DBUS_SESSION_BUS_ADDRESS should have had unix:path= in there, as you can
see from my own examples.  you fixed it up here:

> genre ok % set |grep -a DBUS
> DBUS_SESSION_BUS_ADDRESS='unix:abstract=/tmp/dbus-cuRTQOMM9V,guid=13a091ac51e469798129363057c4e491'
>
> genre ok % echo getpin | env -i DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS pinentry
> OK Pleased to meet you
> D 123456
> OK
>
> # Saving a passphrase here makes this work automatically when run for a
> # second time.
> genre ok % env -i DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS pinentry <<EOF
> option allow-external-password-cache
> setkeyinfo testkey-for-pinentry
> getpin
> EOF
>
> OK Pleased to meet you
> OK
> OK
> D 123456
> OK

I'm assuming that the second time here produces an
"S PASSWORD_FROM_CACHE" status line as well, right?

So, if you do:

 gpg-connect-agent updatestartuptty /bye

and then:

 gpg-connect-agent 'getinfo std_startup_env' /bye

do you see some results?

If you then try pinentry with the stripped environment and no
DBUS_SESSION_BUS_ADDRESS at all it should continue working fine for
you.  can you confirm?


> I don't have dbus-user-session installed.
>
> Based on the description of the package, I don't think I want it
> installed, either.

You are trying to use gpg-agent with your login session as ssh-agent,
and you want gpg-agent to be able to talk to the gnome-keyring part of
your login session, which is done over dbus.

AIUI, you also want gpg-agent to be started when you need it for ssh.

you don't say why you don't want dbus-user-session installed -- do you
want multiple X11 sessions to run concurrently that are isolated from one
another?

If you don't want or need multiple X11 sessions to run separately from
each other, I see two options here:

 a) if you don't care about gpg-agent being shut down when you log out,
    and you don't mind having gpg-agent running well before you need it,
    then you should disable the systemd user service, and ensure that
    your X11 login process invokes:

       gpg-connect-agent updatestartuptty /bye

 b) install dbus-user-session

In either case, though, i think you might be limited to having one X11
session open concurrently when it comes to thinking about gpg-agent in
its role as ssh-agent.

If you do need multiple isolated X11 sessions as the same user on the
same machine, i'm not sure how to achieve that for gpg-agent's ssh-agent
emulation in general -- the modern gpg-agent will try to use its
standard ssh socket, which is in one and exactly one place in the local
machine's filesystem.  when a second X11 session starts, either
updatestartuptty will redirect it to the new session (in which case all
ssh prompts are displayed on the new session) or it won't (in which case
all ssh prompts are displayed on the old session).

In addition, if you're trying to interact with gnome-keyring for secret
sharing, or with scdaemon for smartcard access, it seems likely that
those daemons themselves will want to only be running at most once
per machine per user.

but maybe i'm getting hung up on the dbus-user-session question and you
don't want it installed for some other reason.  can you explain more?

thanks for the feedback,

    --dkg
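The checks dkg asks for in this reply (same pid as the systemd unit, std_startup_env before and after updatestartuptty, then pinentry with a stripped environment), collected into one script. This is an added example, not code from the thread or from GnuPG; the function names are hypothetical, and it assumes gpg-connect-agent, systemctl --user and pinentry are on PATH. The two helpers that validate a D-Bus address and classify a pinentry transcript run without an agent, so the malformed address from the failing run above can be caught before pinentry is even started.

```shell
#!/bin/sh
# Added example, not part of the original thread or of GnuPG.
# Helper names are hypothetical; gpg-connect-agent, systemctl --user and
# pinentry are assumed to be on PATH for the live steps.

# A D-Bus address element is transport:key=value[,key=value]; elements are
# separated by ';'. The failing run in the thread passed a bare path, which
# pinentry rejects with "does not contain a colon (:)".
dbus_address_ok() {
    rest=$1
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        elem=${rest%%;*}
        case "$elem" in
            ?*:?*) ;;               # e.g. unix:path=/run/user/1000/bus
            *) return 1 ;;
        esac
        case "$rest" in
            *";"*) rest=${rest#*;} ;;
            *) rest= ;;
        esac
    done
    return 0
}

# Classify a pinentry (Assuan) transcript read from stdin. A secret served
# from gnome-keyring is announced with "S PASSWORD_FROM_CACHE" before the
# "D ..." data line; "ERR" means the prompt could not be shown.
pinentry_result() {
    cached=0 data=0 err=0
    while IFS= read -r line; do
        case "$line" in
            "S PASSWORD_FROM_CACHE"*) cached=1 ;;
            "D "*) data=1 ;;
            ERR*) err=1 ;;
        esac
    done
    if [ "$err" = 1 ]; then echo error
    elif [ "$cached" = 1 ] && [ "$data" = 1 ]; then echo cached
    elif [ "$data" = 1 ]; then echo entered
    else echo nothing
    fi
}

# The request body used in the thread: allow the external (gnome-keyring)
# cache for the key identified by $1, then ask for the PIN.
pinentry_request() {
    printf 'option allow-external-password-cache\nsetkeyinfo %s\ngetpin\n' "$1"
}

# Steps 1-3 of the reply: compare pids, show the startup env, refresh it.
agent_diagnose() {
    systemctl --user status gpg-agent
    gpg-connect-agent 'getinfo pid' /bye
    gpg-connect-agent 'getinfo std_startup_env' /bye
    gpg-connect-agent updatestartuptty /bye
    gpg-connect-agent 'getinfo std_startup_env' /bye
}

# Step 4: pinentry with a stripped environment. $1 is the keyinfo; pass
# "dbus" as $2 to forward the session address (only if it is well formed),
# otherwise run without DBUS_SESSION_BUS_ADDRESS, the case dkg asks to confirm.
pinentry_probe() {
    if [ "${2:-}" = dbus ] && dbus_address_ok "$DBUS_SESSION_BUS_ADDRESS"; then
        pinentry_request "$1" | env -i DISPLAY="${DISPLAY:-:0}" \
            DBUS_SESSION_BUS_ADDRESS="$DBUS_SESSION_BUS_ADDRESS" pinentry | pinentry_result
    else
        pinentry_request "$1" | env -i DISPLAY="${DISPLAY:-:0}" pinentry | pinentry_result
    fi
}

# Run the live checks only when invoked as: sh thisscript.sh run
if [ "${1:-}" = run ]; then
    agent_diagnose
    pinentry_probe testkey-for-pinentry dbus
    pinentry_probe testkey-for-pinentry
fi
```

Running the probe twice against the same keyinfo is the point of the thread's second test: the first run should report "entered" and the second "cached" once gnome-keyring has stored the secret, and it should stay "cached" when the D-Bus address is dropped from the environment after updatestartuptty.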