[pkg-gnupg-maint] Bug#834368: gpg-agent's ssh-agent functionality
brian m. carlson
sandals at crustytoothpaste.net
Wed Aug 31 01:44:43 UTC 2016
On Tue, Aug 30, 2016 at 02:14:12AM -0400, Daniel Kahn Gillmor wrote:
> On Mon 2016-08-29 21:59:30 -0400, brian m. carlson wrote:
> > genre ok % gpg-connect-agent 'getinfo std_startup_env' /bye
> > OK
>
> interesting that this is empty for you. I'm assuming that your agent is
> started as a systemd user service, right?
>
> that is, can you show me:
>
> systemctl --user status gpg-agent
> gpg-connect-agent 'getinfo pid' /bye
>
> To verify that we're seeing the same pid?
Yup. Both show the same PID.
> > # Saving a passphrase here makes this work automatically when run for a
> > # second time.
> > genre ok % env -i DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS pinentry <<EOF
> > option allow-external-password-cache
> > setkeyinfo testkey-for-pinentry
> > getpin
> > EOF
> >
> > OK Pleased to meet you
> > OK
> > OK
> > D 123456
> > OK
>
> I'm assuming that the second time here produces an "S
> PASSWORD_FROM_CACHE" status line as well, right?
Yes, there is.
> So, if you do:
>
> gpg-connect-agent updatestartuptty /bye
>
> and then:
>
> gpg-connect-agent 'getinfo std_startup_env' /bye
>
> do you see some results?
I see output after this, but my SSH agent still doesn't work:
genre ok % gpg-connect-agent updatestartuptty /bye
OK
genre ok % gpg-connect-agent 'getinfo std_startup_env' /bye
D GPG_TTY=/dev/pts/19
D TERM=screen-256color
D DISPLAY=:0
D XAUTHORITY=/home/bmc/.Xauthority
D DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-cuRTQOMM9V,guid=13a091ac51e469798129363057c4e491
OK
genre ok % git push def HEAD
sign_and_send_pubkey: signing failed: agent refused operation
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
> > I don't have dbus-user-session installed.
> >
> > Based on the description of the package, I don't think I want it
> > installed, either.
>
> You are trying to use gpg-agent with your login session as ssh-agent,
> and you want gpg-agent to be able to talk to the gnome-keyring part of
> your login session, which is done over dbus.
>
> AIUI, you also want gpg-agent to be started when you need it for ssh.
>
> you don't say why you don't want dbus-user-session installed -- do you
> want multiple X11 sessions to run concurrently that are isolated from one
> another?
I want my TTY sessions to be completely isolated from my X11 session.
If I'm logging into a non-X11 session, my system is in a bad state and
I'm trying to fix it. Shared state is not helpful there, and I
certainly don't want D-Bus involved at all in a TTY session.
Also, philosophically, init should start and stop services, not manage
IPC, run cron jobs, handle NTP, or other unrelated tasks.
> If you don't want or need multiple X11 sessions to run separately from
> each other, I see two options here:
>
> a) if you don't care about gpg-agent being shut down when you log out,
> and you don't mind having gpg-agent running well before you need it,
> then you should disable the systemd user service, and ensure that
> your X11 login process invokes:
>
> gpg-connect-agent updatestartuptty /bye
>
> b) install dbus-user-session
Can we have gpg-agent ship an entry in /etc/xdg/autostart that starts it
automatically (e.g. gpg-connect-agent /bye)? That seems to be the most
robust solution. The systemd solution seems too brittle. Specifically,
we want gpg-agent to inherit all of the user's environment, and systemd
wants desperately to isolate processes from it.
This would work equally well with the dbus-user-session model, and a lot
better for the single-X11-session model.
What I'm doing now is this in my .zshenv (which is revolting and clearly
the wrong place, but it works):
setup_ssh_agent () {
    local i
    # is_ssh_session is a helper defined elsewhere (not shown): do nothing
    # when this shell is itself an SSH login.
    is_ssh_session && return
    # Only continue if enable-ssh-support is active (not commented out)
    # in gpg-agent.conf.
    grep enable-ssh-support ~/.gnupg/gpg-agent.conf 2>/dev/null | \
        grep -qsv '^#' || return
    # Make sure the agent is running.
    gpg-connect-agent /bye >/dev/null 2>&1
    # Candidate agent socket locations: what gpgconf reports, then the
    # legacy homedir path, then the XDG runtime path. The ssh socket is
    # the agent socket with ".ssh" appended.
    for i in "$(gpgconf --list-dirs | grep '^agent-socket:' | cut -d: -f2)" \
             "$HOME/.gnupg/S.gpg-agent" \
             "/run/user/$(id -u)/gnupg/S.gpg-agent"
    do
        [[ -S "$i.ssh" ]] && export SSH_AUTH_SOCK="$i.ssh"
    done
}
My .Xsession invokes (roughly) zsh -c mate-session.
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204
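A diagnostic for the three things the exchange above turns on: which socket the agent exposes for ssh, whether SSH_AUTH_SOCK points at it, and whether the agent's startup environment carries the DISPLAY/GPG_TTY that pinentry needs. This is added example code, not from the thread or from GnuPG; the sample inputs are constructed and the paths and the --live mode are assumptions.

```shell
#!/bin/sh
# Offline-testable diagnostics for the gpg-agent/ssh problem in this thread.
# Added helper code, not from the thread or GnuPG; sample inputs are constructed.

# Constructed sample of `gpgconf --list-dirs` output (hypothetical paths;
# gpgconf percent-escapes values, so a value never contains a bare colon).
SAMPLE_DIRS='homedir:/home/bmc/.gnupg
agent-socket:/run/user/1000/gnupg/S.gpg-agent
agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh'

# Constructed sample of the Assuan reply to `getinfo std_startup_env`.
SAMPLE_ENV='D GPG_TTY=/dev/pts/19
D DISPLAY=:0
OK'

# Read gpgconf --list-dirs output on stdin and print the ssh socket path.
# Prefer the explicit agent-ssh-socket line; older gpgconf lacks it, so
# fall back to agent-socket with ".ssh" appended, as the thread's function does.
ssh_socket_from_dirs() {
    awk '
        /^agent-ssh-socket:/ { sub(/^agent-ssh-socket:/, ""); print; found = 1; exit }
        /^agent-socket:/     { sub(/^agent-socket:/, ""); fallback = $0 ".ssh" }
        END { if (!found && fallback != "") print fallback }'
}

# Succeed if the startup environment on stdin (Assuan "D VAR=value" lines)
# carries variable $1. Without DISPLAY or GPG_TTY pinentry has nowhere to
# prompt, and ssh reports "agent refused operation".
startup_env_has() {
    grep -q "^D $1="
}

# Succeed if SSH_AUTH_SOCK ($2) is set and names the agent's ssh socket ($1).
ssh_auth_sock_matches() {
    [ -n "$2" ] && [ "$1" = "$2" ]
}

# Live check against the running agent (needs gpgconf and gpg-connect-agent).
diagnose_live() {
    sock=$(gpgconf --list-dirs | ssh_socket_from_dirs)
    [ -S "$sock" ] && [ -O "$sock" ] || echo "no ssh socket owned by us at $sock"
    ssh_auth_sock_matches "$sock" "${SSH_AUTH_SOCK:-}" \
        || echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-unset}, expected $sock"
    for v in GPG_TTY DISPLAY; do
        gpg-connect-agent 'getinfo std_startup_env' /bye | startup_env_has "$v" \
            || echo "agent startup env lacks $v; try: gpg-connect-agent updatestartuptty /bye"
    done
}
case "${1:-}" in --live) diagnose_live ;; esac
```

Run it with `--live` from the shell whose SSH_AUTH_SOCK you want to verify; without arguments it only defines the functions.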