[pkg-gnupg-maint] Bug#818969: gnupg-agent: gpg-agent passes not yet available when used as ssh-agent

Mariusz Gronczewski xani666 at gmail.com
Tue Mar 22 11:59:10 UTC 2016


Package: gnupg-agent
Version: 2.1.11-6
Severity: important

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnupg-agent depends on:
ii  libassuan0                  2.4.2-3
ii  libc6                       2.22-3
ii  libgcrypt20                 1.6.5-2
ii  libgpg-error0               1.21-2
ii  libnpth0                    1.2-3
ii  libreadline6                6.3-8+b4
ii  pinentry-gnome3 [pinentry]  0.9.7-5
ii  pinentry-gtk2 [pinentry]    0.9.7-5

Versions of packages gnupg-agent recommends:
ii  gnupg   1.4.20-4
ii  gnupg2  2.1.11-6
ii  gpgsm   2.1.11-6

gnupg-agent suggests no packages.

Config:

default-cache-ttl 86400
default-cache-ttl-ssh 86400
max-cache-ttl 864000
max-cache-ttl-ssh 864000
enable-ssh-support
log-file /tmp/gpg-agent-xani.log


I also have a smartcard. Config works correctly when using just GPG functions
(including correct pinentry), but it doesn't allow unlocking any of the keys
via ssh:

-> ᛯ ssh-add -l
2048 SHA256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz8 cardno:000000000001 (RSA)
2048 SHA256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaKw .ssh/keys/artekey (RSA)
2048 SHA256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz8 (none) (RSA)

-> ᛯ ssh stonka
sign_and_send_pubkey: signing failed: agent refused operation
Permission denied (publickey).

generates log:

2016-03-22 12:32:14 gpg-agent[28884] failed to unprotect the secret key: No passphrase given
2016-03-22 12:32:14 gpg-agent[28884] failed to read the secret key
2016-03-22 12:32:14 gpg-agent[28884] ssh sign request failed: No passphrase given <GPG Agent>

I've also tried setting GPG_TTY=$(tty), no difference, same with running
gpg-agent with session vs. just running from terminal. At all times, it
correctly asks for passphrase when used with GPG operations.

Looking at strace, it spawns the correct pinentry:
[pid 14175] execve("/usr/bin/pinentry-gnome3", ["pinentry-gnome3", "--display", ":0"], [/* 57 vars */]) = 0

Running with debug-pinentry, it looks like it tries to use options that are not
available in the current pinentry version (I've also tried pinentry-x11, didn't
help):

2016-03-22 12:51:39 gpg-agent[20069] starting a new PIN Entry
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- OK Pleased to meet you, process 20069
2016-03-22 12:51:39 gpg-agent[20069] DBG: connection to PIN entry established
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION grab
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- OK
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION ttyname=/dev/pts/2
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- OK
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION ttytype=xterm-256color
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- OK
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION lc-ctype=pl_PL.UTF-8
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- OK
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION allow-external-password-cache
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- OK
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION default-ok=_OK
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- OK
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION default-cancel=_Cancel
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- OK
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION default-yes=_Yes
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- ERR 83886254 Unknown option <Pinentry>
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION default-no=_No
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- ERR 83886254 Unknown option <Pinentry>
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION default-prompt=PIN:
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- OK
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION default-pwmngr=_Save in password manager
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- OK
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION default-cf-visi=Do you really want to make your passphrase visible on the screen?
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- ERR 83886254 Unknown option <Pinentry>
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION default-tt-visi=Make passphrase visible
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- ERR 83886254 Unknown option <Pinentry>
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION default-tt-hide=Hide passphrase
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- ERR 83886254 Unknown option <Pinentry>
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION touch-file=/home/xani/.gnupg/S.gpg-agent
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- OK
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> GETINFO pid
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- D 20180
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- OK
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> SETKEYINFO s/C8E595D3AB34F640AD9B36BB91FB6407BC8EE204
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- OK
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> SETDESC Please enter the passphrase for the ssh key%0A aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:a:aa:aa:f9:c5:c7%0A  (.ssh/keys/arte.key)
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- OK
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> SETPROMPT Passphrase:
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- OK
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> [[Confidential data not shown]]
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- [[Confidential data not shown]]
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- [[Confidential data not shown]]
2016-03-22 12:51:39 gpg-agent[20069] DBG: error calling pinentry: No passphrase given <GPG Agent>
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> BYE
2016-03-22 12:51:39 gpg-agent[20069] failed to unprotect the secret key: No passphrase given

-- 
Mariusz Gronczewski (XANi) <xani666 at gmail.com>
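
A triage aid for the debug-pinentry log above, added here as an example and not part of the original report or of GnuPG: it rejoins mailer-wrapped records, pairs each command gpg-agent sent to pinentry with its status reply, lists the OPTION names that drew ERR, and splits the numeric error into its libgpg-error source and code fields. The sample is abridged from the log in the report; the function names are illustrative.

```python
import re

# Abridged from the log in the report above, keeping the mailer's hard line wraps.
SAMPLE_LOG = """\
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION grab
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- OK
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION default-yes=_Yes
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- ERR 83886254 Unknown
option <Pinentry>
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> OPTION
default-tt-hide=Hide passphrase
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- ERR 83886254 Unknown
option <Pinentry>
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 -> GETINFO pid
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- D 20180
2016-03-22 12:51:39 gpg-agent[20069] DBG: chan_8 <- OK
2016-03-22 12:51:39 gpg-agent[20069] DBG: error calling pinentry: No
passphrase given <GPG Agent>
"""

WRAP = re.compile(r"\n(?!\d{4}-\d\d-\d\d \d\d:\d\d:\d\d )")  # newline not followed by a timestamp
CHAN = re.compile(r"DBG: chan_\d+ (->|<-) (.*)$")

def unwrap(text):
    """Rejoin records the mailer wrapped: only a real record starts with a timestamp."""
    return WRAP.sub(" ", text.strip()).splitlines()

def exchanges(text):
    """Pair each command sent to pinentry (->) with its final status line (OK or ERR)."""
    pairs, pending = [], None
    for m in filter(None, map(CHAN.search, unwrap(text))):
        direction, payload = m.groups()
        if direction == "->":
            pending = payload
        elif pending and payload.split(" ", 1)[0] in ("OK", "ERR"):  # skip "D ..." data lines
            pairs.append((pending, payload))
            pending = None
    return pairs

def rejected_options(text):
    """Names of the OPTION commands that pinentry answered with ERR."""
    return [cmd.split(" ", 1)[1].split("=", 1)[0]
            for cmd, reply in exchanges(text)
            if cmd.startswith("OPTION ") and reply.startswith("ERR")]

def split_gpg_error(value):
    """libgpg-error packs the error source in bits 24-30 and the error code in bits 0-15."""
    return (value >> 24) & 0x7F, value & 0xFFFF
```
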