[pkg-gnupg-maint] Bug#854005: ssh-agent no longer works

Wouter Verhelst wouter at debian.org
Thu Feb 2 22:54:26 UTC 2017


Package: gnupg-agent
Version: 2.1.18-3
Severity: normal

Hi,

Since a recent upgrade, gnupg-agent no longer finds the authentication
(SSH) key on my OpenPGP smartcard:

wouter at gangtai:~$ gpg --card-status

Reader ...........: ACS ACR38U 00 00
Application ID ...: D2760001240102010005000047360000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 00004736
Name of cardholder: Wouter Verhelst
Language prefs ...: nl
Sex ..............: male
URL of public key : http://pgp.surfnet.nl:11371/pks/lookup?op=get&search=0x9B69FDF3F0DA0948066129F72DFC519954181296
Login data .......: [not set]
Signature PIN ....: forced
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 116
Signature key ....: 9B69 FDF3 F0DA 0948 0661  29F7 2DFC 5199 5418 1296
      created ....: 2016-04-11 11:46:27
Encryption key....: B057 2256 DD3D 8275 A1F2  3015 EBC4 535B 0557 DB14
      created ....: 2016-04-11 11:46:27
Authentication key: B7D1 52E7 6233 6135 DBEF  6435 965E 159D 1F28 844B
      created ....: 2016-04-11 11:46:27
General key info..: pub  rsa4096/2DFC519954181296 2016-04-11 Wouter Verhelst <w at uter.be>
sec>  rsa4096/2DFC519954181296  created: 2016-04-11  expires: never     
                                card-no: 0005 00004736
ssb>  rsa4096/965E159D1F28844B  created: 2016-04-11  expires: never     
                                card-no: 0005 00004736
ssb>  rsa4096/EBC4535B0557DB14  created: 2016-04-11  expires: never     
                                card-no: 0005 00004736
wouter at gangtai:~$ echo "foo bar" | gpg -r 54181296 -e | gpg
gpg: please do a --check-trustdb
gpg: 54181296: skipped: public key already present
gpg: encrypted with 4096-bit RSA key, ID EBC4535B0557DB14, created 2016-04-11
      "Wouter Verhelst <w at uter.be>"
foo bar
wouter at gangtai:~$ echo $SSH_AUTH_SOCK 
/run/user/1000/gnupg/S.gpg-agent.ssh
wouter at gangtai:~$ ssh-add -l
The agent has no identities.

The interesting part of the above is that the last command (the "ssh-add
-l" bit) actually reads from the card (I can see the cardreader LED
flash).  It just doesn't find anything.

Note: I removed the "90gpg-agent" file from Xsession.d, since it messes
up some other SSH key setup that I have, very much in the same way that
gnome-keyring messes up gpg-agent. With the previous version of
gpg-agent, it was enough to just run "gpg --card-status" to start the
agent and make the ssh key stuff work.

Having to fight with all of that is pretty ironic, given that ssh-agent
actually supports external modules through PKCS#11. Ah well.

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unreleased'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, m68k, arm64

Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=nl_BE.UTF-8, LC_CTYPE=nl_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnupg-agent depends on:
ii  libassuan0                  2.4.3-2
ii  libc6                       2.24-9
ii  libgcrypt20                 1.7.6-1
ii  libgpg-error0               1.26-2
ii  libnpth0                    1.3-1
ii  libreadline7                7.0-2
ii  pinentry-curses [pinentry]  1.0.0-1
ii  pinentry-gnome3 [pinentry]  1.0.0-1

Versions of packages gnupg-agent recommends:
ii  gnupg  2.1.18-3

Versions of packages gnupg-agent suggests:
ii  dbus-user-session  1.10.14-1
ii  libpam-systemd     232-15
ii  pinentry-gnome3    1.0.0-1
ii  scdaemon           2.1.18-3

-- Configuration Files:
/etc/X11/Xsession.d/90gpg-agent changed:


-- no debconf information
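
The symptom in the report above (card readable, yet "ssh-add -l" lists nothing) can be checked mechanically; the script below is an added example and is not part of the original report or of GnuPG. It assumes gpg-agent labels a card key in ssh-add output with the comment "cardno:<manufacturer><serial>" (the GnuPG 2.1-era format); the function names are hypothetical and the sample input is constructed from lines of the session above.

```shell
#!/bin/sh
# Added diagnostic sketch, not part of the original bug report.
# Assumption: gpg-agent labels a card key in ssh-add output with the comment
# "cardno:<manufacturer><serial>" (GnuPG 2.1-era format).

# Constructed sample input: lines copied from the session in the report.
SAMPLE_CARD_STATUS='Reader ...........: ACS ACR38U 00 00
Application ID ...: D2760001240102010005000047360000
Authentication key: B7D1 52E7 6233 6135 DBEF  6435 965E 159D 1F28 844B'
SAMPLE_SSH_ADD='The agent has no identities.'

# Read `gpg --card-status` text on stdin and print the expected comment.
# AID layout (hex digits): RID 10, application 2, version 4,
# manufacturer 4, serial 8, reserved 4.
expected_cardno() {
    aid=$(sed -n 's/^Application ID[ .]*: *\([0-9A-Fa-f]\{32\}\) *$/\1/p' | head -n 1)
    [ -n "$aid" ] || return 1
    printf 'cardno:%s\n' "$(printf '%s' "$aid" | cut -c17-28)"
}

# diagnose CARD_STATUS_TEXT SSH_ADD_TEXT
# Prints a verdict; returns 0 only when the agent offers the card key.
diagnose() {
    want=$(printf '%s\n' "$1" | expected_cardno) || { echo "no-card"; return 2; }
    if printf '%s\n' "$1" | grep -q '^Authentication key: *\[none\]'; then
        echo "no-auth-key-on-card"; return 3
    fi
    if printf '%s\n' "$2" | grep -qF "$want"; then
        echo "offered $want"; return 0
    fi
    echo "missing $want"; return 1
}

# Live use: diagnose "$(gpg --card-status)" "$(ssh-add -l)"
diagnose "$SAMPLE_CARD_STATUS" "$SAMPLE_SSH_ADD" || true
```

On the session quoted in the report this prints "missing cardno:000500004736": the card holds an authentication key, but the agent does not offer it over SSH_AUTH_SOCK.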


