Hi Adam, Julien--

On Mon 2016-12-05 18:23:14 -0500, Adam Borowski wrote:
> Same if you have a running X session but try to sign from the console;
> killing the gpg-agent doesn't help.
Please see https://bugs.debian.org/842015 for a very lengthy discussion of this issue. I think this is the same thing, so i'm inclined to merge it in with that bug report (and the other three bug reports already merged there).

The issue is:

 a) user has a graphical session

 b) gpg-agent is running, and knows it is associated with that session

 c) user connects to the same machine over SSH, and shares part of that session (e.g. via dbus-user-session), and asks the agent for use of secret key material.

 d) if the agent already has the passphrase cached, it continues on its way. If not, the agent needs to prompt the user, so it asks pinentry to do that job.

 e) depending on the pinentry installed, pinentry can prompt the user via one of three different ways, all of which are passed by gpg to gpg-agent via environment variables:

    * the terminal in use ($GPG_TTY)
    * the X11 display connected to ($DISPLAY)
    * the d-bus session ($DBUS_SESSION_BUS_ADDRESS)

 f) in the event that the prompting is done via d-bus (pinentry-gnome3's default), the prompt is displayed in the graphical session, because there is exactly one graphical session in use. In the scenario where the user only has access to the ssh session, prompting graphically doesn't help. However, if the GNOME graphical session is locked, or the user is not logged in on the graphical console, then the prompting falls back to the terminal in use.

So I think the problem you're describing is only happening when:

 0) pinentry-gnome3 is the default pinentry on the system, and
 1) dbus-user-session is installed and configured, and
 2) the user is logged into the system via ssh, and
 3) the user is *also* logged into the graphical console, and
 4) the graphical console is not screenlocked.

This is a worrisome way to operate the agent, since it grants access to your keys to anyone sitting at the unlocked console, but i understand that it is something that happens in some cases.
Does this describe your use case, or is there something different?

        --dkg
[Attachment: signature.asc, PGP signature]
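The five conditions dkg enumerates above, as an added diagnostic script that is not part of the bug report, GnuPG or Debian. Run from the SSH shell, it probes each condition on a live Debian system and reports whether a passphrase prompt for this user would be answered on the graphical console rather than on $GPG_TTY. Assumptions (not stated in the mail): Debian's /usr/bin/pinentry alternative symlink, dpkg-query for package state, and systemd-logind's loginctl with its Type and LockedHint session properties; the function names are this example's own.

```shell
#!/bin/sh
# Added diagnostic, not from the bug report, GnuPG or Debian: checks, from an SSH
# shell, whether the five conditions listed in the mail all hold, i.e. whether a
# pinentry prompt for this user would appear on an unlocked graphical console
# instead of on $GPG_TTY. Assumed: Debian's /usr/bin/pinentry alternative symlink,
# dpkg, and systemd-logind's loginctl with Type and LockedHint session properties.

# Pure decision, usable without any of the tools below. Arguments are yes/no for:
#   $1 pinentry-gnome3 is the default pinentry
#   $2 dbus-user-session is installed
#   $3 this shell is an ssh login
#   $4 the same user also has a graphical (x11/wayland) console session
#   $5 that graphical session is screen-locked
# Only when the first four are "yes" and the lock is "no" does the D-Bus prompt
# reach the console; in every other case pinentry falls back to the terminal.
prompt_channel() {
    if [ "$1" = yes ] && [ "$2" = yes ] && [ "$3" = yes ] && [ "$4" = yes ] && [ "$5" = no ]; then
        echo graphical-console
    else
        echo terminal
    fi
}

# Probes for a live system. Each prints yes/no (or a session id) and treats a
# missing tool as "condition not met" rather than aborting.
pinentry_is_gnome3() {
    case "$(readlink -f /usr/bin/pinentry 2>/dev/null)" in
        */pinentry-gnome3) echo yes ;;
        *) echo no ;;
    esac
}

dbus_user_session_installed() {
    case "$(dpkg-query -W -f='${Status}' dbus-user-session 2>/dev/null)" in
        *"install ok installed"*) echo yes ;;
        *) echo no ;;
    esac
}

# sshd exports both of these into the login shell.
logged_in_via_ssh() {
    if [ -n "$SSH_CONNECTION" ] || [ -n "$SSH_TTY" ]; then echo yes; else echo no; fi
}

# First logind session of the current user whose Type is x11 or wayland, if any.
# USER is the third column of `loginctl list-sessions`.
graphical_session_id() {
    command -v loginctl >/dev/null 2>&1 || return 0
    for sid in $(loginctl list-sessions --no-legend 2>/dev/null | awk -v u="$(id -un)" '$3 == u { print $1 }'); do
        case "$(loginctl show-session "$sid" -p Type 2>/dev/null)" in
            Type=x11|Type=wayland) echo "$sid"; return 0 ;;
        esac
    done
}

# LockedHint is what the desktop's screen lock reports to logind (assumed available).
session_locked() {
    case "$(loginctl show-session "$1" -p LockedHint 2>/dev/null)" in
        LockedHint=yes) echo yes ;;
        *) echo no ;;
    esac
}

report() {
    gnome3=$(pinentry_is_gnome3)
    dbus=$(dbus_user_session_installed)
    ssh=$(logged_in_via_ssh)
    sid=$(graphical_session_id)
    if [ -n "$sid" ]; then graphical=yes; locked=$(session_locked "$sid"); else graphical=no; locked=no; fi
    printf 'pinentry-gnome3=%s dbus-user-session=%s ssh=%s graphical-session=%s locked=%s\n' \
        "$gnome3" "$dbus" "$ssh" "$graphical" "$locked"
    channel=$(prompt_channel "$gnome3" "$dbus" "$ssh" "$graphical" "$locked")
    echo "passphrase prompt would go to: $channel"
    if [ "$channel" = graphical-console ]; then
        echo "WARNING: anyone at the unlocked console can answer the prompt and use your keys."
    fi
}

report
```

The probes are deliberately conservative: a missing tool or an unreadable property counts as "condition not met", so on a machine without logind the script can only ever report the terminal as the prompt channel, which is the same answer the mail gives for the no-graphical-session case. prompt_channel is the pure encoding of the five-point list and can be exercised on its own with yes/no arguments.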