Hello, I have struggled with getting GPG keys to work for SSH authentication for the better part of two days. I'm almost completely there, and would like to ask gnupg-users' help in understanding this one last quirk.
To be brief, I have gpg-agent set up with ssh support enabled. I'm using an authentication-only subkey for SSH authentication. If I _don't_ set a password on this subkey, I can log into my SSH servers no problem. This is what I'm doing right now, because my security needs are not very strict. It's when I _do_ set a password that I run into problems.

Basically, there are two ways that I have figured out to get it to work: I can use the `pinentry-mac` GUI pinentry program, and everything works fine. Or, I can set `allow-preset-passphrase` and then manually cache the passphrase up front with `gpg-preset-passphrase`. (Only, that's problematic because it can't be automated without storing the passphrase in cleartext.)

But for some reason, it just doesn't work with `pinentry-curses`: SSH (GPG) key authentication fails silently, and the server falls back to password authentication. (I have made sure to set `$GPG_TTY`, so `pinentry-curses` works just fine for everything else, just not SSH authentication. For instance, I can `echo hello | gpg -s` and I'll get the pinentry password prompt in the terminal.)

So, why can't I use `pinentry-curses` for SSH authentication? Does it have something to do with the `$GPG_TTY` environment variable not being set on the SSH server? Any insight or clues on how to troubleshoot this problem would be deeply appreciated.

(FWIW, I'm on Mac OS 10.11 El Capitan with GnuPG 2.1.21 and pinentry 1.0.0, both installed via Homebrew. And yes, I'm making the necessary changes to the `pinentry-program` setting in `~/.gnupg/gpg-agent.conf` when testing these alternatives.)

—Ryan

P.S. I've posted a guide on my blog with a comprehensive rundown of the steps I took to get it all set up — that might be able to clarify any questions you might have about my configuration: http://ryanlue.com/posts/2017-06-29-gpg-for-ssh-auth

If Werner is interested, I think the official website could really use some friendlier Getting Started guides, and I'd be happy to contribute. I posted my guide on /r/linux, and you'd be surprised at how many people thought ssh authentication via gpg was an “unconventional hack”.
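A small diagnostic for the setup described in the post, added here as an example (it is not the poster's code or GnuPG's): it reads a `gpg-agent.conf` for the options named above and reports whether a terminal pinentry can be reached from the ssh path. The sample conf is constructed, and the `gpg-connect-agent updatestartuptty /bye` step it suggests is the one the gpg-agent manual gives for `--enable-ssh-support`, since the ssh-agent protocol carries no terminal information to the agent.

```shell
#!/bin/sh
# Added diagnostic for a gpg-agent used as ssh-agent (example, not the poster's code).
# Each function takes the path of a gpg-agent.conf as $1.

# Succeed if the option appears at the start of a line in the conf file.
agent_has() {
  grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# Print the value of an option (last occurrence wins); prints nothing if unset.
agent_opt() {
  grep -E "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | sed -E "s/^[[:space:]]*$2[[:space:]]+//"
}

# Classify the configured pinentry: curses, mac, other, or default (no line set).
pinentry_kind() {
  case "$(agent_opt "$1" pinentry-program)" in
    "")                               echo default ;;
    *pinentry-curses*|*pinentry-tty*) echo curses ;;
    *pinentry-mac*)                   echo mac ;;
    *)                                echo other ;;
  esac
}

# The ssh-agent protocol carries no terminal information, so a curses pinentry
# only works if GPG_TTY is exported *and* the running agent has been told about
# it (gpg-connect-agent updatestartuptty /bye). $2 is the value of GPG_TTY.
tty_pinentry_ready() {
  if [ "$(pinentry_kind "$1")" != curses ]; then
    echo not-needed
  elif [ -z "$2" ]; then
    echo missing-GPG_TTY
  else
    echo "run: gpg-connect-agent updatestartuptty /bye"
  fi
}

# Constructed sample mirroring the post's setup (not a file from the post).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
enable-ssh-support
pinentry-program /usr/local/bin/pinentry-curses
EOF

agent_has "$SAMPLE_CONF" enable-ssh-support && echo "ssh support: on" || echo "ssh support: OFF"
echo "pinentry:    $(pinentry_kind "$SAMPLE_CONF")"
echo "tty check:   $(tty_pinentry_ready "$SAMPLE_CONF" "${GPG_TTY:-}")"
```

Point the functions at the real `~/.gnupg/gpg-agent.conf` to check a live setup; the `updatestartuptty` step has to be repeated whenever the agent outlives the terminal it was started from.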