On 30/06/17 05:54, Ryan Lue wrote:
> Does it have something to do with the `$GPG_TTY` environment variable
> not being set on the SSH server?

Almost; it has to do with the GPG_TTY variable not being communicated to the agent. The agent does not know on which tty the request for a pinentry is made. To use a text mode pinentry with SSH, you need to invoke:

$ gpg-connect-agent updatestartuptty /bye

on the tty where you'll be SSH'ing (or some variation; this one is pretty succinct). Otherwise the pinentry will pop up on the tty where you did that last, or the tty that started the agent if you never did it. That tty might not exist, not exist anymore, or be in a surprising location.

It would be really good if the SSH agent protocol would be extended to communicate on which tty a request comes in. Without updates to the SSH protocol, there is simply no way to know where it comes from.

However, I think many people work around this problem by a) using a graphical pinentry and b) using a single graphical session. As long as one also refrains from SSH'ing from a remote terminal, with the combination, you've circumvented the problem by just using the effectively singleton graphical session :-).

> I posted my guide on /r/linux, and you'd be surprised at how many
> people thought ssh authentication via gpg was an "unconventional
> hack".

That is a surprising characterization. Do they also think this of the GNOME and KDE SSH agents, to name two? I suspect those two are much more widely used, which might eliminate the qualification "unconventional", but that still begs the question: why "hack"?

I'd wager that this problem also occurs with the GNOME and KDE SSH agents, if you for instance share a "screen" session with a Linux virtual terminal (which would take care of sharing SSH_AGENT). My guess is if you SSH from the virtual terminal, it'll freeze while your "swapped out" graphical session invisibly prompts you to enter your passphrase. But I haven't tried it.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
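The `updatestartuptty` workaround Peter describes, wrapped up as an added POSIX shell example. This is not part of the original mail or of GnuPG itself; the function names `gpg_pick_tty`, `gpg_update_tty` and `gssh` are assumptions made here. The only GnuPG commands it runs are `gpg-connect-agent updatestartuptty /bye`, exactly as quoted above, and (in the comment) `gpgconf --list-dirs agent-ssh-socket` to locate the agent's SSH socket. The point of splitting the tty detection out is the failure mode the mail is about: if the shell you `ssh` from has no controlling terminal (a cron job, a pipe, a detached screen), there is no sensible tty to hand the agent, and the wrapper says so instead of silently leaving the pinentry on whatever tty was registered last.

```shell
#!/bin/sh
# Added example: route gpg-agent's pinentry to the tty you are about to ssh from.
# Assumes gpg-agent is already acting as your SSH agent, i.e. gpg-agent.conf
# contains "enable-ssh-support" and SSH_AUTH_SOCK points at the socket printed by
#   gpgconf --list-dirs agent-ssh-socket
# Neither of those is set up by this script.

# Print the tty GnuPG should prompt on. An explicit argument wins (handy from
# scripts or when testing); otherwise use the controlling terminal of stdin.
# Returns 1 when there is no usable tty, which is exactly the case in which
# the agent would otherwise prompt somewhere surprising.
gpg_pick_tty() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
        return 0
    fi
    if t=$(tty 2>/dev/null) && [ -n "$t" ] && [ "$t" != "not a tty" ]; then
        printf '%s\n' "$t"
        return 0
    fi
    return 1
}

# Export GPG_TTY for this shell and tell the already-running agent to use it
# for the next pinentry. Return codes: 0 ok, 1 no tty found,
# 2 gpg-connect-agent is not installed (GPG_TTY is still exported).
gpg_update_tty() {
    GPG_TTY=$(gpg_pick_tty "$1") || {
        echo "gpg_update_tty: no controlling tty; pinentry would land elsewhere" >&2
        return 1
    }
    export GPG_TTY
    command -v gpg-connect-agent >/dev/null 2>&1 || return 2
    # This is the command from the mail; it makes the agent's "startup tty"
    # the one we are on, so a text-mode pinentry appears here.
    gpg-connect-agent updatestartuptty /bye >/dev/null
}

# ssh wrapper: refresh the agent's notion of the tty, then run ssh as usual.
# A failure to register the tty is reported but does not block the connection;
# a pinentry on the wrong tty is annoying, not a security failure.
gssh() {
    gpg_update_tty || echo "gssh: warning: could not register tty with gpg-agent" >&2
    ssh "$@"
}

# Typical use: put the functions above in ~/.profile or ~/.bashrc, then
#   gssh user@host
# instead of "ssh user@host" from any terminal, including one inside screen/tmux.
```

If you would rather keep plain `ssh`, call `gpg_update_tty` from your shell's prompt hook (for example `PROMPT_COMMAND` in bash) so the agent is re-pointed every time you switch terminals; the cost is one short round trip to the agent per prompt.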