SSH and gpg2: pinentry errors hidden from view, agent refused operation

Thu, 30 Dec 2021 07:21:11 -0800 

Hello,

I have used GNUpg2 v 2.2.19 [1] to create an authentication RSA subkey
for use with SSH.  At one point, I got past pinentry's blocking of the
use of the private key and successfully logged in via SSH to the server
from the one session.  In order to test my notes (as I usually do) I
erased everything and started over with a newly created client-side
account and updated authorized_keys on the server.  Some step is missing
and I cannot figure out how to get pinentry involved to make the key
available for the SSH client to use again.

What else is needed to get pinentry invoked so that the SSH client can
connect using the GnuPG RSA key?

At this point the public key is visible in the SSH agent:

 $ ssh-add -l
 3072 SHA256:j0V4cVzC...NKQPA (none) (RSA)

and the public key has been saved in the default file:

 $ssh-add -L > ~/.ssh/id_rsa

and the SSH client seems to offer the public key to the server,

 $ time ssh -v server.example.org
 ...
 debug1: Next authentication method: publickey
 debug1: Offering public key: (none) RSA SHA256:j0V4cVzC...NKQPA agent
 debug1: Server accepts key: (none) RSA SHA256:j0V4cVzC...NKQPA agent
 sign_and_send_pubkey: signing failed for RSA "/home/lars/.ssh/id_rsa"
        from agent: agent refused operation
 ...
 debug1: Trying private key: /home/lars/.ssh/id_xmss
 debug1: No more authentication methods to try.
 debug1: Next authentication method: keyboard-interactive
 Connection closed by server.example.org port 22
 ssh -v server.example.org 0.00s user 0.00s system 0% cpu 2:05.81 total

The contents of gpg-agent.conf and gpg.conf are as follows:

 $ cat ~/.gnupg/gpg-agent.conf
 pinentry-program /usr/bin/pinentry-curses
 enable-ssh-support
 allow-loopback-pinentry

 $ cat ~/.gnupg/gpg.conf
 use-agent
 pinentry-mode loopback

I have set $GPG_TTY and $SSH_AUTH_SOCK

 $ export GPG_TTY=$(tty)
 $ gpg-connect-agent updatestartuptty /bye >/dev/null

 $ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

 $  gpg-agent status /bye
 gpg-agent[48580]: gpg-agent running and available

What else should I add, change, or read to get past the barrier of pinentry?

/Lars

[1]     $ apt-cache policy gnupg2  | head -n 2
        gnupg2:
          Installed: 2.2.19-3ubuntu2.1

        $ gpg2 --version | head -n 2
        gpg (GnuPG) 2.2.19
        libgcrypt 1.8.5

        $ lsb_release -rd
        Description:    Linux Mint 20.2
        Release:        20.2

        $ uname -prs
        Linux 5.4.0-91-generic x86_64

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to