Kmail and gpg-agent

As we now have gpg-agent in the repos, I just wondered why KMail does not work with it.
I did everything from http://kmail.kde.org/kmail-pgpmime-howto.html
but KMail is still opening the dialogue to type the passphrase, and KGpg is now complaining with this:
I'm starting gpg-agent from ~/.xinitrc with this line:
gpg-agent --daemon
and
[damir@Asteraceae ~]$ ps -e | grep gpg-agent
6628 ? 00:00:00 gpg-agent
Thanks in advance for any help.

tpowa wrote: strange, did you also do that pinentry stuff?
I have
pinentry-program /usr/bin/pinentry-qt
in ~/.gnupg/gpg-agent.conf, if you mean that ... maybe there are some other things to do?
tpowa wrote: I didn't test the functionality of gpg.
Can someone do some research on that?
KDE 3.3.2 is round the corner; it would be great if it works by then.
Yeah, that would be nice ...
Well, without the gpg-agent (the classical way), gpg works fine, but it is not really cool having to type a long passphrase each time you send a signed email (especially if you write lots of emails to lots of different people per day).
Here is the dialogue I always get when I want to send an email (in KDE 3.3.x the gpg-agent lines are new, but the dialogue itself is old (since 3.1.4 it has been working fine the classical way)).

Similar Messages

  • KDE4.1 ssh-agent and gpg-agent

    Suddenly, after an update of kdeworkspace, my ssh-agent and gpg-agent have stopped working. Does anyone else also have this problem?
    Regards,

    I've also had this problem, although I don't know the exact time it stopped working as I have not had to use my laptop to ssh for a while.
    Everything seems to get created OK - the socket is created:
    [daren@daren_laptop env]$ ll /tmp/gpg-MZi0kX/
    total 0
    srwxr-xr-x 1 daren daren 0 2009-01-18 10:06 S.gpg-agent
    and the env variable points to it:
    [daren@daren_laptop env]$ env | grep GPG
    GPG_AGENT_INFO=/tmp/gpg-MZi0kX/S.gpg-agent:4508:1
    and the agent is running on the correct pid:
    [daren@daren_laptop env]$ ps axf | grep gpg-agent
    4508 ? Ss 0:00 gpg-agent --daemon
    4902 pts/0 R+ 0:00 \_ grep gpg-agent
    If I run ssh-add from the command line, I get this:
    [daren@daren_laptop env]$ ssh-add
    Could not open a connection to your authentication agent.
    [daren@daren_laptop env]$
    I'm not that clued up on using the agent - it's always "just worked" after adding the script to ~/.kde4/env, but I'm kind of stuck now.  There was another post about issues with KDE 4.1 and the agents, but they resolved theirs by doing what I've had setup for a while now.

  • Kmail and gpg support (decryption troubles)

    I can sign mails, encrypt them and verify signatures, but I'm unable to decrypt messages. I get following error:
    Encrypted message (decryption not possible)
    Reason: Crypto plug-in "openpgp" could not decrypt the data.
    Error: Bad passphrase
    It seems to be related to a missing gpg-agent, but I cannot find it in the Arch packages. Is it packaged for Arch? Are there ways to proceed without gpg-agent? Other solutions?
    Thanks in adv!

    evdvelde wrote:
    Jacob wrote: The problem here is that Arch uses gpg 1.4.2; to have the program "gpg-agent" we need gpg version 1.9 (which is a beta).
    Then why did it work with earlier kmail versions? What was different? I think it should be possible not to use the gpg-agent, as it is only there to remember your passphrase for a while; decryption is done by the 'normal' gpg. However... I did not find the trick.
    I'll show you what's different, kmail changed... Look here:
    http://www.linuxjournal.com/articles/lj … 7354f3.png
    see the option "keep passphrase in memory", oh how I wish our newer/shiney-er versions had that option.
    It seems that kmail doesn't have that option anymore; they might have offloaded it to kgpg (which makes more sense from a design perspective). But as a result we either need gpg 1.9 (for its gpg-agent), then toggle that option "on" in kgpg's configuration settings (under GnuPG Settings -> "Use GnuPG agent") and pray it's all integrated and has worked out all the kinks.
    Jacob

  • Keychain and gpg-agent not getting along

    I have a problem with gpg-agent. I have been using the Funtoo keychain tool for a while, for my SSH keys exclusively. Works flawlessly - I log in, I call keychain, I type in my passphrases, and it caches my keys. Never get prompted for a passphrase during SSH connection attempts.
    GPG is a different story. I have a GPG key, and I occasionally en- and decrypt files with it. So far so good. I also found out how to get keychain to cache the GPG key. It also picks up my gpg-agent, which is started as per the wiki entry (except that instead of putting it systemwide in /etc/profile.d, I put it in Openbox's ~/.config/openbox/environment file, which is where the SSH agent stuff is supposed to go as well).
    Gpg-agent seemingly launches fine, it exports its environment variables just fine:
    $ echo $GPG_AGENT_INFO
    /tmp/gpg-3faT29/S.gpg-agent:2352:1
    $ cat .gnupg/gpg-agent.env
    GPG_AGENT_INFO=/tmp/gpg-3faT29/S.gpg-agent:2352:1
    There's only one gpg-agent process running:
    $ ps aux|grep gpg-agent
    luser 2352 0.0 0.0 16252 1184 ? Ss 00:00 0:00 gpg-agent --daemon --write-env-file /home/stijn/.gnupg/gpg-agent.env
    luser 3411 0.0 0.0 9276 1016 pts/0 S+ 00:16 0:00 grep gpg-agent
    Keychain picks that up as well:
    $ keychain --eval
    * keychain 2.7.1 ~ http://www.funtoo.org
    * Found existing ssh-agent: 2346
    SSH_AUTH_SOCK=/tmp/ssh-YhDgORoL2345/agent.2345; export SSH_AUTH_SOCK;
    SSH_AGENT_PID=2346; export SSH_AGENT_PID;
    * Found existing gpg-agent: 2352
    GPG_AGENT_INFO=/tmp/gpg-3faT29/S.gpg-agent:2352:1; export GPG_AGENT_INFO;
    * Known ssh key: /home/stijn/.ssh/id_rsa-amalthea
    * Known ssh key: /home/stijn/.ssh/id_rsa-athena
    * Known ssh key: /home/stijn/.ssh/id_rsa-zeus
    * Known ssh key: /home/stijn/.ssh/id_rsa-mnemosyne
    * Known gpg key: [8 digit hex key]
    However, when I open Mutt (or just try to decrypt about any GPG encrypted file), it will prompt me for the passphrase, despite the key already being cached. Passing --use-agent does not help (I also set that in ~/.gnupg/gpg.conf).
    The bizarre thing being, of course, that the keychain-cached key did not get picked up, but if I enter my passphrase into the prompt I get the first time I call gpg, it does seem to get cached - I can open mutt, decrypt files, etc., it will all use that cached key.
    Any tips? I get the feeling I'm missing something, but couldn't find what exactly.
    Last edited by .:B:. (2011-12-06 22:25:27)

    Gpg-agent by itself works fine, although I get the feeling that, a bit like sudo, there's an expiration date on the cached key - it seems I need to type the passphrase again after a few hours or so.
    Either way, I'd love to get this working with keychain.

  • How do I configure Kwallet to manage SSH and GPG keys? [SOLVED]

    I'm using a select few KDE programs (not the DE) such as Kontact (and with that KMail, Korganizer, Kaddressbook...) and Kwallet. I've got a GPG and an SSH key which I need in Git to sign commits and push. I'd like to have Kwallet manage ALL of these passwords/passphrases, (e-mail, SSH, GPG) and only be prompted for a password to unlock my wallet once per session - or better yet, have the wallet unlocked by logging in (like the keychain in OS X). I'm currently using SLiM (systemd, slim.service) as the login manager. I had a glance at this tutorial for inspiration but to no success...
    This is my ~/.xinitrc:
    #!/bin/sh
    if [ -d /etc/X11/xinit/xinitrc.d ]; then
    for f in /etc/X11/xinit/xinitrc.d/*; do
    [ -x "$f" ] && . "$f"
    done
    unset f
    fi
    # Hide mouse cursor when idle
    unclutter -idle 4 &
    # Background image
    hsetroot -fill $HOME/img/08.jpg &
    # Window manager
    xmonad
    This is my ~/.zprofile (failed attempt, fake GPG-key name)
    #!/bin/sh
    # Load keychain to handle ssh and gpg keys
    export SSH_ASKPASS=/usr/bin/ksshaskpass
    eval `keychain --eval id_rsa 1234ABCD`
    $HOME/.keychain/`hostname`-sh
    $HOME/.keychain/`hostname`-sh-gpg
    This is my ~/.gnupg/gpg.conf (commented lines not included)
    no-greeting
    require-cross-certification
    charset utf-8
    keyserver hkp://keys.gnupg.net
    Last edited by totte (2012-10-25 10:49:52)

    No success so far, really, need more ideas.
    Neither of /etc/kde/env/{gpg,ssh}-agent-startup.sh seems to be run by anything automatically on my system upon boot and logging in. I tried going back to the beginning and I got GPG working alright: when signing a commit I was automatically authenticated. SSH however still prompts me by CLI to enter my passphrase when I try to git-push or ssh into a server. I set an empty password for the wallet to have it "unlocked by logging in". I thought setting "export SSH_ASKPASS='/usr/bin/ksshaskpass'" in ~/.zprofile would have it prompt for the password in some manner of Qt window related to Kwallet, but apparently it doesn't. In top both ssh-agent and gpg-agent are displayed as running - but if I run gpg-agent in Konsole I get the output "gpg-agent: no gpg-agent running in this session"; ssh-agent on the other hand outputs "SSH_AUTH_SOCK=/tmp/ssh-noaDS3C4AP8M/agent.1830; export SSH_AUTH_SOCK;
    SSH_AGENT_PID=1831; export SSH_AGENT_PID;
    echo Agent pid 1831;".
    Here's my ~/.zprofile, ~/.xinitrc, ~/.gnupg/gpg.conf, ~/.gnupg/gpg-agent.conf and ~/.zshrc (probably irrelevant but included anyway):
    ~/.zprofile
    export EDITOR='vim'
    export GIT_EDITOR='vim -fg'
    export GPG_TTY=$(tty)
    export GREP_COLOR='1;34'
    export GREP_OPTIONS='--color=auto'
    export LANG='en_GB.UTF-8'
    export PAGER='less'
    export PINENTRY='/usr/bin/pinentry-kwallet'
    export SSH_ASKPASS='/usr/bin/ksshaskpass'
    export VISUAL='vim'
    ~/.xinitrc
    #!/bin/sh
    if [ -d /etc/X11/xinit/xinitrc.d ]; then
    for f in /etc/X11/xinit/xinitrc.d/*; do
    [ -x "$f" ] && . "$f"
    done
    unset f
    fi
    # Kwallet
    kwalletd &
    # Keychain (SSH & GPG)
    eval `keychain --eval id_rsa 1234ABCD` &
    # Hide mouse cursor when idle
    unclutter -idle 4 &
    # Background image
    hsetroot -fill $HOME/img/08.jpg &
    # Akonadi
    akonadictl start &
    # Music Player Daemon
    mpd &
    # Window manager
    xmonad
    ~/.gnupg/gpg.conf
    no-greeting
    require-cross-certification
    charset utf-8
    keyserver hkp://keys.gnupg.net
    use-agent
    ~/.gnupg/gpg-agent.conf
    pinentry-program /usr/bin/pinentry-kwallet
    no-grab
    ~/.zshrc (probably irrelevant)
    # PATH
    # System executables
    PATH0="/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin"
    # My executables
    PATH1="$HOME/bin"
    export PATH="$PATH0:$PATH1"
    # COLOURS
    autoload colors; colors;
    eval "`dircolors -b ~/.dircolorsrc`"
    # GENERAL
    HISTFILE=$HOME/.zsh_history
    HISTSIZE=10000
    SAVEHIST=10000
    setopt append_history
    setopt extended_history
    setopt hist_expire_dups_first
    setopt hist_ignore_dups
    setopt hist_ignore_space
    setopt hist_verify
    setopt inc_append_history
    setopt share_history
    setopt prompt_subst
    setopt correctall
    setopt auto_menu
    setopt complete_in_word
    setopt always_to_end
    setopt extendedglob
    # ALIASES
    alias rezsh='. ~/.zshrc'
    alias _='sudo '
    alias l='ls -lh --color'
    alias la='ls -lAh --color'
    alias -- -='cd -'
    alias ..='cd ..'
    alias df='df -h'
    alias g='git'
    alias tmux='tmux attach'
    alias cp='cp -v'
    alias mv='mv -v'
    alias rm='rm -v'
    alias rmdir='rmdir -v'
    alias d='dirs -v'
    bu(){cp -v $1 ${1}.backup}
    cmds(){history | awk '{print $2}' | sort | uniq -c | sort -rn | head}
    md(){mkdir -p $1; cd $1}
    # OS-specific aliases
    if [[ $(uname) == "Darwin" ]]; then
        # Mac OS X
        alias pkgs='port search' # Search
        alias pkgi='sudo port install' # Install
        alias pkgu='sudo port selfupdate && sudo port upgrade outdated' # Update & Upgrade
        alias pkgr='sudo port uninstall --follow-dependencies' # Remove package and unused dependencies
        alias pkgl='port installed' # List installed packages
        alias python='/usr/local/bin/python3'
        alias pip='pip-3.2'
        alias pips='pip-3.2 search'
        alias pipi='pip-3.2 install'
        alias pipu='pip-3.2 install -U'
        alias pipr='pip-3.2 uninstall'
        alias pipl='pip-3.2 freeze'
        alias v='mvim'
    elif [[ $(uname) == "Linux" ]]; then
        alias pips='pip search'
        alias pipi='pip install'
        alias pipu='pip install -U'
        alias pipr='pip uninstall'
        alias pipl='pip freeze'
        alias v='vim'
        case $(lsb_release -d | cut -f2 | cut -d " " -f1) in
            (Arch) # Arch Linux
                alias equa='alsamixer -D equal'
                alias pkgs='pacman -Ss' # Search
                alias pkgi='sudo pacman -S' # Install
                alias pkgu='sudo pacman -Syu' # Update & Upgrade
                alias pkgr='sudo pacman -Rns' # Remove package, configuration backups and unused dependencies
                alias pkgl='pacman -Q' # List installed packages
                alias pkgd='whoneeds' # List packages depending on specified package
                alias poweroff='sudo systemctl poweroff'
                alias reboot='sudo systemctl reboot'
                alias nw='wicd-curses'
                ;;
            (Debian|Ubuntu) # Debian and Ubuntu
                alias pkgs='aptitude search' # Search
                alias pkgi='sudo aptitude install' # Install
                alias pkgu='sudo aptitude update && sudo aptitude upgrade' # Update & Upgrade
                alias pkgr='sudo aptitude purge' # Remove package, configuration files and unused dependencies
                alias pkgl='aptitude search -F "%p" "~i"' # List installed packages
                alias reboot='sudo shutdown -r now'
                alias shutdown='sudo shutdown -h now'
                ;;
        esac
    fi
    # Host-specific aliases
    if [[ ${HOST:r} == "betre" ]]; then
    alias poff='sudo /sbin/write-magic 0xdeadbeef && sudo /sbin/reboot'
    fi
    # TAB COMPLETION
    autoload compinit
    compinit
    # Case-insensitive (all),partial-word and then substring completion
    zstyle ':completion:*' matcher-list 'm:{a-zA-Z}={A-Za-z}' 'r:|[._-]=* r:|=*' 'l:|=* r:|=*'
    zstyle ':completion:*:*:*:*:*' menu select
    zstyle ':completion:*:cd:*' tag-order local-directories directory-stack path-directories
    cdpath=(.)
    # Use /etc/hosts and known_hosts for hostname completion
    [ -r /etc/ssh/ssh_known_hosts ] && _global_ssh_hosts=(${${${${(f)"$(</etc/ssh/ssh_known_hosts)"}:#[\|]*}%%\ *}%%,*}) || _ssh_hosts=()
    [ -r ~/.ssh/known_hosts ] && _ssh_hosts=(${${${${(f)"$(<$HOME/.ssh/known_hosts)"}:#[\|]*}%%\ *}%%,*}) || _ssh_hosts=()
    [ -r /etc/hosts ] && : ${(A)_etc_hosts:=${(s: :)${(ps:\t:)${${(f)~~"$(</etc/hosts)"}%%\#*}##[:blank:]#[^[:blank:]]#}}} || _etc_hosts=()
    hosts=(
        "$_global_ssh_hosts[@]"
        "$_ssh_hosts[@]"
        "$_etc_hosts[@]"
        `hostname`
        localhost
    )
    zstyle ':completion:*:hosts' hosts $hosts
    # KEYBINDINGS
    bindkey '^[[A' history-beginning-search-backward
    bindkey '^[[B' history-beginning-search-forward
    bindkey "^[[H" beginning-of-line
    bindkey "^[[1~" beginning-of-line
    bindkey "^[OH" beginning-of-line
    bindkey "^[[F" end-of-line
    bindkey "^[[4~" end-of-line
    bindkey "^[OF" end-of-line
    # Make the delete key (or Fn + Delete on the Mac) work instead of outputting a ~
    bindkey '^?' backward-delete-char
    bindkey "^[[3~" delete-char
    bindkey "^[3;5~" delete-char
    bindkey "\e[3~" delete-char
    # TITLES
    tmux_title="%16<..<%~%<<"
    term_tab_title="%m"
    term_title="Terminal"
    function title(){
        if [[ "$TERM" == screen* ]]; then
            print -Pn "\ek$tmux_title:q\e\\"
        elif [[ $TERM == rxvt* ]] || [[ "$TERM_PROGRAM" == "iTerm.app" ]]; then
            print -Pn "\e]2;$term_title:q\a"
            print -Pn "\e]1;$term_tab_title:q\a"
        fi
    }
    function title_precmd(){
        title $tmux_title $term_tab_title $term_title
    }
    function title_preexec(){
        emulate -L zsh
        setopt extended_glob
        local tmux_title=${1[(wr)^(*=*|sudo|ssh|-*)]}
        title $tmux_title $term_tab_title $term_title
    }
    # ZSH VCS_INFO MODULE
    autoload -Uz vcs_info
    #zstyle ':vcs_info:*+*:*' debug true
    zstyle ':vcs_info:*' enable git
    zstyle ':vcs_info:git*' formats '%fon $(rou)%b%f%c%u%m'
    zstyle ':vcs_info:git*' actionformats '%fon $(rou)%b%f:$(rou)%a%f%c%u%m'
    zstyle ':vcs_info:git*:*' stagedstr ' (staged)'
    zstyle ':vcs_info:git*:*' unstagedstr ' (unstaged)'
    zstyle ':vcs_info:git*:*' get-revision true
    zstyle ':vcs_info:git*:*' check-for-changes true
    zstyle ':vcs_info:git*+set-message:*' hooks git-stash git-untracked
    # Display count of stashed changes
    function +vi-git-stash(){
        local -a stashes
        if [[ -s ${hook_com[base]}/.git/refs/stash ]] ; then
            stashes=$(git stash list 2>/dev/null | wc -l)
            if [[ $stashes > 1 ]] ; then
                hook_com[misc]+=" (${stashes} stashes)"
            else
                hook_com[misc]+=" (${stashes} stash)"
            fi
        fi
    }
    # Display message if untracked files are present
    function +vi-git-untracked(){
        if [[ $(git rev-parse --is-inside-work-tree 2> /dev/null) == 'true' ]] && \
            git status --porcelain | grep '??' &> /dev/null ; then
            hook_com[unstaged]+=" (untracked files present)"
        fi
    }
    function prompt_precmd(){
        vcs_info
    }
    # PROMPT
    # Root or user?
    function rou(){
        if [[ $UID -eq 0 ]] ; then
            echo "%{$fg[magenta]%}"
        else
            echo "%{$fg[blue]%}"
        fi
    }
    # Display ± if we're in a git repository and » at all other times
    function prompt_character(){
        git branch >/dev/null 2>/dev/null && echo '%{$fg[white]%}±%{$reset_color%}' && return
        echo '%{$fg[white]%}»%{$reset_color%}'
    }
    # Set the prompt
    function set_prompt(){
        PROMPT="$(rou)%n %{$reset_color%}at $(rou)%m %{$reset_color%}in $(rou)%~ ${vcs_info_msg_0_}
    %{$reset_color%}$(prompt_character) "
    }
    # HOOKS
    autoload -U add-zsh-hook
    add-zsh-hook preexec title_preexec
    add-zsh-hook precmd title_precmd
    add-zsh-hook precmd prompt_precmd
    add-zsh-hook precmd set_prompt

  • Loop-aes/mount with gpg-agent

    Hey,
    this is not really an Arch related problem, but as this is the only forum I'm using, I'll try it here. The system I'm testing on is Debian etch. loop-aes and gpg-agent alone work fine, when I decrypt data with gpg, pinentry is called and gpg-agent stores the passphrase. I can encrypt/decrypt partitions with loop-aes using a keyfile etc. Now the problem: to decrypt encrypted partitions I want to use a keyfile which is encrypted with gpg. The fstab entry is like this:
    /dev/hda10 /yyy ext3 defaults,loop=/dev/loop4,encryption=AES128,gpgkey=/root/key.asc 0 0
    When I now mount /yyy, the system asks for the passphrase, but not with pinentry. So gpg-agent doesn't store the passphrase. Any ideas?

  • Help with gpg-agent, ssh, and pinentry-curses

    I use gpg-agent to manage my ssh keys, and for a system that I regularly ssh into, I would like to use pinentry-curses instead of the default pinentry-gtk-2. However, this doesn't work.
    Specifically, I start gpg-agent using script from the arch wiki, /etc/profile.d/gpg-agent.sh:
    if [ $EUID -ne 0 ] ; then
        envfile="$HOME/.gnupg/gpg-agent.env"
        if [[ -e "$envfile" ]] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
            eval "$(cat "$envfile")"
        else
            eval "$(gpg-agent --daemon --enable-ssh-support --write-env-file "$envfile")"
        fi
        export GPG_AGENT_INFO # the env file does not contain the export statement
        export SSH_AUTH_SOCK # enable gpg-agent for ssh
    fi
    and have the following config files
    ~/.gnupg/gpg-agent.conf:
    # Keyboard control
    no-grab
    # PIN entry program
    pinentry-program /usr/bin/pinentry-curses
    #pinentry-program /usr/bin/pinentry-qt4
    #pinentry-program /usr/bin/pinentry-kwallet
    #pinentry-program /usr/bin/pinentry-gtk-2
    ~/.gnupg/gpg.conf:
    use-agent
    ~/.bashrc:
    GPG_TTY=$(tty)
    export GPG_TTY
    Whenever I attempt to ssh using the key that's already been added to gpg-agent, I get the following message:
    Agent admitted failure to sign using the key.
    Permission denied (public key).
    If I change my ~/.gnupg/gpg-agent.conf file to the following:
    # Keyboard control
    #no-grab
    # PIN entry program
    #pinentry-program /usr/bin/pinentry-curses
    #pinentry-program /usr/bin/pinentry-qt4
    #pinentry-program /usr/bin/pinentry-kwallet
    pinentry-program /usr/bin/pinentry-gtk-2
    then everything works fine, and I'm prompted for my passphrase when using ssh.
    I've read posts having to do with a similar issue:
    https://bbs.archlinux.org/viewtopic.php?id=138546
    https://bugs.archlinux.org/task/29156
    It looks like the difference between those and my issue is that I'm using ssh, not just gpg, and I'm not using su. In fact, if I have pinentry-curses set in gpg-agent.conf, and I try to use gpg to encrypt and decrypt a file, everything works fine. The file encrypts, and when decrypting, I am prompted by pinentry-curses for my passphrase. It's just ssh combined with pinentry-curses that gives me troubles.

    I think it actually is the tty capability bug that's biting you...try adding '--without-libcap' to the pinentry-curses PKGBUILD from ABS (/var/abs/core/pinentry/) and rebuilding the package.
    Scott

  • [SOLVED] gpg-agent and the magical passphrase

    Hey fellas,
    I encountered a strange problem. I just copied my gpg and my ssh keys to my laptop
    to use them with gpg-agent.
    So I set up gpg-agent as described in the wiki, did an ssh-add, entered my ssh key and
    specified a new passphrase (test). "ssh-add -l" looked good, but ...
    After that I tried to ssh to some of my servers; gpg-agent asked for the passphrase, but it seemed I mistyped "test" .... mistyped it again .... and so on. I tried every fuckin' password I've got, re-added the key etc.
    But nothing helped, even the debug-level guru wasn't helpful.
    What could be wrong?
    Best regards,
    b52
    Last edited by b52 (2010-02-15 14:55:04)

    I've got the same problem.
    Tried a lot but nothing worked.
    ssh-add asks for the passphrase of the key and after this for the passphrase for the keyring through my pinentry program.
    But after re-entering the passphrase it won't work.
    Seems to be a bug!?
    (PS: I am using Gentoo)

  • [SOLVED] a problem with gpg-agent and ssh keys

    I'm baffled by a strange problem:
    My setup is as follows: I use gpg-agent with --enable-ssh-support, so that my ssh keys are handled by it. All was fine (when I ssh'ed to another machine, a pinentry window popped up, asked for a password, and if I entered the correct one, gpg-agent would decrypt its copy of my private ssh key and use it for identification). But: I needed to change my ssh key, and so I generated a new one. Next, I ssh-add'ed it to gpg-agent (one password to decrypt the private key, then twice another password for gpg-agent). I uploaded the public key to a server. The setup should be complete.
    The problem is that when I ssh to a machine, a pinentry window comes up, but it does not accept my password (the one that I entered twice when ssh-add'ing the key). I tried adding with various different passwords (always deleting ~/.gnupg/private-keys-v1.d/*, since 'ssh-add -d ~/.ssh/id_rsa.pub' would not work for some reason - it would not make gpg-agent forget the key), different pinentry programs ( -qt4, -gtk-2, -curses), and still the same problems. Pinentry itself seems to work fine, since if I enter two different things when it asks for a new passphrase for the key, it detects that there's a problem.
    So, can anyone help? What could I try (please don't post just to say that I could/should use ssh-agent, or keychain, or anything else. I have used various things, and I like this setup the most. It worked before, and I would like to find out why it stopped working and how to get it back to speed.)
    Thanks.
    Last edited by bender02 (2010-02-15 09:52:54)

    That's a known bug with the new gpg version.
    http://lists.gnupg.org/pipermail/gnupg- … 38045.html
    You could use an older version of gpg or use a development version.

  • SSH Key login not working when added to gpg-agent

    Hello,
    As I use gnupg, I run the gpg-agent. I run it with systemd --user and it works flawlessly. As I already run gpg-agent, I figured I might as well just add my ssh keys to it as well. Therefore I start gpg-agent with --enable-ssh-support. I use my SSH keys a lot and never had any problems with connecting to anything with a simple ssh .... or pushing things to git etc.
    As the SSH_AUTH_SOCK envvar needs to be set for ssh-add to work, I added this line to my .bashrc:
    export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
    Now, adding my SSH Keys with a simple ssh-add seems to work fine (no errors etc).
    However, when I try to connect to a server now, the following happens:
    ssh -vT [email protected]
    OpenSSH_6.8p1, OpenSSL 1.0.2a 19 Mar 2015
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Connecting to XXXXXXXXX port XXXXX.
    debug1: Connection established.
    debug1: identity file /home/XXXXX/.ssh/id_rsa type 1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/XXXXX/.ssh/id_rsa-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.8
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.8
    debug1: match: OpenSSH_6.8 pat OpenSSH* compat 0x04000000
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr [email protected] none
    debug1: kex: client->server aes128-ctr [email protected] none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:Mw5MTDp91yExgStdoMPMwi2yZdoG9MruOm+6XiC5Vks
    debug1: Host '[XXXXXXX]:XXX' is known and matches the ECDSA host key.
    debug1: Found key in /home/XXXX/.ssh/known_hosts:1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /home/XXXXX/.ssh/id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug1: No more authentication methods to try.
    Permission denied (publickey).
    Which is very strange, as id_rsa is my (encrypted) private key. I am also prompted to enter the corresponding password when issuing ssh-add.
    What could the problem be in this case? Thanks a lot!!
    Last edited by replax (2015-05-18 19:06:58)

    replax wrote:Well, there is something listed in .gnupg/sshcontrol , I am not sure if it is connected to my own key though. I tried ssh-add -l and it will list my one key, although it is different from the one in sshcontrol. I suspect that that is an issue of presentation though, as ssh-add spews out the SHA256 of my key..
    How could I go about verifying that the key is indeed correct? Shouldn't it be added automatically by ssh-add?
    Thanks a lot!!
    Yes it should be added automatically. I suppose you could try it in a new user just to start fresh and see if it works, at least then you'll have either verified that your steps were correct or incorrect.

  • Gpg-agent is mysteriously started by systemd

    So I recently switched from initscripts to systemd. Now when I use SSH, gpg-agent tries to save my passwords, but I can't figure out how it got started.
    It's definitely running, started by systemd (or at least, orphaned such that it is parented on systemd):
    $ ps aux | grep gpg-agent
    aogier 405 0.0 0.1 5436 1352 ? Ss 07:30 0:00 /usr/bin/gpg-agent --sh --daemon --enable-ssh-support --write-env-file /home/aogier/.cache/gpg-agent-info
    $ pstree
    systemd─┬─...
    ├─gpg-agent───scdaemon
    ├─...
    But I can't find out why systemd feels the need to start it, the following all turn up empty:
    $ systemctl list-units --all | grep gpg
    $ systemctl list-unit-files --all | grep gpg
    $ grep gpg -r /etc/systemd
    $ grep gpg -r /usr/lib/systemd
    My guess is something is starting gpg-agent and orphaning it, but why it's started in daemon mode with ssh support is beyond me. It gets in the way of my ssh-agent usage, and it disturbs me (a week ago I removed a SSH private key from my computer, only to find today that I could still authenticate using it because gnupg held onto it -- ick).
    Anyone know what the problem could be? Maybe XFCE or LXDM?

    Clueless wrote:
    So I recently switched from initscripts to systemd. Now when I use SSH, gpg-agent tries to save my passwords, but I can't figure out how it got started.
    It's definitely running, started by systemd (or at least, orphaned such that it is parented on systemd):
    $ ps aux | grep gpg-agent
    aogier 405 0.0 0.1 5436 1352 ? Ss 07:30 0:00 /usr/bin/gpg-agent --sh --daemon --enable-ssh-support --write-env-file /home/aogier/.cache/gpg-agent-info
    $ pstree
    systemd─┬─...
    ├─gpg-agent───scdaemon
    ├─...
    But I can't find out why systemd feels the need to start it, the following all turn up empty:
    $ systemctl list-units --all | grep gpg
    $ systemctl list-unit-files --all | grep gpg
    $ grep gpg -r /etc/systemd
    $ grep gpg -r /usr/lib/systemd
    My guess is something is starting gpg-agent and orphaning it, but why it's started in daemon mode with ssh support is beyond me. It gets in the way of my ssh-agent usage, and it disturbs me (a week ago I removed a SSH private key from my computer, only to find today that I could still authenticate using it because gnupg held onto it -- ick).
    Anyone know what the problem could be? Maybe XFCE or LXDM?
    Have you checked whether it's started from /etc/profile.d/?
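    Both this thread (a deleted ~/.ssh key that gpg-agent could still use) and the "SSH Key login not working" thread above (ssh-add -l listing a key that differs from the one in sshcontrol) come down to the same two files: with --enable-ssh-support, ssh-add hands the private key to gpg-agent, which keeps its own copy as ~/.gnupg/private-keys-v1.d/<KEYGRIP>.key and records the keygrip in ~/.gnupg/sshcontrol. Removing the file under ~/.ssh touches neither. The following is an added example, not code from any of the posts or from GnuPG itself, that audits those two files; the file paths are passed in by the caller, and the sample sshcontrol content used to exercise it is constructed.

```shell
#!/bin/sh
# Added example (not from the posts above): audit the SSH keys gpg-agent
# (started with --enable-ssh-support) will keep offering.
# sshcontrol format: "KEYGRIP TTL [FLAGS]"; '#' starts a comment; a leading
# '!' disables an entry. private-keys-v1.d holds one <KEYGRIP>.key per
# stored secret key. Paths are supplied by the caller (constructed in tests).

# Print the keygrips gpg-agent will currently serve over SSH_AUTH_SOCK.
sshcontrol_enabled_keygrips() {
    sed -e 's/#.*$//' "$1" | awk 'NF > 0 && $1 !~ /^!/ { print toupper($1) }'
}

# Print the enabled keygrips whose private-key copy still exists in the
# given private-keys-v1.d directory: these are the keys the agent can use
# even if the original ~/.ssh/id_* file is long gone.
sshcontrol_live_keys() {
    sshcontrol_enabled_keygrips "$1" | while read -r grip; do
        if [ -f "$2/$grip.key" ]; then
            printf '%s\n' "$grip"
        fi
    done
}

# Print enabled entries whose .key copy is missing (dead entries that can
# be dropped from sshcontrol).
sshcontrol_orphan_entries() {
    sshcontrol_enabled_keygrips "$1" | while read -r grip; do
        if [ ! -f "$2/$grip.key" ]; then
            printf '%s\n' "$grip"
        fi
    done
}

# Disable an entry in place by prefixing it with '!', so the key is no
# longer offered for ssh. The <KEYGRIP>.key file must still be deleted
# separately to purge the stored secret itself.
sshcontrol_disable_keygrip() {
    sed -e "/^$2/s/^/!/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
```

    Run sshcontrol_live_keys ~/.gnupg/sshcontrol ~/.gnupg/private-keys-v1.d and compare the keygrips against ssh-add -l; any key you believe you removed but which still shows up here is exactly the situation described in the post above, and disabling the entry plus deleting the .key file is what actually revokes it from the agent.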

  • GPG-AGENT "ignoring" pinentry program? wrong pinentry app for ssh-keys

    Hi!
    I am using gpg-agent to handle my gpg keys and wanted it to handle my ssh keys too, since it is running anyway.
    It works perfectly fine with gpg keys; my pinentry program is pinentry-qt4, and upon request that window pops up for me to enter my passphrase.
    As window manager I use awesome wm.
    However, when I try to use my ssh key, e.g. for github, no pinentry program pops up and in xterm it looks like:
    [me@mybox dotfiles]$ git push origin master
    It seems that it is waiting for my passphrase input but it isn't asking for it. Neither does it accept it.
    When I quit my WM, I see that it executed the pinentry program directly in my tty1, to which I do not have access while running my WM.
    My gpg-agent.conf:
    me@mybox ~/.gnupg> cat gpg-agent.conf
    default-cache-ttl 300
    max-cache-ttl 7200
    pinentry-program /usr/bin/pinentry-qt4
    How do I get gpg-agent to respect my pinentry choice for my ssh keys as well?
    Thanks for your time!

    I use this
    $ cat /etc/kde/env/gpg-agent-startup.sh
    #!/bin/sh
    # see https://wiki.archlinux.org/index.php/SSH_Keys
    GPG_AGENT=/usr/bin/gpg-agent
    ## Run gpg-agent only if not already running, and available
    if [ -x "${GPG_AGENT}" ] ; then
        # check validity of GPG_SOCKET (in case of session crash)
        GPG_AGENT_INFO_FILE=${HOME}/.gpg-agent-info
        if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
            GPG_AGENT_PID=`cat ${GPG_AGENT_INFO_FILE} | grep GPG_AGENT_INFO | cut -f2 -d:`
            # empty when the recorded pid no longer exists
            GPG_PID_NAME=`cat /proc/${GPG_AGENT_PID}/comm 2>/dev/null`
            if [ ! "x${GPG_PID_NAME}" = "xgpg-agent" ]; then
                rm -f "${GPG_AGENT_INFO_FILE}" >/dev/null 2>&1
            else
                GPG_SOCKET=`cat "${GPG_AGENT_INFO_FILE}" | grep GPG_AGENT_INFO | cut -f1 -d: | cut -f2 -d=`
                if ! test -S "${GPG_SOCKET}" -a -O "${GPG_SOCKET}" ; then
                    rm -f "${GPG_AGENT_INFO_FILE}" >/dev/null 2>&1
                fi
            fi
            unset GPG_AGENT_PID GPG_SOCKET GPG_PID_NAME SSH_AUTH_SOCK
        fi
        if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
            eval "$(cat "${GPG_AGENT_INFO_FILE}")"
            eval "$(cut -d= -f 1 "${GPG_AGENT_INFO_FILE}" | xargs echo export)"
            export GPG_TTY=$(tty)
        else
            eval "$(${GPG_AGENT} -s --enable-ssh-support --daemon --pinentry-program /usr/bin/pinentry-qt4 --write-env-file)"
        fi
    fi
    I think I could probably use the /etc/profile.d location but when I first set it up, kde was already running gpg-agent so I adapted its file. Later, I uninstalled the thing which does that in kde and just kept my own customised version.
    Are you sure that your xinitrc isn't starting a second gpg-agent?

  • Gpg-agent with systemd

    Hey!
    I am a novice Arch user and I am having problems with the latest gpg distribution when used with systemd and ssh-support. Currently, I am using i3 with lightdm, and I am using systemd to start gpg-agent with ssh support. Specifically, I have the following gpg-agent.service file in my ${HOME}/.config/systemd/user/ directory:
    [Unit]
    Description=gpg-agent Daemon with SSH Support
    [Service]
    Type=forking
    ExecStart=/usr/bin/gpg-agent --quiet --daemon --enable-ssh-support
    Restart=on-success
    [Install]
    WantedBy=default.target
    which is expected to restart when exited properly and/or due to a signal. When I enable and start the service with the systemctl --user prefix, it works as it is supposed to. I have the following gpg-agent.conf file:
    default-cache-ttl 600
    default-cache-ttl-ssh 3600
    max-cache-ttl 7200
    max-cache-ttl-ssh 7200
    enforce-passphrase-constraints
    min-passphrase-len 10
    min-passphrase-nonalpha 4
    max-passphrase-days 180
    pinentry-program /usr/bin/pinentry-curses
    and the following excerpt in my .zshrc:
    # GPG configuration
    # Check for the gpg-agent socket, and set SSH_AUTH_SOCK and GPG_TTY
    # environment variables accordingly:
    if [[ -S "${HOME}/.gnupg/S.gpg-agent.ssh" ]]; then
        export GPG_TTY=$(tty)
        if [[ ${SSH_AUTH_SOCK} != "${HOME}/.gnupg/S.gpg-agent.ssh" ]]; then
            export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
        fi
    fi
    The problem is, everything is working properly except for one thing: "When I want to ssh to my server, I get an 'Agent admitted failure to sign using the key' error." I mean, the environment variables seem to be fine when I fire up a zsh session (terminal emulator) and/or everything seems ok when I issue systemctl --user status gpg-agent, but I cannot ssh to my server using my gpg-key. However, when I stop the systemd unit and just issue eval $(gpg-agent --quiet --daemon --enable-ssh-support) in a new terminal emulator, ssh works fine. In both of the aforementioned versions, when I issue gpg --clearsign some_file.txt command, I am asked in the terminal emulator for my password (I suppose in the so called curses pinentry program).
    I thank you in advance for your time, and appreciate any suggestions. Best,

    You might need to make a script to start it. Like "/usr/local/bin/gpg-agent-daemon.zsh"
    then in that file have:
    #!/usr/bin/zsh
    gpg-agent --quiet --daemon --enable-ssh-support --write-env-file "${HOME}/.gpg-agent-info"
    And do chmod +x
    And in your gpg-agent.service file:
    [Service]
    Type=forking
    # systemd requires an absolute path in ExecStart
    ExecStart=/usr/local/bin/gpg-agent-daemon.zsh
    <...>
    And then in $ZDOTDIR/.zprofile
    # GPG configuration
    # Check for the gpg-agent socket, and set SSH_AUTH_SOCK and GPG_TTY
    # environment variables accordingly:
    if [[ -S "${HOME}/.gnupg/S.gpg-agent.ssh" ]]; then
        export GPG_TTY=$(tty)
        if [[ ${SSH_AUTH_SOCK} != "${HOME}/.gnupg/S.gpg-agent.ssh" ]]; then
            export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
        fi
        if [ -f "${HOME}/.gpg-agent-info" ]; then
            . "${HOME}/.gpg-agent-info"
            export GPG_AGENT_INFO
        fi
    fi
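The awesome-wm post above (pinentry for ssh keys landing on tty1) and this systemd thread share one cause: the ssh-agent protocol carries no terminal or display information, so for ssh requests gpg-agent runs pinentry on whatever tty and DISPLAY it recorded when it was started. For an agent started from .xinitrc that is the console it was launched from; for one started by systemd --user there is no terminal at all, so pinentry-curses cannot open and ssh reports a signing failure. GnuPG's documented remedy is `gpg-connect-agent updatestartuptty /bye` from the terminal you are typing in. The snippet below is an added example, not code from the thread: a POSIX fragment for a login shell rc that points SSH_AUTH_SOCK at the agent's ssh socket and hands the agent the current terminal. It assumes GnuPG 2.1 (the ~/.gnupg/S.gpg-agent.ssh path used in the thread, or whatever `gpgconf --list-dirs agent-ssh-socket` reports on builds that support it); the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Source from ~/.zprofile or
# ~/.bash_profile (or run as-is) once the agent is already running, e.g.
# from the systemd user unit above. Assumes GnuPG 2.1+. Names are mine.

# Where the agent's ssh socket lives: ask gpgconf when it can tell us,
# otherwise fall back to the fixed path older 2.1 builds used.
gpg_ssh_socket() {
    sock=""
    if command -v gpgconf >/dev/null 2>&1; then
        sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null)
    fi
    [ -n "$sock" ] || sock="${HOME}/.gnupg/S.gpg-agent.ssh"
    printf '%s\n' "$sock"
}

# True when the current SSH_AUTH_SOCK ($1) is not the wanted socket ($2).
needs_repoint() {
    [ "$1" != "$2" ]
}

# Tell the agent which tty and DISPLAY to use for pinentry from now on.
# ssh requests carry neither, so without this the prompt goes wherever the
# agent was started (tty1, or nowhere under systemd --user), which looks
# like a hang in the terminal that ran ssh.
gpg_adopt_tty() {
    tty_name=$(tty 2>/dev/null) || return 0   # no terminal: nothing to adopt
    GPG_TTY=$tty_name
    export GPG_TTY
    command -v gpg-connect-agent >/dev/null 2>&1 || return 0
    gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1
}

gpg_session_setup() {
    sock=$(gpg_ssh_socket)
    if [ -S "$sock" ] && needs_repoint "${SSH_AUTH_SOCK:-}" "$sock"; then
        SSH_AUTH_SOCK=$sock
        export SSH_AUTH_SOCK
    fi
    gpg_adopt_tty
}

gpg_session_setup
```

The agent keeps only one startup tty, so the terminal that most recently sourced this wins; that is normally what you want, but with several terminals open the prompt for an ssh request can appear in a different window than the one that ran ssh. For a graphical pinentry the same call also passes the current DISPLAY.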

  • [SOLVED] Thunderbird & Enigmail: Using gpg-agent to cache key

    Hi,
    I set up Thunderbird with Enigmail to encrypt my emails.
    However, I do not want to enter my password EVERY TIME I want to read an encrypted email. A quick tab change etc. gets annoying, so I wanted to set up a timeout of 10 min.
    Also, I want to use gpg-agent for that (unless there are by far better options), as I could also manage my SSH keys with that (haven't looked into it yet, though)
    What I have done:
    - Installed TB & Enigmail, generated keypair, uploaded to keyserver, tried it with a friend (works)
    - Added gpg-agent startupscript to xinitrc, verified that it runs on x startup (also writes env file so it will only run once, even if x is started multiple times)
    - In enigmail settings selected to use gpg-agent
    - Checked gpg-agent cache timeout (set to 300sec (default-cache-ttl))
    Problem:
    Thunderbird/Enigmail still prompts for my passphrase every time I want to view an encrypted email, even when I quickly switch tabs.
    I would really appreciate some pointing into the right direction/help on how to ideally solve this problem.
    Thanks for your time
    Last edited by replax (2013-07-31 09:04:03)

    I guess you mean: OpenPGP->Preferences->Passphrase Settings
    These settings do not apply because they only work when the passphrase handling is done by enigmail/TB. It also gives you a warning that, if you use gpg 2.0 or later, you have to use gpg-agent for passphrase handling and have to set the cache time in the agent itself somehow.
    EDIT: Seems to have gotten it to work, I simply added a pinentry-program to the gpg-agent.conf (qt4 version). Strange though, as it should use the gtk entry program by default....
    Is this a feature or a bug? Or is it special in the arch package, e.g. compiled with no default or something like that?

  • Script to clear cached gpg-agent passphrase?

    Hello,
    I recently setup enigmail with thunderbird so I can sign and encrypt email. I had an issue with the passphrase being cached by seahorse, and was unable to find a setting to change the time. Doing a lot of searching I found that setting "use-agent" in ~/.gnupg/gpg.conf and setting appropriate timeouts in ~/.gnupg/gpg-agent.conf was supposed to work. But after many, many failed attempts, I switched from gnome to xfce and got rid of seahorse (probably making this far more complicated than I needed to, but I like xfce, too). As soon as I did that the timeouts I set in gpg-agent.conf started working correctly. Currently using 300 seconds. I would like to extend this time to 10 or 20 minutes to save the password hassle while going through emails, but would like an "easy" way to clear the cached passphrase when I'm finished. I always lock my desktop when I'm away, but would prefer to know my signature and key passphrase is no longer cached when I get up.
    I found this in the kde wiki:
    killall gpg-agent    -stops all instances
    eval "$(gpg-agent --daemon)"     -will restart the agent
    gpg-agent status     -should tell you if the agent is running.
    If I execute eval "$(gpg-agent --daemon)" nothing seems to happen; I can click any message and it decrypts without asking for my passphrase (as long as the 5 minute timeout hasn't expired, of course).
    If I kill gpg-agent, and then use eval "$(gpg-agent --daemon)" to start it back up, when I click on an encrypted message in thunderbird I get this error in the signature banner "Error - signature verification failed; click on 'Details' button for more information"
    OpenPGP security info reveals the following:
    Error - signature verification failed
    gpg command line and output:
    /usr/bin/gpg
    can't connect to `/tmp/gpg-ZoVzCT/S.gpg-agent': No such file or directory
    gpg: can't connect to `/tmp/gpg-ZoVzCT/S.gpg-agent': connect failed
    gpg: can't query passphrase in batch mode
    gpg: Invalid passphrase; please try again ...
    gpg: can't query passphrase in batch mode
    gpg: Invalid passphrase; please try again ...
    gpg: can't query passphrase in batch mode
    gpg: encrypted with 4096-bit RSA key, ID XXXXXXX, created 2012-XXXX
          "XXXXXX <XXXXXX>"
    gpg: encrypted with 4096-bit RSA key, ID XXXXXXX, created 2012-XXXX
          "XXXXXX <XXXXXX>"
    gpg: public key decryption failed: bad passphrase
    gpg: decryption failed: secret key not available
    Restarting thunderbird doesn't help. Restarting the computer fixes it. It looks like when gpg-agent starts it creates a gpg-RANDOM temp directory, and when I restart it that changes, but enigmail doesn't pick this up even after restarting thunderbird. How does it figure it out on a fresh start?
    Is there any way to simply clear the gpg-agent cached passphrase and then be able to use it again (supply the password) without having to restart the computer?
    Thanks!

    Send a SIGHUP signal to the gpg-agent process. This will clear all stored passphrases.
    pkill -SIGHUP gpg-agent
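The SIGHUP answer is the right one: it flushes the cache without restarting the agent, so the socket path that Thunderbird inherited in GPG_AGENT_INFO stays valid, which is exactly what broke after `killall gpg-agent`. What follows is an added example, not code from the thread, that makes this scriptable and verifiable, for instance from the command that runs your screen locker: it asks the agent which keys currently have a cached passphrase (`gpg-connect-agent 'keyinfo --list' /bye`), flushes the cache with RELOADAGENT (the same action SIGHUP triggers, without guessing at PIDs), and checks that nothing is cached afterwards. It assumes GnuPG 2.1 or later, where the KEYINFO status line carries the cached flag in its seventh column (`S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> ...`) and gpg-connect-agent accepts `--no-autostart`; the function names and the keygrips in the comments are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Flush gpg-agent's passphrase cache
# without restarting the agent, and confirm nothing stays cached.
# Assumes GnuPG 2.1+ KEYINFO status lines, e.g. (constructed keygrip):
#   S KEYINFO 8D3F5A1C0B7E2D4A6F9C1E3B5D7A9C0E2F4B6D8A D - - 1 P - - -
# where the 7th column is "1" if the passphrase is cached, "-" otherwise.

# Talk to an already running agent only; never start one as a side effect.
gca() {
    gpg-connect-agent --no-autostart "$@"
}

# Read KEYINFO lines from stdin; print the keygrips whose passphrase is cached.
cached_keygrips() {
    awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { print $3 }'
}

# Ask the running agent for its key table (empty output if no agent).
agent_keyinfo() {
    gca 'keyinfo --list' /bye 2>/dev/null
}

# Drop every cached passphrase. RELOADAGENT is what SIGHUP triggers too,
# but it needs no PID and leaves the socket that clients use untouched.
flush_agent_cache() {
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        gca reloadagent /bye >/dev/null 2>&1
    else
        pkill -HUP -x gpg-agent
    fi
}

# Return 0 if nothing is cached; otherwise list the keygrips and return 1.
assert_cache_empty() {
    left=$(agent_keyinfo | cached_keygrips)
    [ -z "$left" ] && return 0
    printf 'still cached: %s\n' $left >&2
    return 1
}

# When run directly with GnuPG installed: flush, then verify.
if command -v gpg-connect-agent >/dev/null 2>&1; then
    flush_agent_cache
    assert_cache_empty || echo "passphrase cache is not empty" >&2
fi
```

Run the script from the locker command (before the lock takes effect) and the longer default-cache-ttl asked for above stops mattering while you are away; `assert_cache_empty` is there so you can see, rather than trust, that the flush happened. Note that the flush applies to every key the agent knows, including ssh keys it serves, which is normally what you want when walking away.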
