Sirs.

2024-05-02 Thread Richard Bostrom via Gnupg-users 
Clearsign not working on new debian install. NisT-P21.
encryption/ decryption works. Hej.

Yours sincerely
Richardh Bostrom___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Using a GnuPG crypted RSA key for SSH

2024-05-02 Thread Werner Koch via Gnupg-users 
On Thu,  2 May 2024 15:31, Matthias Apitz said:

> which locks the card again. Any ideas?

If you really want to reset the card after an operation _and_ you are
using pcscd you can use

  gpg-connect-agent 'scd disconnect' /bye

But killing scdaemon is probably the easier and more reliable way:

  gpgconf -K scdaemon

does this by sending the kill command

  gpg-connect-agent 'scd killscd' /bye

Some card applications require a VERIFY command (i.e. asking for the
PIN) for each operation.  An OpenPGP card does this only for the signing
key and only if that feature has been enabled (force command of
--card-edit).  Remember that there is no PIN cache[1] but the card
application tales the descision when and how often a PIN is required
after power up (of the card).

If you only want to be asked whether the ssh-key shall be used, you can
put a line

  Confirm: yes

into the private-keys-v1.d/.key file of the AUTH (shadow-)key:

  *** Confirm
  If given and the value is "yes", a user will be asked confirmation by
  a dialog window when the key is about to be used for
  PKSIGN/PKAUTH/PKDECRYPT operation.  If the value is "restricted", it
  is only asked for the access through extra/browser socket.


Shalom-Salam,

   Werner



[1] Actually there is a PIN cache to allow a Yubikey to switch between
the OpenPGP and PIV appications back anf forth without requiring a PIN
after each switch.  A sample use-case is sending PGP signed mails and
also using a browser or IMAP server with user certificate based
authentication.

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein


openpgp-digital-signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Using a GnuPG crypted RSA key for SSH

2024-05-02 Thread Werner Koch via Gnupg-users 
On Thu,  2 May 2024 16:58, Matěj Cepl said:

> rather dubious: systemd can certainly manage a dependence on
> shared resource, and concurrent running of two processes at

Right.  However, systemd does not use the same locking scheme as gnupg
uses to avoid duplicate daemon startup.  The gnupg internal startup of
required daemons has been there before systemd was invented and it needs
to work on all platforms - not just on Linux.  Having different schemes
here is major problem but the former Debian maintainer (dkg) promised to
take care of all problems due to his patches which added that systemd
startup (--supervised) feature.

Given that history I consider it unlikely that Debian will ever provide
an enhanced ssh version which can be configured to start its ssh-agent
on connection failure.  Thus we need to keep on using the
updatestartuptty thing when using a curses pinentry or a remote X
session.

The updatestartup thing does actually two things: Make sure that
gpg-agent is launched (most other commands will do this also) and, more
important, to tell gpg-agent something about the current environment
(GPG_TTY, DISPLAY, etc).  I have a patch somewhere to extend the
ssh-agent-protocol to convey envvars but more or less forgot about it.
it would be a useful things also for other ssh-agent's

> I still haven’t investigated this piece of Werner’s advice:
>
>> Using no-autostart in the common.conf might be useful.  We use it always
>> when running a remote gpg.

That is easy: On a remote box you don't want to run gpg-agent because
this shall instead be handled by ssh socket forwarding.  Without such an
option running gpg might start gpg-agent on the remote box and thus take
over the forwarded socket.  Instead of adding "no-autostart" to all
config files of gnupg, adding this to common.conf will be sufficient.


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein


openpgp-digital-signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Using a GnuPG crypted RSA key for SSH

2024-05-02 Thread Matěj Cepl via Gnupg-users 
On Thu May 2, 2024 at 3:55 PM CEST, Ming Kuang via Gnupg-users wrote:
> https://lists.gnupg.org/pipermail/gnupg-users/2024-March/066957.html
> https://lists.gnupg.org/pipermail/gnupg-users/2024-March/066960.html

Just for the record, I find the explanation in the later email
rather dubious: systemd can certainly manage a dependence on
shared resource, and concurrent running of two processes at
once. My deep suspicion is that we have here just a little
case of the NIH syndrome (plus, a lack of understanding of
containerized systems like my MicroOS).

I still haven’t investigated this piece of Werner’s advice:

> Using no-autostart in the common.conf might be useful.  We use it always
> when running a remote gpg.

Best,

Matěj

-- 
http://matej.ceplovi.cz/blog/, @mcepl@floss.social
GPG Finger: 3C76 A027 CA45 AD70 98B5  BC1D 7920 5802 880B C9D8
 
In political activity men sail a boundless and bottomless sea;
there is neither harbor for shelter nor floor for anchorage,
neither starting point nor appointed destination.
   -- Michael Oakeshott: Rationalism in Politics



E09FEF25D96484AC.asc
Description: application/pgp-keys


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Using a GnuPG crypted RSA key for SSH

2024-05-02 Thread Matthias Apitz 
> I run the L5 with its OpenPGP card sind 2021 and I don't remember the
> exact setup now. In any case, gpg-agent is there after any reboot.
> 

One issue remains with the now working OpenPGP card for SSH: When the
correct PIN was provided the card remains unlocked, regardless if or not
the SSH session was successful. This is a security problem: On mobile
theft all gpg files are open. Until now I only used the pass command from
password-store and added at its end:

purism@pureos:~$ tail -4 /usr/bin/pass
#
gpgconf --reload scdaemon
sleep 2
exit 0

which locks the card again. Any ideas?

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.
Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Using a GnuPG crypted RSA key for SSH

2024-05-02 Thread Matthias Apitz 
El día jueves, mayo 02, 2024 a las 08:13:12 -0400, Henning Follmann escribió:

> On Thu, May 02, 2024 at 01:58:37PM +0200, Matthias Apitz wrote:
> > 
> > gpg-agent was always there, started by system boot.
> 
> Are you certain? Did you change that at some point? Because if you use the
> default pureOS it doesn't. Just say'n

Yes. It gets started by systemd (proc 719 here) at boot time:

root@pureos:/home/purism# ps axl | grep gpg-agent | grep -v grep
0  10002246 719  20   0  83436  5312 do_sel SLs  ?  0:01 
/usr/bin/gpg-agent --supervised
root@pureos:/home/purism# ps axl | grep 719 | head -1
4  1000 719   1  20   0  16440  8448 do_epo Ss   ?  0:02 
/lib/systemd/systemd --user

I run the L5 with its OpenPGP card sind 2021 and I don't remember the
exact setup now. In any case, gpg-agent is there after any reboot.

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.  Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Using a GnuPG crypted RSA key for SSH

2024-05-02 Thread Henning Follmann 
On Thu, May 02, 2024 at 01:58:37PM +0200, Matthias Apitz wrote:
> El día jueves, mayo 02, 2024 a las 07:44:04 -0400, Henning Follmann escribió:
> 
> > On Thu, May 02, 2024 at 10:33:15AM +0200, Matthias Apitz wrote:
> > > El día jueves, mayo 02, 2024 a las 08:17:58 +0200, Werner Koch via 
> > > Gnupg-users escribió:
> > > 
> > 
> > and because gpg-agent does not usually run as deamon make shure it is
> > running before you use ssh
> > 
> > gpgconf --launch gpg-agent
> 
> gpg-agent was always there, started by system boot.

Are you certain? Did you change that at some point? Because if you use the
default pureOS it doesn't. Just say'n

> 
> > 
> > 
> > You also could add that to your .bashrc
> 
> The missing piece to get it working now was tell gpg-agent the correct
> TTY with:
> 
> gpg-connect-agent updatestartuptty /bye
> 
> which perhaps gpg command does, but ssh can't.
> 
> Thanks for all the hints I got.
> 
> 
>   matthias
> 
> -- 
> Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
> Public GnuPG key: http://www.unixarea.de/key.pub
> 
> I am not at war with Russia.  Я не воюю с Россией.
> Ich bin nicht im Krieg mit Russland.
> 
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users

-- 
Henning Follmann   | hfollm...@itcfollmann.com


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Using a GnuPG crypted RSA key for SSH

2024-05-02 Thread Matthias Apitz 
El día jueves, mayo 02, 2024 a las 07:44:04 -0400, Henning Follmann escribió:

> On Thu, May 02, 2024 at 10:33:15AM +0200, Matthias Apitz wrote:
> > El día jueves, mayo 02, 2024 a las 08:17:58 +0200, Werner Koch via 
> > Gnupg-users escribió:
> > 
> > > ...
> > > On Linux take care to add "enable-ssh-support" to gpg-agent.conf because
> > > on some distros the X config greps for this to decide whether to start
> > > the ssh-agent or leave this to gpg-agent.  Technically the ssh support is
> > > always enabled and thus the option is not really required.
> > 
> [deleted]
> 
> I do not know what you did, but that looks like a mess
> Your pinentry was working before (I guess) and you should not change
> anything there.
> 
> And there is no need for using trace - way too complicated!
> 
> as Werner said add 
> 
> enable-ssh-support
> 
> to your ~/.gnupg/gpg-agent.conf

I have had this in that file (as I said in my last mail)

> You might also create a ~/.gnupg/sshcontrol and add the keygrip of your
> authentication subkey in there
> 
> and then finally tell ssh where to find the ssh-agnet socket. gpg will tell
> you that by:
> 
> gpgconf --list-dirs agent-ssh-socket
> 
> just put 
> 
> export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

I have had this too.

> 
> in your ~/.bashrc
> 
> and because gpg-agent does not usually run as deamon make shure it is
> running before you use ssh
> 
> gpgconf --launch gpg-agent

gpg-agent was always there, started by system boot.

> 
> 
> You also could add that to your .bashrc

The missing piece to get it working now was tell gpg-agent the correct
TTY with:

gpg-connect-agent updatestartuptty /bye

which perhaps gpg command does, but ssh can't.

Thanks for all the hints I got.


matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.  Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Using a GnuPG crypted RSA key for SSH

2024-05-02 Thread Henning Follmann 
On Thu, May 02, 2024 at 10:33:15AM +0200, Matthias Apitz wrote:
> El día jueves, mayo 02, 2024 a las 08:17:58 +0200, Werner Koch via 
> Gnupg-users escribió:
> 
> > ...
> > On Linux take care to add "enable-ssh-support" to gpg-agent.conf because
> > on some distros the X config greps for this to decide whether to start
> > the ssh-agent or leave this to gpg-agent.  Technically the ssh support is
> > always enabled and thus the option is not really required.
> 
[deleted]

I do not know what you did, but that looks like a mess
Your pinentry was working before (I guess) and you should not change
anything there.

And there is no need for using trace - way too complicated!

as Werner said add 

enable-ssh-support

to your ~/.gnupg/gpg-agent.conf

You might also create a ~/.gnupg/sshcontrol and add the keygrip of your
authentication subkey in there

and then finally tell ssh where to find the ssh-agnet socket. gpg will tell
you that by:

gpgconf --list-dirs agent-ssh-socket

just put 

export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

in your ~/.bashrc

and because gpg-agent does not usually run as deamon make shure it is
running before you use ssh

gpgconf --launch gpg-agent


You also could add that to your .bashrc


-H



-- 
Henning Follmann   | hfollm...@itcfollmann.com


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Using a GnuPG crypted RSA key for SSH

2024-05-02 Thread Matthias Apitz 
El día jueves, mayo 02, 2024 a las 08:17:58 +0200, Werner Koch via Gnupg-users 
escribió:

> ...
> On Linux take care to add "enable-ssh-support" to gpg-agent.conf because
> on some distros the X config greps for this to decide whether to start
> the ssh-agent or leave this to gpg-agent.  Technically the ssh support is
> always enabled and thus the option is not really required.

I have this working now already up the point that ssh asks the gpg-agent
to unlock the card and ask for the PIN to do so. But this is failing
because gpg-agent uses:

$ grep pinentry agent.tr
4692  execve("/usr/bin/pinentry", ["pinentry", "--display", ":0"], 
0xa8004be0 /* 41 vars */) = 0
which fails with an unsupported ioctl to fd=0

while a command 'gpg -d foo.asc' works fine, and here gpg-agent uses

$ grep pinentry agent-gpg.tr
4997  read(10, "OPTION allow-pinentry-notify\n", 1002) = 29
4997  write(7, "chan_10 <- OPTION allow-pinentry"..., 40) = 40
5001  execve("/usr/bin/pinentry", ["pinentry"], 0xa80016d0 /* 41 vars */) = 0

i.e. the pinentry command without --display ...

my config file for gpg-agent look as:

$ cat .gnupg/gpg-agent.conf
enable-ssh-support
debug-pinentry
debug ipc
log-file /tmp/gpg-agent-debug.log
max-cache-ttl 1
# pinentry-program /usr/bin/pinentry

I tried to play with the config value of pinentry-program without luck.
The environment of the gpg-agent contains:

GNUPGHOME=/home/purism/.gnupg
GPG_TTY=not a tty

Any idea how to get gpg-agent asking correctly for the PIN?

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.  Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Using a GnuPG crypted RSA key for SSH

2024-05-02 Thread Werner Koch via Gnupg-users 
On Wed,  1 May 2024 11:50, Henning Follmann said:

> Well, if you have a authentication subkey on your card you could use that
> for ssh authentication directly.
> Your gpg-agent would then act as ssh-agent.

I would even claim that this is the best way to work with ssh - I do
this now for nearly 20 years:

  Noteworthy changes in version 1.9.16 (2005-04-21)
  -

  * gpg-agent does now support the ssh-agent protocol and thus allows
to use the pinentry as well as the OpenPGP smartcard with ssh.

This even works on Windows as a preplcement of pageant and more recently
ofbthe native OpenSSH Windows client.

On Linux take care to add "enable-ssh-support" to gpg-agent.conf because
on some distros the X config greps for this to decide whether to start
the ssh-agent or leave this to gpg-agent.  Technically the ssh support is
always enabled and thus the option is not really required.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein


openpgp-digital-signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users