Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

2017-12-14 Thread Sander Smeenk via Gnupg-users
Quoting Ryan Beethe (r...@splintermail.com):

> I also was frustrated with how GPG pinentry worked by default. 
> What I did was write a custom pinentry wrapper, which I call rpinentry.
> It just dispatches either the curses-based pinentry or a gui pinentry
> based on the environment variable PINENTRY_USER_DATA which is read by
> gpg and passed to the pinentry program

I remembered i never followed up on this thread.
Mostly because i had to make sure the setup now works as intended.
And it does.

Ryan, thank you so much for the pinentry wrapper idea / env-vars trick.

I still think it's a stupendous amount of effort to make this work but
at least it does. From vim, from mutt, from Ansible, on my urxvt
terminals, through ssh, anything that needs my GPG key(s) can now
prompt me for passwords.

Thanks a bundle.

For the mailinglist archives, see the previous post(s) by Ryan in this
thread for a working solution to this problem!

Regards,
-Sndr.
-- 
| aibohphobia - fear of palindromes.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
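The dispatcher the quoted text describes, as an added example that is not Ryan's rpinentry (the thread does not reproduce his script): gpg reads PINENTRY_USER_DATA from its own environment, hands it to gpg-agent, and the agent puts it in the environment of the pinentry it spawns, so a plain POSIX sh wrapper can pick the real pinentry from it. It deliberately ignores DISPLAY, because the agent can hand a pinentry the X session's DISPLAY even for an ssh login, as this thread reports. The pinentry paths and the installed name "rpinentry" are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the thread or from GnuPG: a pinentry
# dispatcher driven by PINENTRY_USER_DATA.
#
# gpg passes PINENTRY_USER_DATA to gpg-agent, which sets it in the
# environment of the pinentry it starts, so the value exported in the
# shell that ran gpg arrives here unchanged. DISPLAY is not consulted:
# the agent may pass the X session's DISPLAY to a pinentry even when gpg
# was started from an ssh login, so it is not a reliable signal.
#
# Assumptions: the two pinentries live at the paths below, and this file
# is installed as "rpinentry" (the name gpg-agent.conf points at).

PINENTRY_CURSES=${PINENTRY_CURSES:-/usr/bin/pinentry-curses}
PINENTRY_GUI=${PINENTRY_GUI:-/usr/bin/pinentry-gtk-2}

# Map a PINENTRY_USER_DATA value to a pinentry program path.
# Unset or unrecognised values fall back to curses, which also works in a
# terminal on the X session, so the only environment that needs the
# variable at all is the X session itself (PINENTRY_USER_DATA=gui).
select_pinentry() {
    case "${1:-}" in
        gui|gtk|x11) printf '%s\n' "$PINENTRY_GUI" ;;
        *)           printf '%s\n' "$PINENTRY_CURSES" ;;
    esac
}

# Dispatch only when invoked under the installed name; sourcing this file
# for its function starts nothing.
case "${0##*/}" in
    rpinentry)
        prog=$(select_pinentry "${PINENTRY_USER_DATA:-}")
        # A missing GUI pinentry must not leave gpg-agent with no pinentry
        # at all: degrade to curses instead of failing.
        [ -x "$prog" ] || prog=$PINENTRY_CURSES
        # Arguments and the Assuan dialogue on stdin/stdout are passed
        # through untouched; gpg-agent talks to the real pinentry.
        exec "$prog" "$@"
        ;;
esac
```

Point gpg-agent.conf at the wrapper with `pinentry-program /path/to/rpinentry` and reload the agent with `gpgconf --kill gpg-agent`; from an ssh login run `PINENTRY_USER_DATA=curses gpg -d file.gpg` (or leave the variable unset), and export `PINENTRY_USER_DATA=gui` from the X session startup. The curses pinentry still needs `GPG_TTY` exported in the invoking shell so gpg can tell the agent which terminal to draw on, and, as noted later in this thread, it does not start from inside a vim filter command.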


Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

2017-11-08 Thread Sander Smeenk via Gnupg-users
Quoting Ryan Beethe (r...@splintermail.com):

> Well... it happens that when I copy your script to my archlinux
> machine, everything works fine.

Are you sure your key wasn't already unlocked in the gpg-agent?


> It also happens that when I copy your script into my ubuntu machine, I
> had to change both references of `gpg` to `gpg2`, [ .. ]

Yes, thanks for that hint but it is not my case.
I took the deliberate step and now only use GnuPG 2.x.


> Personally, I use a plugin (https://github.com/jamessan/vim-gnupg) and
> I have never had problems.  Then in my ~/.vimrc, I just had to set:
> let GPGUsePipes=1
> let GPGDefaultRecipients=['my.em...@address.com']

Wow! Quite some code for decrypting a file!
I'll give it a shot after i learn how to use that beast.


Rgds,
Sndr.
-- 
| It’s hard to explain puns to kleptomaniacs
| because they always take things literally.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2



Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

2017-11-07 Thread Sander Smeenk via Gnupg-users
Quoting Ryan Beethe (r...@splintermail.com):

> I think my setup might be almost a drop-in fix for your gpg-over-ssh
> issue, although you will have to figure out where to set the
> environment variable for your particular window manager.

Thanks for your tips and tricks. It's the less bodgy version of the
"wrapper" i wrote. I've adapted them to my system and it seems this is
actually working for the remote-ssh-on-a-system-running-X issue.

However, i still can't use 'gpg -qd' in vim like so:

| augroup GPGEncrypted
| au!
| au BufReadPre,FileReadPre      *.asc,*.gpg set viminfo=
| au BufReadPre,FileReadPre      *.asc,*.gpg set noswapfile
| au BufReadPre,FileReadPre      *.asc,*.gpg set bin
| au BufReadPre,FileReadPre      *.asc,*.gpg let ch_save = &ch|set ch=2
| au BufReadPost,FileReadPost    *.asc,*.gpg '[,']!gpg -qd 2> /dev/null
| au BufReadPost,FileReadPost    *.asc,*.gpg set nobin
| au BufReadPost,FileReadPost    *.asc,*.gpg let &ch = ch_save|unlet ch_save
| au BufReadPost,FileReadPost    *.asc,*.gpg execute ":doautocmd BufReadPost " . expand("%:r")
| au BufReadPost,FileReadPost    *.asc,*.gpg set ff=unix
| au BufWritePre,FileWritePre    *.asc,*.gpg '[,']!gpg -ae 2>/dev/null
| au BufWritePost,FileWritePost  *.asc,*.gpg u
| augroup END

It seems pinentry(-curses) doesn't want to start from within vim.

Do you also have any brilliant ideas there?

Rgds,
Sndr.
-- 
| Cat, n.: Lapwarmer with built-in buzzer.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2



Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

2017-11-07 Thread Sander Smeenk via Gnupg-users
Quoting Werner Koch (w...@gnupg.org):

> > It's rather cumbersome and very dodgy at least. How do others deal with
> > this? Or is everyone using GPG solely in GUI environments nowadays? ;)
> The current development version of Pinentry uses this info on Linux
> to show the process name in the titlebar.

Thanks for your insights and continued efforts to keep our data safe!

Could you elaborate on the 'why' part of this enforced pinentry usage
with GnuPG? It wasn't mandatory in 1.x; now it's forced on us.

Where did that come from?
What problem did it solve?

Thanks again,
-Sndr.
-- 
| Bakers trade bread recipes on a knead to know basis.  
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2




GnuPGv2 & 'pinentry' on Linux w/ remote access

2017-11-06 Thread Sander Smeenk via Gnupg-users
Hi!

Some time ago in March i was asking about the way the pinentry works and
i have not yet been able to get this working properly.

I have this vim macro that automatically decrypts and encrypts files
named .gpg. I use this in a terminal through SSH on my server and it
basically pipes a buffer through 'gpg -qd' and 'gpg -ae'.

Recently upgraded that server, and now this does not work anymore.
GPG just exits stating 'No secret key', while running that exact
command on the shell pops up the pinentry thingy and works fine.

Another situation (still) is my PC at work. It has my X session running
almost always. I access it through SSH too with the same user account
and like to work there, but i can't do anything with GPG on a remotely
connected shell to this machine: the pinentry will consistently pop up
on the X display on that machine instead of the controlling tty (my ssh)
requesting the decryption.

I've had varying success with exporting GPG_TTY and updatestartuptty,
usually having to restart gpg-agent. To try and keep this workable i
ended up wrapping gpg in a script that sets GPG_TTY, kills all
gpg-agent, starts it, runs gpg...

Then, when a tool is not using the wrapper, this results in pinentry
popping up on terminals where i did not expect them, namely the
terminal i last used the wrapper in.

It's rather cumbersome and very dodgy at least. How do others deal with
this? Or is everyone using GPG solely in GUI environments nowadays? ;)

Any insights welcome!
Sorry for the ranty mail.
I'm a nice guy. Really.

Rgds,
Sndr.
-- 
| Rookworst zonder 'r' is ook worst!
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2



Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

2017-03-30 Thread Sander Smeenk via Gnupg-users
Quoting Peter Lebbing (pe...@digitalbrains.com):

> > | GPG_TTY=$(tty)
> > | export GPG_TTY
> > | eval $(gpg-agent --daemon)
> This is the style for GnuPG 2.0, not for 2.1. 2.1 uses a standard
> socket location and the OpenPGP part of the agent will Just Work(tm).
> You still need something for the SSH part, and for GnuPG v1 if you
> want to have that use the agent.

Thanks for your detailed answer, Peter!

Indeed the pain seems to start with 'enable-ssh-support' and actually
using that interface. It all seems a bit cumbersome with the
updatestartuptty business, broken terminals and other foo.
Unfortunately.
It would have been nice if this actually worked well. ;-)

Currently i *don't* start a "session" gpg-agent on my work station, i
leave starting it to whatever needs it and then it keeps on running.
This works flawlessly it seems even when connecting remotely through SSH.
I only do terminal based GPG interaction...


> If you need the agent for GnuPG v1 [ .. ]

No, i've committed to 'upgrading' to v2 :-)


> Finally, there is the TTY issue. gpg will pass the TTY (or DISPLAY) it
> is running on to the agent, so the pinentry pops up on the TTY/DISPLAY
> where the invoking gpg was running. Unfortunately, SSH has no facility
> for that, so the pinentry pops up on the "startup TTY". When I'm using
> SSH from a terminal running on my graphical X session, it turns out
> just fine: pinentry-gtk-2 pops up on my X screen. When I'm connecting
> remotely, it goes wrong.

Now that i read this, it makes sense that ssh isn't properly interfacing
with gpg-agent to make this operation seamless.

Has anyone dared submitting an API-patch to Theo yet? ;-))
 

> Personally before I SSH from a remote session[1], I run:
> gpg-connect-agent updatestartuptty /bye You could put that in a shell
> script with a shorter name...  As long as I don't forget to run the
> gpg-connect-agent command, it always works fine for me.

I tried putting that command in my bashrc but that was a bad idea when
running with enable-ssh-support. Perhaps one could alias 'ssh' (and
friends) to run the updatestartuptty command first...

Hm. Smells fish^Whacky.


> If you use a graphical pinentry and it needs to pop up on a text
> terminal instead, it will automatically fall back to the curses based
> pinentry.

I'm quite certain all my usage of GPG will be in text terminals, but
this is good advice not to mess with that setting and leave it at the
defaults. I believe i put that there when i was fighting with the
enable-ssh-support TTY-issue.


> > With this config, trying to decrypt a GPG-file, everything stalls
> > and undescriptive errors appear after staring at a blinking cursor
> > for quite some time.
> When using gpg?

Yes. But perhaps, considering the insights provided by your earlier
wisdom, gpg (pinentry) might have misbehaved because of the ssh-agent
TTY-issue. Set a broken 'updatestartuptty' and gpg will honour that too?

GPG (pinentry) works just fine when not using enable-ssh-support it seems.


> > Sometimes resulting in *'s being displayed while typing, or letters
> > disappearing from the input altogether.
> I think every other character goes to the terminal [ .. ]
> It's a great way to get half of your password in .bash_history if you just 
> keep on typing.

Hahah. :)


-- 
| 1 1 was a racehorse, 2 2 was 1 2, 1 1 1 1 race 1 day, 2 2 1 1 2
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2




Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

2017-03-25 Thread Sander Smeenk via Gnupg-users
Quoting Peter Lebbing (pe...@digitalbrains.com):
> > I'm trying to make the big step from GnuPG v1 to v2 but i'm experiencing
> > agonizing pains caused by the forced use of "pinentry" by gpg-agent and
> > friends, or rather the way the GPG_TTY stuff works?
> The first thing we really need to know before we can give good help, is:
> which version of GnuPG are you using?

Heh. D'oh! This is Ubuntu 16.10's gpg 2.1.15 w/ libgcrypt 1.7.2-beta.

When not starting gpg-agent from .xsession and thus not using it for
ssh-agent emulation, it seems a bit better behaved. I have yet to
run into pinentry trouble, but it is not that often that i use gpg.

Thanks!

-Sndr.
-- 
| Giraffiti: Vandalism spray-painted very, very high.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2




GnuPGv2 & 'pinentry' on Linux w/ remote access

2017-03-22 Thread Sander Smeenk via Gnupg-users
Hi,

I'm trying to make the big step from GnuPG v1 to v2 but i'm experiencing
agonizing pains caused by the forced use of "pinentry" by gpg-agent and
friends, or rather the way the GPG_TTY stuff works?

I'm on Linux and i am not using Unity/Gnome/whatever, so i start X by
calling 'startx' and it invokes my .xsession that has ...

| GPG_TTY=$(tty)
| export GPG_TTY
| eval $(gpg-agent --daemon)

... where ssh-agent used to be, just before starting the window manager.
Then i have this gpg-agent.conf:

| enable-ssh-support
| pinentry-program /usr/bin/pinentry-curses
| default-cache-ttl 300
| max-cache-ttl 99

With this config, trying to decrypt a GPG-file, everything stalls
and undescriptive errors appear after staring at a blinking cursor
for quite some time.

So i learned that i could update GPG_TTY from my shellrc by doing...

| GPG_TTY=$(tty)
| export GPG_TTY
| gpg-connect-agent updatestartuptty /bye >/dev/null

... every time a new shell spawns. This kind-of works.
At least the pinentry pops up in a terminal.

For GPG-related commands, the pinentry seems to pop-up at the terminal
that is running a GPG-related command, but trying to use ssh randomly
pops the pinentry in a terminal unrelated to where i am running ssh.
Probably the terminal that was started last?

Then, when i ^C the ssh command that is seemingly hanging because
a pinentry popped up on some other workspace's terminal, the pinentry
program on the unrelated terminal completely messes up said terminal.

Sometimes resulting in *'s being displayed while typing, or letters
disappearing from the input altogether. In such situations it turns out
pinentry-curses was still running, even though my shell was also
interactive.

I can't fathom what i am doing wrong but i must be doing something wrong.

Any tips?

And i haven't even started looking at "how can i use a gpg-agent that
is already running on a box that i am logging into remotely" yet, sort of
what 'keychain' can do with ssh-agent.

Regards,
-Sndr.
-- 
| How can there be self-help "groups"?
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2

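The GPG_TTY and updatestartuptty procedure from this message, together with Peter Lebbing's advice quoted in the 2017-03-30 reply, as an added example that is not code from the thread: instead of calling updatestartuptty from every shellrc, where the last shell to start wins and ssh then prompts on an unrelated terminal, refresh the agent's startup tty immediately before the command that needs it, here by shadowing ssh with a shell function. `gpg-connect-agent` and `updatestartuptty` are GnuPG's own; `GPG_CONNECT_AGENT` is an override introduced only so the logic can be exercised without a live agent, and `/dev/pts/7` in the comments is a made-up tty.

```sh
#!/bin/sh
# Added example, not code from the thread: helpers for ~/.bashrc (or any
# POSIX shell rc) that move gpg-agent's "startup tty" to the terminal you
# are about to use, right before a command that reaches the agent without
# a tty of its own (ssh via enable-ssh-support), rather than on every
# shell start, where whichever shell opened last would win.
#
# Assumption: GnuPG 2.1 with gpg-connect-agent on PATH. GPG_CONNECT_AGENT
# is an override hook that exists only in this example, so the functions
# can be run without a real agent.

# Export GPG_TTY for the given tty (e.g. /dev/pts/7, a made-up name) or,
# with no argument, for the current terminal. Returns 1 when there is no
# terminal at all (cron, a pipe), so callers can skip the agent update
# instead of handing it an empty tty name.
gpg_export_tty() {
    if [ -n "${1:-}" ]; then
        GPG_TTY=$1
    else
        GPG_TTY=$(tty 2>/dev/null) || return 1
    fi
    export GPG_TTY
}

# Tell the running agent that GPG_TTY is now its startup tty, so a
# pinentry triggered through the ssh socket lands here and not on the
# terminal that last started a shell. gpg-connect-agent starts the agent
# if none is running.
gpg_update_startup_tty() {
    gpg_export_tty "${1:-}" || return 1
    "${GPG_CONNECT_AGENT:-gpg-connect-agent}" updatestartuptty /bye >/dev/null
}

# Shadow ssh so the startup tty is refreshed immediately before use.
# "command" bypasses this function and runs the real binary. A missing
# terminal is not fatal: ssh still runs, just without a usable pinentry.
ssh() {
    gpg_update_startup_tty || true
    command ssh "$@"
}
```

Source the file from the shell rc and use ssh as usual; gpg itself does not need the wrapper, because it sends its own tty to the agent on every invocation, which is why the thread sees plain gpg prompting on the right terminal while ssh does not.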