Bug #12349

gpg-agent can't handle ssh & can't be adjusted

Added by orange 2017-03-15 21:33:19. Updated 2017-03-22 08:09:28.

Status:
Rejected
Priority:
Normal
Assignee:
orange
Category:
Hardware support
Target version:
Start date:
2017-03-15
Due date:
% Done:

0%

Feature Branch:
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

In the 3.0 Beta 1 and Alpha you could force the gpg-agent to authenticate SSH sessions via "gpg-agent --ssh-support-enable --daemon ...", "..." being the command to use to authenticate the session of (like git, scp, sshfs or ssh itself). This is useful for those who don't want to maintain multiple keys, for those who use OpenPGP cards for signing & authenticating rather than persistence and for those given access to SSH servers by their PGP public keys.
Usually a "pkill gpg-agent" would solve the issue but now gpg-agent refuses to start with ssh-support. Adding "ssh-support-enable" to gpg-agent.conf and then "pkill gpg-agent" also does not fix this.
I don’t know what is causing the issue. I don’t know if having ssh-support on by default is a potential security issue (I’m not sure of the mechanics of turning a GPG-SSH public key back into a PGP public key) but I would like to suggest it as a solution.


Subtasks


History

#1 Updated by intrigeri 2017-03-17 17:31:44

  • Affected tool deleted (OpenPGP Applet)

#2 Updated by intrigeri 2017-03-17 17:39:28

  • Assignee set to orange
  • QA Check changed from Dev Needed to Info Needed

> In the 3.0 Beta 1 and Alpha you could force the gpg-agent to authenticate SSH sessions via "gpg-agent --ssh-support-enable --daemon ...", "..." being the command to use to authenticate the session of (like git, scp, sshfs or ssh itself). This is useful for those who don't want to maintain multiple keys, for those who use OpenPGP cards for signing & authenticating rather than persistence and for those given access to SSH servers by their PGP public keys.

Sure. I think that’s now supported out of the box, provided one uses the correct socket to talk to a SSH-enabled gpg-agent. Details follow.

> Usually a “pkill gpg-agent” would solve the issue

OK.

> but now gpg-agent refuses to start with ssh-support.

That is? What are you doing and what’s the resulting behavior?

> Adding “ssh-support-enable” to gpg-agent.conf and then “pkill gpg-agent” also does not fix this.

I think that nowadays there’s a dedicated socket for SSH support in gpg-agent, that’s handled by the gpg-agent-ssh.socket systemd (user) service:

amnesia@amnesia:~$ systemctl --user status gpg-agent-ssh.socket 
● gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation)
Loaded: loaded (/usr/lib/systemd/user/gpg-agent-ssh.socket; disabled; vendor 
Active: active (running) since Fri 2017-03-17 17:34:06 UTC; 22s ago
Docs: man:gpg-agent(1)
man:ssh-add(1)
man:ssh-agent(1)
man:ssh(1)
Listen: /run/user/1000/gnupg/S.gpg-agent.ssh (Stream)

and:

amnesia@amnesia:~$ ls /run/user/1000/gnupg/
S.dirmngr  S.gpg-agent  S.gpg-agent.browser  S.gpg-agent.extra  S.gpg-agent.ssh

So it looks like ssh-support-enable is not needed anymore, and you already have a socket to talk to a SSH-enabled gpg-agent :)

Can you please try using it and report back?

#3 Updated by orange 2017-03-22 00:51:46

So I've tried again in beta~3. I neglected to mention that specifically I am using an OpenPGP card in the form of a Yubikey (although this wasn't an issue in the past).
However I did what you asked me to try, and “export SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh” worked.

Thanks for your help!

#4 Updated by intrigeri 2017-03-22 08:09:28

  • Status changed from New to Rejected

> However I did what you asked me to try, and “export SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh” worked.

Great!
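The fix the thread settles on is to stop starting gpg-agent by hand and instead point ssh at the socket that gpg-agent-ssh.socket already provides. The helper below is an added illustration of that, not code from the ticket or from Tails: it asks gpgconf for the socket path when gpgconf is available (falling back to the XDG runtime layout shown in comment #2), refuses to export SSH_AUTH_SOCK unless the path is a live Unix socket, and then lists the identities the agent serves. Function names and the fallback logic are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the ticket): use the gpg-agent SSH socket provided by
# gpg-agent-ssh.socket instead of passing --enable-ssh-support yourself.
# Function and variable names are this example's own.

# Print the path of gpg-agent's SSH socket. gpgconf gives the authoritative
# answer when installed; otherwise fall back to the XDG runtime layout seen in
# the ticket. Passing a directory as $1 forces the fallback (used for testing).
gpg_ssh_socket_path() {
    if [ -z "${1:-}" ] && command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-ssh-socket
    else
        printf '%s/gnupg/S.gpg-agent.ssh\n' "${1:-${XDG_RUNTIME_DIR:-/run/user/$(id -u)}}"
    fi
}

# Succeed only if the path is an actual Unix socket. A missing path means the
# socket unit is not running; a regular file means something else put it there
# and ssh must not be pointed at it.
is_live_socket() {
    [ -S "$1" ]
}

# Export SSH_AUTH_SOCK for the current shell and show which keys the agent
# offers. Returns non-zero (without exporting anything) if no usable socket.
use_gpg_agent_for_ssh() {
    sock=$(gpg_ssh_socket_path) || return 1
    if ! is_live_socket "$sock"; then
        echo "no gpg-agent SSH socket at $sock" >&2
        if command -v systemctl >/dev/null 2>&1; then
            echo "try: systemctl --user start gpg-agent-ssh.socket" >&2
        fi
        return 1
    fi
    SSH_AUTH_SOCK=$sock
    export SSH_AUTH_SOCK
    echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK"
    # ssh-add -L lists the public keys the agent serves; with an OpenPGP card
    # inserted this is the card's authentication key in ssh format.
    if command -v ssh-add >/dev/null 2>&1; then
        ssh-add -L || echo "agent is up but offers no identities yet" >&2
    fi
}

use_gpg_agent_for_ssh || echo "not switched to gpg-agent for ssh" >&2
```

Source the file (`. ./gpg-ssh.sh`) rather than executing it, otherwise the exported SSH_AUTH_SOCK only lives in the child shell; the same one-liner the reporter used, `export SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh`, is what the function ends up doing on a stock Tails system.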