Published by Jon on December 19th, 2010 in Debian
When I first started using Debian properly, I played with
pinentry but I didn’t really understand the various bash initialisation scripts, and my botched setup annoyed me so much I disabled it again quite quickly (for example, if I left the machine logged in to GDM at home then logged in through SSH, pinentry dialogs stayed in GDM and had to be killed).
Now I’ve finally had time to get it sorted out, and this is part aide-memoire and part idiot check (hello, lazyweb). The brief:
gpg-agentshould take care of both GPG keys and SSH keys, transparently;
pinentryshould ask with
pinentry-gtk2at home, or at the current SSH session remotely;
- nothing should be left lying around after a session.
I assume appropriate packages are already installed – at a minimum,
gpg-agent and whichever
pinentry you prefer.
gpg-agent drops a hook into
/etc/X11/Xsession.d, but now there are both
ssh-agent running. Disable
ssh-agent because we’re going to let
gpg-agent take care of everything: in
/etc/X11/Xsession.options, comment out the line use-ssh-agent. In
/etc/X11/Xsession.d/90gpg-agent, add the –enable-ssh-support parameter so the STARTUP variable looks something like:
STARTUP="$GPGAGENT --daemon --sh --enable-ssh-support --write-env-file=$PID_FILE $STARTUP"
and also disable ssh in
$ gconftool-2 --set -t bool /apps/gnome-keyring/daemon-components/ssh false
Now (after restarting your X session) you can use ssh-add to import a key into
gpg-agent, and you should see a pinentry dialog asking for a password.
That takes care of X sessions, but it won’t work for SSH. This is where the different bash login scripts matter:
~/.bashrc is run for all non-login shells (that is, ones spawned from e.g.
~/.profile is only run for login shells (that is, ones where you have to authenticate, such as SSH connections). So, at the bottom of
~/.profile, we just start another
gpg-agent who doesn’t know about X:
eval $(gpg-agent --enable-ssh-support --daemon)
After restarting your SSH session and triggering a key operation, like signing a document,
pinentry-curses should ask for your passphrase at the SSH shell and not leave dialogs stranded in the X session.
Finally, that second agent shouldn’t be left hanging around after we’ve finished, or there’ll be hundreds of them soon. Fortunately, the PID is recorded in the environment variable
GPG_AGENT_INFO, but parsing that is a bit awkward when it’s also recorded alone in
SSH_AGENT_PID. So in
~/.bash_logout, we just
(Most of the pointers for this setup came from http://wiki.kumina.nl/index.php/Managing_ssh_keys_with_gpg-agent and http://stefaanlippens.net/bashrc_and_others)