Debian Bug report logs - #854376
gnupg-agent: Broken with systemd


Package: gnupg-agent; Maintainer for gnupg-agent is Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>; Source for gnupg-agent is src:gnupg2 (PTS, buildd, popcon).

Reported by: Mark Brown <broonie@debian.org>

Date: Mon, 6 Feb 2017 13:36:13 UTC

Severity: important

Found in version gnupg2/2.1.18-4

Done: Mark Brown <broonie@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#854376; Package gnupg-agent. (Mon, 06 Feb 2017 13:36:16 GMT)


Acknowledgement sent to Mark Brown <broonie@debian.org>:
New Bug report received and forwarded. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Mon, 06 Feb 2017 13:36:16 GMT)


Message #5 received at submit@bugs.debian.org:

From: Mark Brown <broonie@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnupg-agent: Broken with systemd
Date: Mon, 06 Feb 2017 13:35:47 +0000
Package: gnupg-agent
Version: 2.1.18-4
Severity: important

I've got:

  SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent

(this is manually forced since gnome-keyring appears to be managing to
force itself as the SSH agent, I've filed a separate bug about that).
When I try to list keys I get:

   $ ssh-add -L
   error fetching identities for protocol 2: invalid format
   The agent has no identities.

Similarly, attempting to SSH results in:

   debug1: pubkey_prepare: ssh_fetch_identitylist: invalid format

in the SSH verbose output.  If I manually disable all the systemd based
activation and start gpg-agent from the command line with --daemon then
the problem is resolved and I can happily authenticate.

Severity important since this is preventing me logging into remote
systems (including in my case kernel.org which is preventing me doing
upstream kernel work right now).

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnupg-agent depends on:
ii  libassuan0                  2.4.3-2
ii  libc6                       2.24-9
ii  libgcrypt20                 1.7.6-1
ii  libgpg-error0               1.26-2
ii  libnpth0                    1.3-1
ii  libreadline7                7.0-2
ii  pinentry-gnome3 [pinentry]  1.0.0-1
ii  pinentry-gtk2 [pinentry]    1.0.0-1

Versions of packages gnupg-agent recommends:
ii  gnupg  2.1.18-4

Versions of packages gnupg-agent suggests:
ii  dbus-user-session  1.10.14-1
ii  libpam-systemd     232-15
ii  pinentry-gnome3    1.0.0-1
ii  scdaemon           2.1.18-4

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#854376; Package gnupg-agent. (Mon, 06 Feb 2017 14:57:08 GMT)


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Mon, 06 Feb 2017 14:57:08 GMT)


Message #10 received at 854376@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Mark Brown <broonie@debian.org>, 854376@bugs.debian.org
Subject: Re: [pkg-gnupg-maint] Bug#854376: gnupg-agent: Broken with systemd
Date: Mon, 06 Feb 2017 09:55:11 -0500
Hi Mark--

On Mon 2017-02-06 08:35:47 -0500, Mark Brown <broonie@debian.org> wrote:
> I've got:
>
>   SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent
>
> (this is manually forced since gnome-keyring appears to be managing to
> force itself as the SSH agent, I've filed a separate bug about that).

This isn't gpg-agent's ssh authentication socket.  You're trying to talk
to the normal gpg-agent socket, which likes to respond with "OK Pleased
to meet you" -- definitely not valid ssh-agent communication :)

Please try it with:

     SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

instead.  Or, place "enable-ssh-support" in ~/.gnupg/gpg-agent.conf and
let /etc/X11/Xsession.d/90gpg-agent set that variable for you.

> When I try to list keys I get:
>
>    $ ssh-add -L
>    error fetching identities for protocol 2: invalid format
>    The agent has no identities.
>
> Similarly attempting to SSH result in:
>
>    debug1: pubkey_prepare: ssh_fetch_identitylist: invalid format
>
> in the SSH verbose output.  If I manually disable all the systemd based
> activation and start gpg-agent from the command line with --daemon then
> the problem is resolved and I can happily authenticate.

using the same $SSH_AUTH_SOCK?  I'd be very surprised at this!!

> Severity important since this is preventing me logging into remote
> systems (including in my case kernel.org which is preventing me doing
> upstream kernel work right now).

Please let me know if using the ssh socket works for you.

Thanks,

        --dkg
[signature.asc (application/pgp-signature, inline)]
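The mismatch dkg describes, as an added example (not code from the thread, GnuPG or OpenSSH): a minimal parser for the ssh-agent identities reply, fed a constructed well-formed answer and the constructed Assuan greeting that the plain S.gpg-agent socket sends. The 256 KiB limit is OpenSSH's MAX_AGENT_REPLY_LEN; the key bytes and comment are placeholders.

```python
import struct

# Message types from the ssh-agent protocol (draft-miller-ssh-agent).
SSH2_AGENTC_REQUEST_IDENTITIES = 11
SSH2_AGENT_IDENTITIES_ANSWER = 12
# OpenSSH refuses any reply whose length prefix exceeds this (authfd.c).
MAX_AGENT_REPLY_LEN = 256 * 1024


def ssh_string(payload: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (big-endian uint32 length + payload)."""
    return struct.pack(">I", len(payload)) + payload


def read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset; return (payload, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("invalid format: truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("invalid format: truncated string payload")
    return buf[off:off + n], off + n


def parse_identities_reply(raw: bytes):
    """Parse an agent's answer to SSH2_AGENTC_REQUEST_IDENTITIES.

    Returns a list of (key_type, comment). Raises ValueError with an
    'invalid format' message where OpenSSH would, including when the
    bytes are an Assuan greeting instead of an ssh-agent frame.
    """
    if len(raw) < 4:
        raise ValueError("invalid format: short read")
    (length,) = struct.unpack(">I", raw[:4])
    if length > MAX_AGENT_REPLY_LEN:
        # The greeting's "OK P" decodes to 0x4F4B2050, over a gigabyte.
        raise ValueError(f"invalid format: reply length {length} too long")
    body = raw[4:4 + length]
    if (len(body) != length or len(body) < 5
            or body[0] != SSH2_AGENT_IDENTITIES_ANSWER):
        raise ValueError("invalid format: not an identities answer")
    (count,) = struct.unpack_from(">I", body, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(body, off)
        comment, off = read_string(body, off)
        key_type, _ = read_string(blob, 0)  # first field of every key blob
        keys.append((key_type.decode(), comment.decode()))
    return keys


# Constructed sample 1: a well-formed answer carrying one ed25519 key
# (the 32 public-key bytes are a placeholder, not a real key).
_blob = ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32)
_body = (bytes([SSH2_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
         + ssh_string(_blob) + ssh_string(b"user@laptop"))
GOOD_REPLY = ssh_string(_body)

# Constructed sample 2: what the plain S.gpg-agent (Assuan) socket sends
# on connect; ssh reads "OK P" as a frame length and gives up.
ASSUAN_GREETING = b"OK Pleased to meet you\n"
```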

Reply sent to Mark Brown <broonie@debian.org>:
You have taken responsibility. (Mon, 06 Feb 2017 16:27:06 GMT)


Notification sent to Mark Brown <broonie@debian.org>:
Bug acknowledged by developer. (Mon, 06 Feb 2017 16:27:06 GMT)


Message #15 received at 854376-done@bugs.debian.org:

From: Mark Brown <broonie@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: 854376-done@bugs.debian.org
Subject: Re: [pkg-gnupg-maint] Bug#854376: gnupg-agent: Broken with systemd
Date: Mon, 6 Feb 2017 16:22:53 +0000
On Mon, Feb 06, 2017 at 09:55:11AM -0500, Daniel Kahn Gillmor wrote:

> Please try it with:

>      SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

That works, thanks.

> instead.  Or, place "enable-ssh-support" in ~/.gnupg/gpg-agent.conf and
> let /etc/X11/Xsession.d/90gpg-agent set that variable for you.

I've already got SSH support enabled in the config (and have done for
some time), doing this manually is triggered by GNOME keyring having
come up with yet another way to force itself to be the SSH agent - I'm
currently working around this by manually overriding the agent.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#854376; Package gnupg-agent. (Mon, 06 Feb 2017 16:39:03 GMT)


Acknowledgement sent to Punit Agrawal <punitagrawal@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Mon, 06 Feb 2017 16:39:03 GMT)


Message #20 received at 854376@bugs.debian.org:

From: Punit Agrawal <punitagrawal@gmail.com>
To: 854376@bugs.debian.org
Subject: Unable to use gpg-agent as ssh-agent
Date: Mon, 6 Feb 2017 16:35:32 +0000
Not sure if it's related but gpg-agent stopped behaving as ssh
agent after updating the system today. On my machine, I have

% env | grep -i ssh
SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh

When trying to ssh, I run into

% ssh <remote-host>
sign_and_send_pubkey: signing failed: agent refused operation

"ssh-add -L" shows the key that should be used to log into the remote.

On further digging, I landed at
/usr/lib/systemd/user/gpg-agent-ssh.socket which doesn't seem to
be explicitly enabling ssh support. But I'm not familiar with
systemd units so might've misunderstood what's going on.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#854376; Package gnupg-agent. (Thu, 09 Feb 2017 00:57:06 GMT)


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Thu, 09 Feb 2017 00:57:06 GMT)


Message #25 received at 854376@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Punit Agrawal <punitagrawal@gmail.com>, 854376@bugs.debian.org
Subject: Re: [pkg-gnupg-maint] Bug#854376: Unable to use gpg-agent as ssh-agent
Date: Wed, 08 Feb 2017 19:42:33 -0500
Hi Punit--

On Mon 2017-02-06 11:35:32 -0500, Punit Agrawal wrote:
> Not sure if it's related but gpg-agent stopped behaving as ssh
> agent after updating the system today. On my machine, I have
>
> % env | grep -i ssh
> SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
>
> When trying to ssh, I run into
>
> % ssh <remote-host>
> sign_and_send_pubkey: signing failed: agent refused operation
>
> "ssh-add -L" shows that the key that should be used to log into the remote.
>
> On further digging, I landed at
> /usr/lib/systemd/user/gpg-agent-ssh.socket which doesn't seem to
> be explicitly enabling ssh support. But I'm not familiar with
> systemd units so might've misunderstood what's going on.

modern versions of gpg-agent have ssh support enabled by default.

If you're getting a refusal from the agent to sign the key, please let
me know:

 * what version of the gnupg-agent package?
 
 * what version of pinentry are you using by default? (e.g. the output
   of "readlink -f $(which pinentry)")

 * how are you launching your graphical environment? (e.g. "no graphical
   environment at all", or "startx", or "gdm" or some other display manager)

 * do you have dbus-user-session installed?


As a diagnostic workaround, can you try running the following and then
tell me whether gpg-agent starts working for you?

    gpg-connect-agent updatestartuptty /bye

Regards,

    --dkg
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#854376; Package gnupg-agent. (Thu, 09 Feb 2017 12:27:06 GMT)


Acknowledgement sent to Punit Agrawal <punitagrawal@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Thu, 09 Feb 2017 12:27:06 GMT)


Message #30 received at 854376@bugs.debian.org:

From: Punit Agrawal <punitagrawal@gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: 854376@bugs.debian.org
Subject: Re: [pkg-gnupg-maint] Bug#854376: Unable to use gpg-agent as ssh-agent
Date: Thu, 9 Feb 2017 12:25:17 +0000
Hi Daniel,

Responses inline.

On Thu, Feb 9, 2017 at 12:42 AM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> Hi Punit--
>
> On Mon 2017-02-06 11:35:32 -0500, Punit Agrawal wrote:
>> Not sure if it's related but gpg-agent stopped behaving as ssh
>> agent after updating the system today. On my machine, I have
>>
>> % env | grep -i ssh
>> SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
>>
>> When trying to ssh, I run into
>>
>> % ssh <remote-host>
>> sign_and_send_pubkey: signing failed: agent refused operation
>>
>> "ssh-add -L" shows that the key that should be used to log into the remote.
>>
>> On further digging, I landed at
>> /usr/lib/systemd/user/gpg-agent-ssh.socket which doesn't seem to
>> be explicitly enabling ssh support. But I'm not familiar with
>> systemd units so might've misunderstood what's going on.
>
> modern versions of gpg-agent have ssh support enabled by default.
>
> If you're getting a refusal from the agent to sign the key, please let
> me know:
>
>  * what version of the gnupg-agent package?

I've got version 2.1.18-3 of the package (I'm running testing)

>
>  * what version of pinentry are you using by default? (e.g. the output
>    of "readlink -f $(which pinentry)")

% readlink -f $(which pinentry)
/usr/bin/pinentry-qt

>
>  * how are you launching your graphical environment? (e.g. "no graphical
>    environment at all", or "startx", or "gdm" or some other display manager)

sddm

>
>  * do you have dbus-user-session installed?

No.

>
>
> As a diagnostic workaround, can you try running the following and then
> tell me whether gpg-agent starts working for you?
>
>     gpg-connect-agent updatestartuptty /bye

After executing the above command, gpg-agent starts working for me. :)

As a further test, I killed the gpg-agent process

% pkill gpg-agent

and then I'm back to the agent refusing to sign the key -

% ssh <hostname>
sign_and_send_pubkey: signing failed: agent refused operation

at which point re-executing "gpg-connect-agent updatestartuptty /bye"
makes it work again.

I've got the following in my environment variables -

% env | grep -iE "gpg|ssh"
GPG_AGENT_INFO=/run/user/1000/gnupg/S.gpg-agent:0:1
SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
GPG_TTY=/dev/pts/2

Let me know if there is anything else I can add to help get to the
bottom of the problem.

Thanks,
Punit



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#854376; Package gnupg-agent. (Fri, 10 Feb 2017 20:42:04 GMT)


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Fri, 10 Feb 2017 20:42:04 GMT)


Message #35 received at 854376@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Punit Agrawal <punitagrawal@gmail.com>
Cc: 854376@bugs.debian.org
Subject: Re: [pkg-gnupg-maint] Bug#854376: Unable to use gpg-agent as ssh-agent
Date: Fri, 10 Feb 2017 14:37:29 -0500
Hi Punit--

On Thu 2017-02-09 07:25:17 -0500, Punit Agrawal wrote:
> I've got version 2.1.18-3 of the package (I'm running testing)

> % readlink -f $(which pinentry)
> /usr/bin/pinentry-qt

> sddm

>>  * do you have dbus-user-session installed?
>
> No.

Thanks for the feedback!

The problem that you're having is because ssh does not tell gpg-agent
anything about how to contact the user, and gpg-agent is started as a
service by systemd.

I believe that if you were to install dbus-user-session, fully log out,
and then log back in again with sddm, gpg-agent would get launched when
asked with the correct $DISPLAY environment variable, and your ssh
attempt would just work, without needing to do the updatestartuptty
dance.

The gnupg-agent package Suggests: dbus-user-session to facilitate
exactly your use case.

Please let me know if dbus-user-session works for you!

       --dkg
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#854376; Package gnupg-agent. (Mon, 13 Feb 2017 10:27:15 GMT)


Acknowledgement sent to Punit Agrawal <punitagrawal@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Mon, 13 Feb 2017 10:27:15 GMT)


Message #40 received at 854376@bugs.debian.org:

From: Punit Agrawal <punitagrawal@gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 854376@bugs.debian.org
Subject: Re: Bug#854376: [pkg-gnupg-maint] Bug#854376: Unable to use gpg-agent as ssh-agent
Date: Mon, 13 Feb 2017 10:26:30 +0000
Hi Daniel,

On Fri, Feb 10, 2017 at 7:37 PM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> Hi Punit--
>
> On Thu 2017-02-09 07:25:17 -0500, Punit Agrawal wrote:
>> I've got version 2.1.18-3 of the package (I'm running testing)
>
>> % readlink -f $(which pinentry)
>> /usr/bin/pinentry-qt
>
>> sddm
>
>>>  * do you have dbus-user-session installed?
>>
>> No.
>
> Thanks for the feedback!
>
> The problem that you're having is because ssh does not tell gpg-agent
> anything about how to contact the user, and gpg-agent is started as a
> service by systemd.
>
> I believe that if you were to install dbus-user-session, fully log out,
> and then log back in again with sddm, gpg-agent would get launched when
> asked with the correct $DISPLAY environment variable, and your ssh
> attempt would just work, without needing to do the updatestartuptty
> dance.
>
> The gnupg-agent package Suggests: dbus-user-session to facilitate
> exactly your use case.
>
> Please let me know if dbus-user-session works for you!

I can confirm that installing dbus-user-session and logging out and
back in fixed the issue. I got asked for the ssh key passphrase and
was able to log in with the key onto a remote machine. :)

I think I found it a bit confusing as I went from a working setup to a
not-working one without me doing anything other than upgrade the
system. Not sure what can be done to ease the transition though.

Thanks a lot for taking the time to dig into the issue and explain
what's going on.

Cheers,
Punit

>
>        --dkg



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#854376; Package gnupg-agent. (Mon, 13 Feb 2017 16:45:06 GMT)


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Mon, 13 Feb 2017 16:45:06 GMT)


Message #45 received at 854376@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Punit Agrawal <punitagrawal@gmail.com>, 854376@bugs.debian.org
Subject: Re: Bug#854376: [pkg-gnupg-maint] Bug#854376: Unable to use gpg-agent as ssh-agent
Date: Mon, 13 Feb 2017 11:40:16 -0500
On Mon 2017-02-13 05:26:30 -0500, Punit Agrawal wrote:
> I can confirm that installing dbus-user-session and logging out and
> back in fixed the issue. I got asked for the ssh key passphrase and
> was able to log in with the key onto a remote machine. :)

great to hear!  thanks for following up, Punit.

> I think I found it a bit confusing as I went from a working setup to a
> not-working one without me doing anything other than upgrade the
> system. Not sure what an be done to ease the transition though.

Yeah, i hear you :( We could force dbus-user-session as an explicit
dependency, but that would likely be met with howls of outrage at
dependency creep.

Perhaps it's worth considering moving dbus-user-session at least from
Suggests: to Recommends: though, given that the gpg-agent's model is
really the same as the dbus-user-session model.  I'll consider that for
future updates.

       --dkg
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 Mar 2017 07:29:33 GMT)

