Comments (17)
Also, is there a more generic way to ping the OpenPGP card to prompt me for a PIN, rather than running a dummy decryption or signing request?
I can at least answer this. Try:
$ gpg-connect-agent 'scd serialno' /bye
to get your card's serial number. Then:
$ gpg-connect-agent 'scd checkpin <serial>' /bye
putting your card's serial number instead of <serial>. This should prompt for your card's PIN if needed. The serial number shouldn't change, so you can create a shell alias if you like.
from yubikey-guide.
another option is to add these two lines to a .bash_profile
GPG_TTY=$(tty)
export GPG_TTY
from yubikey-guide.
SERIAL=$(gpg-connect-agent 'scd serialno' /bye | head -n 1 | cut -f3 -d' ')
gpg-connect-agent "scd checkpin $SERIAL" /bye
from yubikey-guide.
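A safer form of the serial/checkpin recipe above, as an added example that is not from the guide or any commenter. gpg-connect-agent answers in Assuan status lines, so the head/cut one-liner works only while a card is present; with no card the reply is an error line, the third field of which is the word "No", and the alias would then run "scd checkpin No". The sample replies in the comments are constructed; the commands and the reply format are real.

```shell
# Added example (not from the guide or any commenter): a safer form of the
# SERIAL=$(gpg-connect-agent 'scd serialno' /bye | head -n 1 | cut -f3 -d' ')
# recipe. gpg-connect-agent answers with Assuan status lines; with a card
# present the reply looks like this (constructed sample):
#   S SERIALNO D2760001240102010006123456780000
#   OK
# and with no card it is an error line such as (constructed sample):
#   ERR 100696144 No such device <SCD>
# The head/cut one-liner turns that error into SERIAL=No and then runs
# "scd checkpin No"; this version only accepts a genuine SERIALNO line.

# Parse a captured reply on stdin. Prints the serial and returns 0,
# or prints nothing and returns 1 if no SERIALNO status line is present.
serial_from_reply() {
    awk '
        $1 == "S" && $2 == "SERIALNO" && $3 ~ /^[0-9A-Fa-f]+$/ {
            print $3; found = 1; exit
        }
        END { if (found) exit 0; exit 1 }
    '
}

# Ask scdaemon for the serial of the inserted card.
card_serial() {
    gpg-connect-agent 'scd serialno' /bye | serial_from_reply
}

# Force a PIN prompt for the card on this terminal: first tell the agent
# which tty pinentry should use, then issue the checkpin from the thread.
gpg_unlock() {
    serial=$(card_serial) || {
        echo "gpg_unlock: no OpenPGP card reported by scdaemon" >&2
        return 1
    }
    gpg-connect-agent updatestartuptty /bye >/dev/null
    gpg-connect-agent "scd checkpin $serial" /bye
}

# Usage (interactive, with the card inserted): gpg_unlock
```

Source the file from your shell startup and call gpg_unlock instead of the dummy-decrypt alias; it fails with a clear message when the card is absent rather than sending a bogus serial to scdaemon.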
# add alias for ssh to update the tty
alias ssh="gpg-connect-agent updatestartuptty /bye >/dev/null; ssh"
add this to your .bashrc or something else that gets loaded on login (mac/linux); windows would be different.
It just makes sure everything is connected and happy, to make it more consistent.
from yubikey-guide.
@SamMorrowDrums never found a really nice solution to this, every now and then I just don't get prompted to unlock, particularly on ssh-based tasks. My workaround has been to just make a dummy decryption call, gpg -d somefile.gpg, which usually prompts me for a PIN whenever the card is locked, and then I can repeat my ssh-based command again.
In rare cases I'm told to 'insert key with id XXX' and I have to remove and re-insert the yubikey, I believe this is due to switching between yubikey GPG functions vs the other built-in functions (like yubico authenticator app for those apps that still don't support U2F)
from yubikey-guide.
In case anyone still needs a solution for this annoying behaviour, it may be the following: Even with export GPG_TTY=$(tty) in your shell's startup files, gpg still does not know where to display the pinentry. But if you invoke echo "UPDATESTARTUPTTY" | gpg-connect-agent > /dev/null 2>&1 and try again, you will be prompted for your PIN as expected.
So if your shell startup looks something like this:
export GNUPGHOME="${HOME}/.gnupg"
export PINENTRY_USER_DATA="USE_CURSES=1" # not relevant to the problem
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) # like in the guide
gpgconf --launch gpg-agent # like in the guide
echo "UPDATESTARTUPTTY" | gpg-connect-agent > /dev/null 2>&1
you should be able to use ssh without any of the workarounds above. This is tested twice under macOS 13.3.1.
Let me know if this helped you.
from yubikey-guide.
I had multiple problems with configuring that - I use tmux and TTYs got mixed all the time for some reason.
But @auroraunit217 response got me on the right track, and I fixed my problem by changing pinentry flavour to qt.
Not sure how to do this in vanilla config; in NixOS that's:
services.gpg-agent.pinentryFlavor = "qt";
By the way, a command that may help y'all with debugging is journalctl -fan100.
from yubikey-guide.
nice suggestion. (Would need a few tweaks in my case as it's usually a git push or mosh or other command that is just going to ssh under the hood, rather than a literal ssh.) Good to know that gpg-connect-agent updatestartuptty /bye is the appropriate way to trigger this, I may at least alias that to something like
alias gpg-unlock="gpg-connect-agent updatestartuptty /bye"
from yubikey-guide.
hmm... gpg-connect-agent updatestartuptty /bye reports "OK" without prompting me for a PIN to unlock, and it seems the card is still locked. For the moment I've aliased alias gpg-unlock="gpg -d dummy.gpg &> /dev/null", but obviously this feels very hacky.
from yubikey-guide.
@cboettig gpg-connect-agent won't prompt for a PIN, it just makes sure the gpg agent is working and the current terminal is targeted by your pinentry. When ssh/git/mosh etc. try to use gpg-agent for ssh, the pinentry will get triggered.
from yubikey-guide.
@netflash also works, I do both.
from yubikey-guide.
Thanks @netflash, I have that in my bash profile (as per this guide):
export GPG_TTY=$(tty)
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
but I'm still not prompted for my PIN on ssh calls, only on gpg decrypt or sign calls. Not sure why or what I've missed.
from yubikey-guide.
if you run ssh-add -l, do you see a key with the cardno in the comment section?
from yubikey-guide.
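A checklist function for the "ssh never prompts for my PIN" symptom, as an added example that is not from the guide or any commenter. It verifies what the shell-startup snippet earlier in the thread sets up (GPG_TTY, SSH_AUTH_SOCK, a reachable agent) and then answers the ssh-add -l question above mechanically. The commands are real; the assumption is that gpg-agent labels card-backed keys in ssh-add -l with a "cardno:<serial>" comment, and the sample ssh-add output used to exercise the parser is constructed.

```shell
# Added example, not from the guide or any commenter: a checklist for the
# "ssh never prompts for my PIN" symptom. Assumption: gpg-agent labels
# card-backed keys in ssh-add -l with a "cardno:<serial>" comment, e.g.
# (constructed sample line):
#   4096 SHA256:AAAA cardno:000612345678 (RSA)

# Pure helper: print the serial of every "cardno:" key in captured
# ssh-add -l output (one per line); prints nothing if there is none.
card_key_serials() {
    sed -n 's/.*cardno:\([^ ]*\).*/\1/p'
}

# Run the checks in the order the thread's startup snippet sets things up.
# Returns 0 only if every check passed.
gpg_ssh_doctor() {
    rc=0
    here=$(tty)
    if [ "$GPG_TTY" != "$here" ]; then
        echo "WARN: GPG_TTY='$GPG_TTY' but this terminal is $here" >&2
        rc=1
    fi
    want=$(gpgconf --list-dirs agent-ssh-socket)
    if [ "$SSH_AUTH_SOCK" != "$want" ]; then
        echo "FAIL: SSH_AUTH_SOCK='$SSH_AUTH_SOCK'; gpg-agent's ssh socket is $want" >&2
        rc=1
    fi
    if ! gpg-connect-agent 'getinfo version' /bye >/dev/null 2>&1; then
        echo "FAIL: gpg-agent not reachable (try: gpgconf --launch gpg-agent)" >&2
        rc=1
    fi
    serials=$(ssh-add -l 2>/dev/null | card_key_serials)
    if [ -z "$serials" ]; then
        echo "FAIL: ssh-add -l lists no cardno: key; is the card inserted and does gpg --card-status show an authentication key?" >&2
        rc=1
    else
        echo "OK: card-backed ssh key(s) on serial(s): $serials"
    fi
    # Re-target pinentry at this terminal, as the UPDATESTARTUPTTY tip does.
    gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1
    return $rc
}

# Usage (interactive): gpg_ssh_doctor && ssh -vvv user@host
```

If the doctor reports a wrong SSH_AUTH_SOCK, that is the usual reason ssh silently uses a different agent (or none) and never reaches pinentry; if everything passes but ssh still hangs, the ssh -vvvv output requested below is the next thing to look at.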
@netflash yes, ssh-add -l shows my key with the correct cardno in the comment section.
from yubikey-guide.
well... the output of ssh -vvvv would help
from yubikey-guide.
Please send a PR if you figure it out and can explain it to others in the guide.
from yubikey-guide.
If others are having the same issue as me - it goes incredibly slow and eventually just says sign_and_send_pubkey: signing failed for RSA "/home/xxxx/.ssh/id_rsa_yubikey.pub" from agent: agent refused operation
from yubikey-guide.