
Comments (17)

ravron commented on July 23, 2024 (5)

Also, is there a more generic way to ping the OpenPGP card to prompt me for a pin, rather than running a dummy decryption or signing request?

I can at least answer this. Try:

$ gpg-connect-agent 'scd serialno' /bye

to get your card's serial number. Then:

$ gpg-connect-agent 'scd checkpin <serial>' /bye

putting your card's serial number instead of <serial>. This should prompt for your card's PIN if needed. The serial number shouldn't change, so you can create a shell alias if you like.

from yubikey-guide.
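A shell helper that scripts the two steps above, added here as an example (it is not code from the thread or from yubikey-guide): it parses the serial out of the agent's reply rather than trusting a fixed field position, first points the agent at the current terminal with updatestartuptty (discussed further down the thread), and treats a missing card or a non-OK reply as failure. The serial in the comments is a constructed sample; gpg_unlock is the assumed name of the helper.

```shell
# Added example, not code from the thread or from yubikey-guide.
# Source this from a shell startup file and run gpg_unlock before ssh/git.
# gpg-connect-agent answers in Assuan lines, e.g. (constructed sample serial):
#   S SERIALNO D2760001240102010006012345670000
#   OK
# or "ERR <code> <text>" when no card is present or the PIN was rejected.

# Extract the serial from raw gpg-connect-agent output on stdin.
# Prints the serial and returns 0; prints nothing and returns 1 if absent.
gpg_card_serial_from_output() {
  awk '$1 == "S" && $2 == "SERIALNO" { print $3; found = 1 }
       END { exit !found }'
}

# Return 0 only if the last non-empty reply line on stdin is "OK".
gpg_reply_ok() {
  awk 'NF { last = $1 } END { exit (last == "OK") ? 0 : 1 }'
}

# Ask the running agent for the card serial (the "scd serialno" step above).
gpg_card_serial() {
  gpg-connect-agent 'scd serialno' /bye | gpg_card_serial_from_output
}

# Point pinentry at this tty, then force a PIN check so the card unlocks now,
# instead of relying on the prompt appearing during a later ssh call.
gpg_unlock() {
  gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1 || return 1
  serial=$(gpg_card_serial) || {
    echo "gpg_unlock: no card serial reported (is the YubiKey inserted?)" >&2
    return 1
  }
  # "scd checkpin" prompts only while the card is still locked and replies
  # OK once the PIN is verified; a wrong PIN or missing card yields ERR.
  gpg-connect-agent "scd checkpin $serial" /bye | gpg_reply_ok
}
```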

netflash commented on July 23, 2024 (3)

another option is to add these two lines to a .bash_profile

GPG_TTY=$(tty)
export GPG_TTY

hewers commented on July 23, 2024 (2)
SERIAL=$(gpg-connect-agent 'scd serialno' /bye | head -n 1 | cut -f3 -d' ')
gpg-connect-agent "scd checkpin $SERIAL" /bye

moonmeister commented on July 23, 2024 (1)
# add alias for ssh to update the tty
alias ssh="gpg-connect-agent updatestartuptty /bye >/dev/null; ssh"

Add this to your .bashrc or something else that gets loaded on login (Mac/Linux); Windows would be different.

Just makes sure everything is connected and happy to make it more consistent.

cboettig commented on July 23, 2024 (1)

@SamMorrowDrums never found a really nice solution to this; every now and then I just don't get prompted to unlock, particularly on ssh-based tasks. My workaround has been to just make a dummy decryption call, gpg -d somefile.gpg, which usually prompts me for a pin whenever the card is locked, and then I can repeat my ssh-based command again.

In rare cases I'm told to 'insert key with id XXX' and I have to remove and re-insert the yubikey; I believe this is due to switching between yubikey GPG functions vs the other built-in functions (like the yubico authenticator app for those apps that still don't support U2F).

auxiliumknowledge commented on July 23, 2024 (1)

In case anyone still needs a solution for this annoying behaviour, it may be the following: even with export GPG_TTY=$(tty) in your shell's startup files, gpg still does not know where to display the pin-entry. But if you invoke echo "UPDATESTARTUPTTY" | gpg-connect-agent > /dev/null 2>&1 and try again, you will be prompted for your pin as expected.

So if your shell startup looks something like this:

export GNUPGHOME="${HOME}/.gnupg" 
export PINENTRY_USER_DATA="USE_CURSES=1" # not relevant to the problem
export GPG_TTY="$(tty)"

export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) # like in the guide
gpgconf --launch gpg-agent # like in the guide

echo "UPDATESTARTUPTTY" | gpg-connect-agent > /dev/null 2>&1

you should be able to use ssh without any of the workarounds above. This is tested twice under macOS 13.3.1.
Let me know if this helped you.

msm-code commented on July 23, 2024 (1)

I had multiple problems with configuring that - I use tmux and TTYs got mixed all the time for some reason.

But @auroraunit217's response got me on the right track, and I fixed my problem by changing the pinentry flavour to qt.

Not sure how to do this in a vanilla config. In NixOS that's:

services.gpg-agent.pinentryFlavor = "qt";

By the way, a command that may help y'all with debugging is journalctl -fan100.

cboettig commented on July 23, 2024

nice suggestion. (Would need a few tweaks in my case as it's usually a git push or mosh or other command that is just going to ssh under the hood, rather than a literal ssh.) Good to know that gpg-connect-agent updatestartuptty /bye is the appropriate way to trigger this, I may at least alias that to something like

alias gpg-unlock="gpg-connect-agent updatestartuptty /bye"

cboettig commented on July 23, 2024

hmm... gpg-connect-agent updatestartuptty /bye reports "OK" without prompting me for a pin to unlock, and seems the card is still locked. For the moment I've aliased alias gpg-unlock="gpg -d dummy.gpg &> /dev/null" but obviously this feels very hack-y.

moonmeister commented on July 23, 2024

@cboettig gpg-connect-agent won't prompt for a pin; it just makes sure the gpg agent is working and the current terminal is targeted by your pinentry. When ssh/git/mosh etc. try to use the gpg-agent for ssh, the pinentry will get triggered.

moonmeister commented on July 23, 2024

@netflash also works, I do both.

cboettig commented on July 23, 2024

Thanks @netflash, I have that in my bash profile (as per this guide):

export GPG_TTY=$(tty)
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent

but I'm still not prompted for my pin on ssh calls, only on gpg decrypt or sign calls. Not sure why or what I've missed.

netflash commented on July 23, 2024

If you run ssh-add -l, do you see a key with the cardno in the comment section?

cboettig commented on July 23, 2024

@netflash yes, ssh-add -l shows my key with the correct cardno in the comment section.

netflash commented on July 23, 2024

well... the output of ssh -vvvv would help

drduh commented on July 23, 2024

Please send a PR if you figure it out and can explain it to others in the guide.

SamMorrowDrums commented on July 23, 2024

If others are having the same issue as me: it goes incredibly slow and eventually just says sign_and_send_pubkey: signing failed for RSA "/home/xxxx/.ssh/id_rsa_yubikey.pub" from agent: agent refused operation
