(solved) gpg-agent (or pinentry) + ssh (or su) not working on Linux / Unix

The case: you connect to a remote computer with ”ssh”, or maybe you just do ”su” to become another unix user, then start something like

gpg-agent --daemon /bin/bash

or maybe you worked hard so that ”gpg-agent” is launched from your ”.profile” or something like that.

Then, you try to decrypt a file:

gpg -d my-file.gpg

and you expect ”gpg” to enter into some dialog to ask you the passphrase. Furthermore, you expect that you won’t have to enter the passphrase again if you decrypt the same file once more a few minutes from now. And at the very least, if ”gpg-agent” can’t remember the passphrase, you might expect it to fall back on some mechanism to ask you the passphrase.

But none of this happens. Instead, no dialog appears at all (how stressful!) and you get, among other things:

gpg: cancelled by user

and even

gpg: public key decryption failed: bad passphrase
gpg: decryption failed: secret key not available

What went wrong?

”pinentry” or the corresponding PIN entry program is installed and found by ”gpg-agent”; otherwise you would see an error like

gpg: problem with the agent - disabling agent use

and a fallback on ”gpg”’s internal passphrase input.

What I suspect very much, at least what I did, is that you performed an ”su” since you logged in with ”ssh”. Looking at the tty:

tronche@dev1:~$ ls -l `tty`
crw------- 1 root tty 136, 2 2011-08-20 20:52 /dev/pts/2

root is owning my tty (I logged in as root. Yes, I know), and I’m user tronche.

The point is that ”pinentry” gets the tty name from ”gpg-agent”. Then, ”pinentry” opens that tty read / write to perform its dialog. If you don’t own the tty, the open fails, and rightly so. For example, you logged in as root, so root owns the tty; then you ”su”-ed to a regular user, the one executing ”gpg-agent” and thus ”pinentry”, and this user can’t open the tty to run the PIN entry dialog.

Side note: the documentation states that the shell environment variable ”GPG_TTY” should be set, but on my Ubuntu 10, ”gpg-agent” figures out very well by itself what the tty is, so you don’t really need that.

What solutions?

  • Don’t do ”su”. Log in as the user running ”gpg-agent”. Obvious.
  • If, for some reason, you log in as root and then change to another user, you can (as root) ”chown” the tty to that user; that’ll do the trick.
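To check the situation above before ”gpg” fails on you, here is a small diagnostic script I am adding to this post (it is not part of GnuPG or ”pinentry”). It parses an ”ls -l” line for the tty, exactly like the one shown earlier, and reports whether the user running ”gpg-agent” could open that tty read/write; group permissions are deliberately ignored in this simplified check.

```shell
#!/bin/sh
# Reproduce the check that pinentry effectively performs on the tty
# gpg-agent hands it: can the user running gpg-agent open it read/write?
#
# diagnose_tty_line: takes one "ls -l <tty>" line and a user name, prints a
# verdict and returns 0 (pinentry can use the tty) or 1 (it will fail).
# Group permissions are not considered here (simplifying assumption).
diagnose_tty_line() {
    line="$1"
    user="$2"
    mode=$(printf '%s\n' "$line" | awk '{print $1}')    # e.g. crw-------
    owner=$(printf '%s\n' "$line" | awk '{print $3}')   # e.g. root
    dev=$(printf '%s\n' "$line" | awk '{print $NF}')    # e.g. /dev/pts/2
    user_rw=$(printf '%s\n' "$mode" | cut -c2-3)        # owner bits
    other_rw=$(printf '%s\n' "$mode" | cut -c8-9)       # world bits

    # Owner with read+write: pinentry can prompt and read the passphrase.
    if [ "$owner" = "$user" ] && [ "$user_rw" = "rw" ]; then
        echo "$dev: owned by $user, mode $mode: pinentry can open it"
        return 0
    fi
    # World read/write also works, although that is unusual for a pts.
    if [ "$other_rw" = "rw" ]; then
        echo "$dev: mode $mode is world read/write: pinentry can open it"
        return 0
    fi
    echo "$dev: owned by $owner, mode $mode: $user cannot open it read/write"
    echo "pinentry will fail; as root, fix it with: chown $user $dev"
    return 1
}

# check_my_tty: run the diagnosis on the current shell's tty, for the
# current user (the one that would be running gpg-agent after an su).
check_my_tty() {
    t=$(tty) || { echo "not attached to a tty"; return 1; }
    diagnose_tty_line "$(ls -l "$t")" "$(id -un)"
}
```

Run ”check_my_tty” in the shell where you start ”gpg-agent”; a non-zero exit means ”pinentry” will not be able to open the tty.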