GnuPGv2 & 'pinentry' on Linux w/ remote access


GnuPGv2 & 'pinentry' on Linux w/ remote access

GnuPG - User mailing list
Hi!

Some time ago in March I was asking about the way the pinentry works and
I have not yet been able to get this working properly.

I have this vim macro that automatically decrypts and encrypts files
named .gpg. I use this in a terminal through SSH on my server and it
basically pipes a buffer through 'gpg -qd' and 'gpg -ae'.

Recently upgraded that server, and now this does not work anymore.
GPG just exits stating 'No secret key' while running that exact
command on the shell pops up the pinentry thingy and works fine.

Another situation (still) is my PC at work. It has my X session running
mostly always. I access it through SSH too with the same user account
and like to work there, but I can't do anything with GPG on a remotely
connected shell to this machine: The pinentry will consistently pop up
on the X display on that machine instead of the controlling tty (my ssh)
requesting the decryption.

I've had varying success with exporting GPG_TTY and updatestartuptty,
usually having to restart gpg-agent. To try and keep this workable I
ended up wrapping gpg in a script that sets GPG_TTY, kills all
gpg-agent, starts it, runs gpg...

Then when a tool is not using the wrapper this results in pinentry
plopping up on terminals where I did not expect them, but it is the
terminal i last used the wrapper in.

It's rather cumbersome and very dodgy at least. How do others deal with
this? Or is everyone using GPG solely in GUI environments nowadays? ;)

Any insights welcome!
Sorry for the ranty mail.
I'm a nice guy. Really.

Rgds,
Sndr.
--
| Rookworst zonder 'r' is ook worst!
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

ryan
Hi Sander,

I also was frustrated with how GPG pinentry worked by default.  In
particular, I *almost* always want to use the ncurses pinentry, unless
through a key shortcut my window manager tries to call gpg (for my
password manager).  But if I want to encrypt a file with mutt, I don't
want a popup!  I hate popups!

What I did was write a custom pinentry wrapper, which I call rpinentry.
It just dispatches either the curses-based pinentry or a gui pinentry
based on the environment variable PINENTRY_USER_DATA which is read by
gpg and passed to the pinentry program, for jobs like this:

    #!/bin/sh
    # rpinentry: choose a pinentry based on PINENTRY_USER_DATA, which gpg
    # forwards from the caller's environment through gpg-agent to pinentry.

    # POSIX sh compares strings with a single '=' ('==' is a bashism that
    # fails under /bin/sh on systems where it is dash).
    if [ "$PINENTRY_USER_DATA" = "terminal" ] ; then
        # always use the terminal if one is handy
        exec /usr/bin/pinentry-curses
    else
        # otherwise DISPLAY info is passed on command line, just forward it
        exec /usr/bin/pinentry-qt "$@"
    fi

Then in ~/.gnupg/gpg-agent.conf I set it to be my default pinentry
program:

    pinentry-program /path/to/rpinentry

In my ~/.bashrc I have the following two lines:

    export PINENTRY_USER_DATA="terminal"
    export GPG_TTY=$(tty)

Then in the config file for my window manager, I have the equivalent of:

    export PINENTRY_USER_DATA=qt

So this covers all of my bases.  If I do something that calls GPG from a
terminal, I get a curses-based pinentry prompt, because each individual
terminal has PINENTRY_USER_DATA set to "terminal" and GPG_TTY set
properly as soon as it is opened, thanks to my ~/.bashrc.

If my window manager does something which calls GPG (just my password
manager, really), then when the window manager spawns gpg it passes
PINENTRY_USER_DATA set to "qt" and I get a gui popup.

I think my setup might be almost a drop-in fix for your gpg-over-ssh
issue, although you will have to figure out where to set the environment
variable for your particular window manager.

Ryan


Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

Werner Koch
In reply to this post by GnuPG - User mailing list
On Mon,  6 Nov 2017 22:49, [hidden email] said:

> It's rather cumbersome and very dodgy at least. How do others deal with
> this? Or is everyone using GPG solely in GUI environments nowadays? ;)

If I want to test the curses Pinentry I simply run

  DISPLAY= gpg ...

and get the curses pinentry even when using an xterm (which is my usual
environment). For example you could start mutt the same way

  DISPLAY= mutt

and you get the curses.  Drawback is that you won't get an image viewer
either.

Instead of using the envvar you could also invoke gpg like

  gpg --display=none ....

which sets the display to none and pinentry will fallback to curses.
Using "none" is not really correct but --display requires an option and
does not like an empty string.

It is also possible to write a pinentry which depends on the actual
program invoking gpg: gpg-agent tells pinentry the pid of the process
invoking gpg; e.g.

  OPTION owner=9798 wheatstone

The current development version of Pinentry uses this info on Linux to
show the process name in the titlebar.



Salam-Shalom,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

GnuPG - User mailing list
In reply to this post by GnuPG - User mailing list
Quoting Ryan Beethe ([hidden email]):

> I think my setup might be almost a drop-in fix for your gpg-over-ssh
> issue, although you will have to figure out where to set the
> environment variable for your particular window manager.

Thanks for your tips and tricks. It's the less bodgy version of the
"wrapper" I wrote. I've adapted them to my system and it seems this is
actually working for the remote-ssh-on-a-system-running-X issue.

However, I still can't use 'gpg -qd' in vim like so:

| augroup GPGEncrypted
|     au!
|     au BufReadPre,FileReadPre      *.asc,*.gpg set viminfo=
|     au BufReadPre,FileReadPre      *.asc,*.gpg set noswapfile
|     au BufReadPre,FileReadPre      *.asc,*.gpg set bin
|     au BufReadPre,FileReadPre      *.asc,*.gpg let ch_save = &ch|set ch=2
|     au BufReadPost,FileReadPost    *.asc,*.gpg '[,']!gpg -qd 2> /dev/null
|     au BufReadPost,FileReadPost    *.asc,*.gpg set nobin
|     au BufReadPost,FileReadPost    *.asc,*.gpg let &ch = ch_save|unlet ch_save
|     au BufReadPost,FileReadPost    *.asc,*.gpg execute ":doautocmd BufReadPost " . expand("%:r")
|     au BufReadPost,FileReadPost    *.asc,*.gpg set ff=unix
|     au BufWritePre,FileWritePre    *.asc,*.gpg '[,']!gpg -ae 2>/dev/null
|     au BufWritePost,FileWritePost  *.asc,*.gpg u
| augroup END

It seems pinentry(-curses) doesn't want to start from within vim.

Do you also have any brilliant ideas there?

Rgds,
Sndr.
--
| Cat, n.: Lapwarmer with built-in buzzer.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2


Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

GnuPG - User mailing list
In reply to this post by Werner Koch
Quoting Werner Koch ([hidden email]):

> > It's rather cumbersome and very dodgy at least. How do others deal with
> > this? Or is everyone using GPG solely in GUI environments nowadays? ;)
> The current development version of Pinentry uses this info on Linux to
> show the process name in the titlebar.

Thanks for your insights and continued efforts to keep our data safe!

Could you elaborate on the 'why' part of this enforced pinentry usage
with GnuPG? It wasn't mandatory in 1.x, now it's forced on us.

Where did that come from?
What problem did it solve?

Thanks again,
-Sndr.
--
| Bakers trade bread recipes on a knead to know basis.  
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2


Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

ryan
In reply to this post by GnuPG - User mailing list
Well... it happens that when I copy your script to my archlinux machine,
everything works fine.

It also happens that when I copy your script into my ubuntu machine, I
had to change both references of `gpg` to `gpg2`, since in ubuntu gpg is
not the same program as gpg2.  I also would find it convenient to add a
`--default-recipient-self` to the `gpg2 -ea` line, but maybe that's just
me.  If the same change works for you, perhaps you have an
"alias gpg=gpg2" in your ~/.bashrc, causing your shell to behave
differently than vim?

Personally, I use a plugin (https://github.com/jamessan/vim-gnupg) and I
have never had problems.  Then in my ~/.vimrc, I just had to set:

    let GPGUsePipes=1
    let GPGDefaultRecipients=['[hidden email]']


Ryan


Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

Dan Kegel-2
In reply to this post by GnuPG - User mailing list
On Tue, Nov 7, 2017 at 5:45 AM, Sander Smeenk via Gnupg-users
<[hidden email]> wrote:
> Could you elaborate on the 'why' part of this enforced pinentry usage
> with GnuPG? It wasn't mandatory in 1.x, now it's forced on us.
>
> Where did that come from?
> What problem did it solve?

I'm curious, too.

It sure makes scripting hard.
- Dan


Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

GnuPG - User mailing list
In reply to this post by GnuPG - User mailing list
Quoting Ryan Beethe ([hidden email]):

> Well... it happens that when I copy your script to my archlinux
> machine, everything works fine.

Are you sure your key wasn't already unlocked in the gpg-agent?


> It also happens that when I copy your script into my ubuntu machine, I
> had to change both references of `gpg` to `gpg2`, [ .. ]

Yes, thanks for that hint but it is not my case.
I made the deliberate step and now only use GnuPG 2.x


> Personally, I use a plugin (https://github.com/jamessan/vim-gnupg) and
> I have never had problems.  Then in my ~/.vimrc, I just had to set:
>     let GPGUsePipes=1
>     let GPGDefaultRecipients=['[hidden email]']

Wow! Quite some code for decrypting a file!
I'll give it a shot after I learn how to use that beast.


Rgds,
Sndr.
--
| It’s hard to explain puns to kleptomaniacs
| because they always take things literally.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2


Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

ryan
On Wed, Nov 08, 2017 at 10:50:45AM +0100, Sander Smeenk via Gnupg-users wrote:
> Quoting Ryan Beethe ([hidden email]):
>
> > Well... it happens that when I copy your script to my archlinux
> > machine, everything works fine.
>
> Are you sure your key wasn't already unlocked in the gpg-agent?

Yes, I reset my gpg-agent (killall -1 gpg-agent) each time, and was
prompted with a pinentry prompt each time.

> > Personally, I use a plugin (https://github.com/jamessan/vim-gnupg) and
> > I have never had problems.  Then in my ~/.vimrc, I just had to set:
> >     let GPGUsePipes=1
> >     let GPGDefaultRecipients=['[hidden email]']
>
> Wow! Quite some code for decrypting a file!
> I'll give it a shot after i learn how to use that beast.

Hm... now that I think about it I think the pinentry prompt has been
broken in my vim with that plugin for some time (due to improper
handling of stderr from the looks of it).  It just hasn't bothered me
because I almost never use vim until after I have entered the gpg
password for something else.

So it might be worth a shot but I can't make any promises.

Ryan


Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

Werner Koch
In reply to this post by GnuPG - User mailing list
On Wed,  8 Nov 2017 12:28, [hidden email] said:

> Yes, I reset my gpg-agent (killall -1 gpg-agent) each time, and was
> prompted with a pinentry prompt each time.

[ Please use "pkill -HUP gpg-agent" and never ever killall - which has,
  aehm, funny effects on other Unices. ]

  gpgconf --reload gpg-agent

is the suggested way to reload the gpg-agent configuration and flush the
caches.

> Hm... now that I think about it I think the pinentry prompt has been
> broken in my vim with that plugin for some time (due to improper

Not sure what your problem is but nevertheless here this hint: When
calling gpg you should watch the status fd (commonly stderr,
"--status-fd 2") for a line

  [GNUPG:] PINENTRY_LAUNCHED

and set a flag to redraw your screen after gpg returned.  The other
approach would be to write a vim-internal pinentry in the same way the
pinentry-emacs pinentry works.


Salam-Shalom,

   Werner


--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
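One way to apply that hint from a shell wrapper, as an added example that is not part of Werner's post or of GnuPG: gpg's status lines go to their own descriptor so they never mix with the decrypted data on stdout, and the wrapper checks them for PINENTRY_LAUNCHED after gpg returns. The function names, the flag-file convention for signalling the redraw, and the sample status lines are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG. Decrypts stdin to
# stdout like the vim macro's 'gpg -qd', but routes gpg's status lines to a
# separate descriptor (fd 3) instead of throwing stderr away, then checks
# them for PINENTRY_LAUNCHED so the caller knows a redraw is needed.

# Return 0 if the status file has a line "[GNUPG:] <keyword>[ args...]".
# Status-fd lines always start with the literal "[GNUPG:] " prefix.
status_has_keyword() {
    grep -qE "^\[GNUPG:\] $1( |\$)" "$2"
}

# Print the pid reported on the PINENTRY_LAUNCHED line (first field after
# the keyword); prints nothing when no pinentry was launched.
pinentry_pid() {
    sed -n 's/^\[GNUPG:\] PINENTRY_LAUNCHED \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Usage: gpg_filter_decrypt [flagfile] < file.gpg > file
# Exit status is gpg's own. If a flag file is given it exists afterwards
# exactly when a pinentry took over the terminal, so a vim autocommand can
# test filereadable() on it and run :redraw! (flag-file convention assumed
# here, not a gpg feature).
gpg_filter_decrypt() {
    flag=${1:-}
    status=$(mktemp) || return 1
    gpg --quiet --status-fd 3 --decrypt 3>"$status"
    rc=$?
    if [ -n "$flag" ]; then
        rm -f "$flag"
        if status_has_keyword PINENTRY_LAUNCHED "$status"; then
            : > "$flag"
        fi
    fi
    rm -f "$status"
    return $rc
}
```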


Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

Werner Koch
In reply to this post by GnuPG - User mailing list
On Tue,  7 Nov 2017 14:45, [hidden email] said:

> Could you elaborate on the 'why' part of this enforced pinentry usage
> with GnuPG? It wasn't mandatory in 1.x, now it's forced on us.

It is definitely not new.  GnuPG 1.9 was released 14 years ago (it was
renamed to 2.0 11 years ago).  It has been used at quite some places
right away from that time on.  The new thing with 2.0 was the
modularized system: The private keys were only managed and accessible by
gpg-agent and gpgsm (gpg for S/MIME) used it this way.

Unfortunately it took until the summer of 2010 before I was able to port
gpg to use the same system as gpgsm and let gpg-agent handle the private
keys.  (Before that gpg used gpg-agent only for passphrase caching.)

Not having to care about private keys in gpg allowed us to remove a lot
of semi-duplicated code from gpg.  This instantly fixed the long
standing import/merging of secret key bugs.

From an architectural point of view gpg-agent can be viewed as a token
which can be accessed only via a well defined API.  gpg does not take
precautions against leaking secret keys.  The actual code to do secret
key operations (decrypt, signing) is done only at one place so that gpg
and gpgsm, and other possible crypto protocols share the same code.

Smartcard access is unified - gpg, gpgsm, and ssh can use the same
smartcard.

gpg-agent can be theoretically be run under a different account.
gpg-agent can actually be run on a remote machine, so that you don't
need to have a secret key on a server but delegate that work to a
desktop box or even a box which is used as a HSM.

The drawback is that applications don't need to handle passphrases
anymore.  However, I would call that a huge benefit because applications
are relieved from handling the sensitive passphrase and can let another
process (pinentry) do that on demand from gpg-agent.  On X this works
very well, with curses it is more complicated and needs some adjustments
(or hitting Ctrl-L).  On Windows it was easy as well but later got
complicated due to new Windows security measurements so that there is a
small chance that the pinentry won't pop up but blink only in the
taskbar.

While preparing for the 2.1 release, we decided to add a loopback mode
to gpg-agent/gpg/gpgsm so that instead of writing one's own loopback
pinentry it is in most cases possible to keep on using existing code
which expects to handle the passphrase.  Adding --pinentry-mode=loopback
to the gpg invocation does this.


Shalom-Salam,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

GnuPG - User mailing list
In reply to this post by GnuPG - User mailing list
Quoting Ryan Beethe ([hidden email]):

> I also was frustrated with how GPG pinentry worked by default.
> What I did was write a custom pinentry wrapper, which I call rpinentry.
> It just dispaches either the curses-based pinentry or a gui pinentry
> based on the environment variable PINENTRY_USER_DATA which is read by
> gpg and passed to the pinentry program

I remembered I never followed up on this thread anymore.
Mostly because I had to make sure the setup now works as intended.
And it does.

Ryan, thank you so much for the pinentry wrapper idea / env-vars trick.

I still think it's a stupendous amount of effort to make this work but
at least it does. From vim, from mutt, from Ansible, on my urxvt
terminals, through ssh, anything that needs my GPG key(s) can now
prompt me for passwords.

Thanks a bundle.

For the mailinglist archives, see the previous post(s) by Ryan in this
thread for a working solution to this problem!

Regards,
-Sndr.
--
| aibohphobia - fear of palindromes.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2
