gpg-agent and X


gpg-agent and X

Klaus Ethgen
Hi,

I have a setup depending strongly on gpg-agent. For this, I preseed
some passphrases via pam_gnupg.

While this setup works well on my Devuan machine, I have some troubles on
the Gentoo one that I can't get solved.

When the agent is started when I log in via xdm (wdm), the agent never
uses X for displaying the pinentry, even when `updatestartuptty` is
issued afterwards. As I do not always use gpg-card from the console, I
need it to display an X pinentry (currently the qt one; gtk was
preferred with gtk2, but the gtk3 one is horrible.)

I mitigated that for now by killing the agent in xinit, so the pam
module is only in charge when unlocking the screen. However, I want to
get it working even with the login session.

Does anyone have an idea why it is not working correctly and why the
agent is refusing to accept the DISPLAY setting when started via pam?

Regards
   Klaus
--
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <[hidden email]>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: gpg-agent and X

GnuPG - User mailing list
On Fri,  5 Mar 2021 10:16, Klaus Ethgen said:

> While this setup work well on my Devuan machine, I have some troubles on
> the Gentoo one, that I don't get solved.

I am also using Devuan without problems.  Did you use

  touch /var/lib/elogind/USERNAME

to avoid elogind stealing the socket directory?

> Anyone an idea, why it is not working correctly and why the agent is
> refusing to accept the DISPLAY setting when started via pam?

I have no idea.  I don't know whether this is of any help, but you can

  gpg-connect-agent 'getinfo std_session_env' /bye

to show the environment of a new session.  If you run that in the
context of PAM it might give a hint.  Or use debug-pinentry in
gpg-agent.conf which should also show the envars.


Shalom-Salam,

   Werner

--
Thoughts are free.  Exceptions are regulated by a federal law.


Re: gpg-agent and X

Klaus Ethgen
Hi Werner,

On Fri, 5 Mar 2021 at 15:59, Werner Koch wrote:
> On Fri,  5 Mar 2021 10:16, Klaus Ethgen said:
>
> > While this setup work well on my Devuan machine, I have some troubles on
> > the Gentoo one, that I don't get solved.
>
> I am also using Devuan without problems.  Did you used

Devuan isn't the problem, it is Gentoo...

>   touch /var/lib/elogind/USERNAME
>
> to avoid elogin stealing the socket directory?

I do not use elogind or any other logind. I do not like that concept and
limit the amount of bloated pötterware on my system(s) to the absolute
minimum.

However, if it helps, there is a bug in Gentoo ([0]) that prevents
the session from registering. But I have the mentioned workaround in place.

Regards
   Klaus

[0] https://bugs.gentoo.org/show_bug.cgi?id=716596
--
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <[hidden email]>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C


Re: gpg-agent and X

GnuPG - User mailing list
In reply to this post by Klaus Ethgen
On Fri, Mar 05, 2021 at 10:16:41AM +0100, Klaus Ethgen wrote:

> I have a my setup depending strongly on gpg-agent. For this, I preseed
> some passphrases via pam_gnupg.
>
> While this setup work well on my Devuan machine, I have some troubles on
> the Gentoo one, that I don't get solved.
>
> When the agent is started when I login via xdm (wdm), the agent does
> never use X for displaying the pinentry. Even when `updatestartuptty` is
> issued afterwards. As I use gpg-card even not everytime from the
> console, I need that to display a X pinentry (currently the qt one, gtk
> was preferred with gtk2 but the gtk3 one is horrible.)
The only thing I can think of to check is:  have you selected
pinentry-qt5 using 'eselect'?

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu


Re: gpg-agent and X

Klaus Ethgen
Hi,

On Fri, 5 Mar 2021 at 17:05, Mark H. Wood via Gnupg-users wrote:
> The only thing I can think of to check is:  have you selected
> pinentry-qt5 using 'eselect'?

Sure. That is all fine.
   ~> eselect pinentry list        
   Available pinentry binary implementations:
     [1]   pinentry-gnome3
     [2]   pinentry-qt5 *
     [3]   pinentry-curses

As suggested by Werner Koch, I enabled debug-pinentry; here are the results:
   2021-03-05 20:03:24 gpg-agent[27031] gpg-agent (GnuPG) 2.2.25 started
   2021-03-05 20:03:48 gpg-agent[27031] SIGHUP received - re-reading configuration and flushing cache
   2021-03-05 20:03:53 gpg-agent[27031] can't connect to the PIN entry module '/usr/bin/pinentry': End of file
   2021-03-05 20:03:53 gpg-agent[27031] failed to unprotect the secret key: No pinentry
   2021-03-05 20:03:53 gpg-agent[27031] failed to read the secret key
   2021-03-05 20:03:53 gpg-agent[27031] command 'PKDECRYPT' failed: No pinentry
   2021-03-05 20:03:53 gpg-agent[27031] no device present
   2021-03-05 20:03:53 gpg-agent[27031] can't connect to the PIN entry module '/usr/bin/pinentry': End of file
   2021-03-05 20:03:53 gpg-agent[27031] smartcard decryption failed: No pinentry
   2021-03-05 20:03:53 gpg-agent[27031] command 'PKDECRYPT' failed: No pinentry

The strange thing is that /usr/bin/pinentry is absolutely correct:
   ~> ls -l /usr/bin/pinentry
   lrwxrwxrwx 1 root root 12 29. Jan 20:37 /usr/bin/pinentry -> pinentry-qt5
   ~> ls -lL /usr/bin/pinentry
   -rwxr-xr-x 1 root root 129504 26. Jan 18:25 /usr/bin/pinentry

The environment looks good:
   ~> gpg-connect-agent 'getinfo std_session_env' /bye
   D GPG_TTY=/dev/pts/2
   D TERM=xterm-256color
   D DISPLAY=localhost:10.0
   OK

And when logged from .xsession:
   D DISPLAY=:0
   OK

USE flags:
   ~> equery u pinentry
   [ Legend : U - final flag setting for installation]
   [        : I - package is installed with flag     ]
   [ Colors : set, unset                             ]
    * Found these USE flags for app-crypt/pinentry-1.1.0-r4:
    U I
    + + caps          : Use Linux capabilities library to control privilege
    - - emacs         : Add support for GNU Emacs
    - - gnome-keyring : Enable support for storing passwords via gnome-keyring
    + + gtk           : Add support for x11-libs/gtk+ (The GIMP Toolkit)
    + + ncurses       : Add ncurses support (console display library)
    + + qt5           : Add support for the Qt 5 application and UI framework

   ~> equery u app-crypt/gnupg
   [ Legend : U - final flag setting for installation]
   [        : I - package is installed with flag     ]
   [ Colors : set, unset                             ]
    * Found these USE flags for app-crypt/gnupg-2.2.25:
    U I
    + + bzip2             : Use the bzlib compression library
    - - doc               : Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead
                            of globally
    - - ldap              : Add LDAP support (Lightweight Directory Access Protocol)
    + + nls               : Add Native Language Support (using gettext - GNU locale utilities)
    + + readline          : Enable support for libreadline, a GNU line-editing library that almost everyone wants
    - - scd-shared-access : Allow concurrent access to scdaemon by multiple apps from same user. Useful if you want to
                            use scdaemon with gnupg and for example NitroKey.
    + + smartcard         : Build scdaemon software. Enables usage of OpenPGP cards. For other type of smartcards, try
                            app-crypt/gnupg-pkcs11-scd. Bring in dev-libs/libusb as a dependency; enable scdaemon.
    + + ssl               : Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security)
    + + tofu              : Enable support for Trust on First use trust model; requires dev-db/sqlite.
    + + tools             : Install extra tools (including gpgsplit and gpg-zip).
    + + usb               : Build direct CCID access for scdaemon; requires dev-libs/libusb.
    - - user-socket       : try a socket directory which is not removed by init manager at session end

So, the conclusion is:
- Environment seems to be fine
- pinentry is correct (and working, as it works when I kill and restart
  the gpg-agent in xsession)
- The error logged is strange to me; I have no idea what went wrong

Regards
   Klaus
--
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <[hidden email]>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
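A small check, added here and not taken from the thread, that mechanises the comparison Klaus does by hand above: it parses the `getinfo std_session_env` output into a dict and reports which of DISPLAY, GPG_TTY and TERM differ between the agent's stored session and the calling shell. The sample output is constructed to mirror the thread's, and the function names and the assumption that gpg-connect-agent is on PATH are mine.

```python
import os
import subprocess

# Constructed sample, mirroring the 'getinfo std_session_env' output shown in
# the thread (not captured from a live agent).
SAMPLE_AGENT_OUTPUT = (
    "D GPG_TTY=/dev/pts/2\n"
    "D TERM=xterm-256color\n"
    "D DISPLAY=localhost:10.0\n"
    "OK\n"
)

SESSION_VARS = ("DISPLAY", "GPG_TTY", "TERM")


def parse_session_env(assuan_output):
    """Turn the 'D KEY=VALUE' data lines gpg-connect-agent prints for
    'getinfo std_session_env' into a dict; OK/ERR status lines are skipped."""
    env = {}
    for line in assuan_output.splitlines():
        if line.startswith("D ") and "=" in line:
            key, _, value = line[2:].partition("=")
            env[key] = value
    return env


def session_env_mismatches(agent_env, local_env):
    """Names among SESSION_VARS whose value in the agent's stored session
    differs from the calling shell.  An agent started from PAM typically has
    no DISPLAY at all, which is what makes pinentry fall back to the tty
    (or fail with 'No pinentry' when there is none)."""
    return sorted(n for n in SESSION_VARS
                  if agent_env.get(n) != local_env.get(n))


def query_agent():
    """Ask the running agent for its session env (assumes gpg-connect-agent
    is on PATH); this is the only part that talks to a live agent."""
    proc = subprocess.run(
        ["gpg-connect-agent", "getinfo std_session_env", "/bye"],
        capture_output=True, text=True, check=True)
    return parse_session_env(proc.stdout)


if __name__ == "__main__":
    local = {n: os.environ.get(n) for n in SESSION_VARS}
    diff = session_env_mismatches(query_agent(), local)
    if diff:
        print("agent session differs from this shell for:", ", ".join(diff))
        print("fix: export GPG_TTY=$(tty); gpg-connect-agent updatestartuptty /bye")
    else:
        print("agent session env matches this shell")
```

Run it from the X terminal where pinentry should appear; a reported DISPLAY mismatch means the agent is still carrying the environment it was given at PAM time.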


Re: gpg-agent and X

Klaus Ethgen
In reply to this post by GnuPG - User mailing list
Some further debugging of the capabilities:

pinentry(-qt) has no file capabilities, the process of gpg-agent has the
following:
   ~> getpcaps 27031
   27031: cap_dac_override,cap_net_admin,cap_net_raw,cap_sys_rawio,cap_sys_admin=i

And in strace I find the following:
   28441 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_IPC_LOCK, permitted=1<<CAP_IPC_LOCK, inheritable=0}) = -1 EPERM (Die Operation ist nicht erlaubt)
   28441 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=1<<CAP_IPC_LOCK, inheritable=0}) = -1 EPERM (Die Operation ist nicht erlaubt)
   28443 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_IPC_LOCK, permitted=1<<CAP_IPC_LOCK, inheritable=0}) = -1 EPERM (Die Operation ist nicht erlaubt)
   28443 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=1<<CAP_IPC_LOCK, inheritable=0}) = -1 EPERM (Die Operation ist nicht erlaubt)

I get the same errors when I set the capabilities to cap_ipc_lock=ep.

So it seems to be something with capabilities... And looking at the
binary of Devuan, it is not linked against libcap!

I will recompile pinentry without the caps USE flag. But I am curious why it
has troubles with libcap.

Regards
   Klaus
--
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <[hidden email]>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C


Re: gpg-agent and X

Klaus Ethgen
That was a dead end.

Even without libcap linkage, the pinentry does not work.

Also the process capabilities of a manually started gpg-agent are the
same.

Regards
   Klaus
--
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <[hidden email]>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C


Re: gpg-agent and X

Klaus Ethgen
In reply to this post by Klaus Ethgen
I created a bug ([0]) for Gentoo.

Regards
   Klaus

[0] https://bugs.gentoo.org/show_bug.cgi?id=774468
--
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <[hidden email]>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C


Re: gpg-agent and X

GnuPG - User mailing list
In reply to this post by Klaus Ethgen
Hi!

I am not sure whether you already did this: Use a script like

--8<---------------cut here---------------start------------->8---
#!/bin/sh
# Wrapper to install in place of the real pinentry: it records the locale
# and the full environment that gpg-agent hands to pinentry, then runs the
# real pinentry under strace with its debug output (-d) enabled, so the
# Assuan dialogue read from stdin (-e read=0) and any failure to open the
# display end up in /tmp.
MYPINENTRY="/foo/bar/pinentry-gtk-2"

locale >/tmp/pinentry.err
set >>/tmp/pinentry.err
exec strace -o /tmp/pinentry.trc -e read=0 "$MYPINENTRY" -d "$@" 2>>/tmp/pinentry.err
--8<---------------cut here---------------end--------------->8---

as a pinentry replacement to get better insight into the problem.


Shalom-Salam,

   Werner

--
Thoughts are free.  Exceptions are regulated by a federal law.


Re: gpg-agent and X

Klaus Ethgen
In reply to this post by Klaus Ethgen
On Sat, 6 Mar 2021 at 16:32, Klaus Ethgen wrote:
> [0] https://bugs.gentoo.org/show_bug.cgi?id=774468

Sadly, Gentoo closed that bug as invalid, as they do not have pam_gnupg
in their software stack and so they say that it is a use case that is
not supported by them.

It is a bit short-sighted. Their pinentry has a bug that is triggered
this way and they don't care.

Regards
   Klaus
--
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <[hidden email]>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
