Hi,
I have my setup depending strongly on gpg-agent. For this, I preseed some passphrases via pam_gnupg.

While this setup works well on my Devuan machine, I have some troubles on the Gentoo one that I don't get solved.

When the agent is started when I log in via xdm (wdm), the agent never uses X for displaying the pinentry, even when `updatestartuptty` is issued afterwards. As I do not always use gpg-card from the console, I need it to display an X pinentry (currently the qt one; gtk was preferred with gtk2, but the gtk3 one is horrible).

I mitigated that for now by killing the agent in xinit, so the pam module is only in charge when unlocking the screen. However, I want to get it working even with the login session.

Anyone have an idea why it is not working correctly and why the agent is refusing to accept the DISPLAY setting when started via pam?

Regards
Klaus

-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <[hidden email]>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
On Fri, 5 Mar 2021 10:16, Klaus Ethgen said:
> While this setup works well on my Devuan machine, I have some troubles on
> the Gentoo one that I don't get solved.

I am also using Devuan without problems. Did you use

  touch /var/lib/elogind/USERNAME

to avoid elogind stealing the socket directory?

> Anyone have an idea why it is not working correctly and why the agent is
> refusing to accept the DISPLAY setting when started via pam?

I have no idea. I don't know whether this is of any help, but you can

  gpg-connect-agent 'getinfo std_session_env' /bye

to show the environment of a new session. If you run that in the context of PAM it might give a hint. Or use debug-pinentry in gpg-agent.conf, which should also show the envars.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
Hi Werner,
On Fri 5 Mar 2021 at 15:59, Werner Koch wrote:
> On Fri, 5 Mar 2021 10:16, Klaus Ethgen said:
>
> > While this setup works well on my Devuan machine, I have some troubles on
> > the Gentoo one that I don't get solved.
>
> I am also using Devuan without problems. Did you use

Devuan isn't the problem, it is Gentoo...

>   touch /var/lib/elogind/USERNAME
>
> to avoid elogind stealing the socket directory?

I do not use elogind or any other logind. I do not like that concept and limit the amount of bloated pötterware on my system(s) to the absolute minimum.

However, if it helps, there is a bug in Gentoo ([0]) that is preventing the session from registering. But I have the mentioned workaround in place.

Regards
Klaus

[0] https://bugs.gentoo.org/show_bug.cgi?id=716596
In reply to this post by Klaus Ethgen
On Fri, Mar 05, 2021 at 10:16:41AM +0100, Klaus Ethgen wrote:
> I have my setup depending strongly on gpg-agent. For this, I preseed
> some passphrases via pam_gnupg.
>
> While this setup works well on my Devuan machine, I have some troubles on
> the Gentoo one that I don't get solved.
>
> When the agent is started when I log in via xdm (wdm), the agent
> never uses X for displaying the pinentry, even when `updatestartuptty` is
> issued afterwards. As I do not always use gpg-card from the
> console, I need it to display an X pinentry (currently the qt one; gtk
> was preferred with gtk2, but the gtk3 one is horrible).

The only thing I can think of to check is: have you selected pinentry-qt5 using 'eselect'?

-- 
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
Hi,
On Fri 5 Mar 2021 at 17:05, Mark H. Wood via Gnupg-users wrote:
> The only thing I can think of to check is: have you selected
> pinentry-qt5 using 'eselect'?

Sure. That is all fine.

~> eselect pinentry list
Available pinentry binary implementations:
  [1]   pinentry-gnome3
  [2]   pinentry-qt5 *
  [3]   pinentry-curses

Following Werner Koch's advice, I enabled debug-pinentry; here are the results:

2021-03-05 20:03:24 gpg-agent[27031] gpg-agent (GnuPG) 2.2.25 started
2021-03-05 20:03:48 gpg-agent[27031] SIGHUP received - re-reading configuration and flushing cache
2021-03-05 20:03:53 gpg-agent[27031] can't connect to the PIN entry module '/usr/bin/pinentry': End of file
2021-03-05 20:03:53 gpg-agent[27031] failed to unprotect the secret key: No pinentry
2021-03-05 20:03:53 gpg-agent[27031] failed to read the secret key
2021-03-05 20:03:53 gpg-agent[27031] command 'PKDECRYPT' failed: No pinentry
2021-03-05 20:03:53 gpg-agent[27031] no device present
2021-03-05 20:03:53 gpg-agent[27031] can't connect to the PIN entry module '/usr/bin/pinentry': End of file
2021-03-05 20:03:53 gpg-agent[27031] smartcard decryption failed: No pinentry
2021-03-05 20:03:53 gpg-agent[27031] command 'PKDECRYPT' failed: No pinentry

The strange thing is that /usr/bin/pinentry is absolutely correct:

~> ls -l /usr/bin/pinentry
lrwxrwxrwx 1 root root 12 29. Jan 20:37 /usr/bin/pinentry -> pinentry-qt5
~> ls -lL /usr/bin/pinentry
-rwxr-xr-x 1 root root 129504 26. Jan 18:25 /usr/bin/pinentry

The environment looks good:

~> gpg-connect-agent 'getinfo std_session_env' /bye
D GPG_TTY=/dev/pts/2
D TERM=xterm-256color
D DISPLAY=localhost:10.0
OK

And when logged from .xsession:

D DISPLAY=:0
OK

USE flags:

~> equery u pinentry
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for app-crypt/pinentry-1.1.0-r4:
 U I
 + + caps          : Use Linux capabilities library to control privilege
 - - emacs         : Add support for GNU Emacs
 - - gnome-keyring : Enable support for storing passwords via gnome-keyring
 + + gtk           : Add support for x11-libs/gtk+ (The GIMP Toolkit)
 + + ncurses       : Add ncurses support (console display library)
 + + qt5           : Add support for the Qt 5 application and UI framework

~> equery u app-crypt/gnupg
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for app-crypt/gnupg-2.2.25:
 U I
 + + bzip2             : Use the bzlib compression library
 - - doc               : Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
 - - ldap              : Add LDAP support (Lightweight Directory Access Protocol)
 + + nls               : Add Native Language Support (using gettext - GNU locale utilities)
 + + readline          : Enable support for libreadline, a GNU line-editing library that almost everyone wants
 - - scd-shared-access : Allow concurrent access to scdaemon by multiple apps from same user. Useful if you want to use scdaemon with gnupg and for example NitroKey.
 + + smartcard         : Build scdaemon software. Enables usage of OpenPGP cards. For other type of smartcards, try app-crypt/gnupg-pkcs11-scd. Bring in dev-libs/libusb as a dependency; enable scdaemon.
 + + ssl               : Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security)
 + + tofu              : Enable support for Trust on First use trust model; requires dev-db/sqlite.
 + + tools             : Install extra tools (including gpgsplit and gpg-zip).
 + + usb               : Build direct CCID access for scdaemon; requires dev-libs/libusb.
 - - user-socket       : try a socket directory which is not removed by init manager at session end

So, the conclusion is:
- Environment seems to be fine
- pinentry is correct (and working, as it works when I kill and restart the gpg-agent in xsession)
- The error logged is strange to me; I have no idea what went wrong

Regards
Klaus
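Werner's suggestion earlier in the thread (query the agent with `gpg-connect-agent 'getinfo std_session_env' /bye`) and the reply format Klaus posted above can be turned into a small check that tells you what kind of pinentry the agent could actually drive with the environment it holds. The script below is an added example written for this page; it is not code from the thread, from GnuPG or from Gentoo. It assumes the reply format shown above (one `D NAME=VALUE` data line per variable, then `OK`), and it embeds the thread's own reply as a constructed sample so the functions run without an agent.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect the environment gpg-agent
# hands to pinentry, using the 'getinfo std_session_env' reply format shown
# in the thread ("D NAME=VALUE" data lines followed by "OK").

# Reply posted in the thread, reproduced here as a constructed sample so the
# functions below can be exercised without a running agent.
SAMPLE_REPLY='D GPG_TTY=/dev/pts/2
D TERM=xterm-256color
D DISPLAY=localhost:10.0
OK'

# session_env_value NAME: read an Assuan reply on stdin and print the value
# of NAME taken from its "D " data lines. Returns 1 when NAME is absent.
# Assuan percent-escapes '%', CR and LF inside data lines; this helper does
# not unescape them, which is fine for the variables checked here.
session_env_value() {
    name=$1
    found=1
    while IFS= read -r line; do
        case $line in
            "D $name="*)
                printf '%s\n' "${line#*=}"
                found=0
                ;;
        esac
    done
    return $found
}

# classify_session_env: read a reply on stdin and print which kind of
# pinentry the agent could drive with that environment:
#   x11  - DISPLAY is set, a graphical pinentry (qt5, gtk, gnome3) can be used
#   tty  - only GPG_TTY is set, only a curses/tty pinentry can work
#   none - neither is set, the agent has nowhere to put a prompt
classify_session_env() {
    reply=$(cat)
    if printf '%s\n' "$reply" | session_env_value DISPLAY >/dev/null; then
        echo x11
    elif printf '%s\n' "$reply" | session_env_value GPG_TTY >/dev/null; then
        echo tty
    else
        echo none
    fi
}

# pinentry_executable PATH: succeed when PATH, with symlinks followed (as for
# the /usr/bin/pinentry -> pinentry-qt5 link in the thread), is an executable
# regular file. This is the first thing to rule out on "can't connect to the
# PIN entry module ... End of file".
pinentry_executable() {
    [ -f "$1" ] && [ -x "$1" ]
}

# With --live, query the running agent (its socket must be reachable from the
# session you run this in); otherwise demonstrate on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    gpg-connect-agent 'getinfo std_session_env' /bye | classify_session_env
    pinentry_executable /usr/bin/pinentry || echo "/usr/bin/pinentry is not an executable file"
else
    printf '%s\n' "$SAMPLE_REPLY" | classify_session_env
fi
```

Run with `--live` from the same session whose agent you are debugging (for the PAM case, from a shell started by the xdm login, not from a separate console), otherwise you will be asking a different agent or a different socket directory than the one pam_gnupg seeded. In Klaus's case both checks pass, which is consistent with his conclusion that the environment and the pinentry binary are fine and the failure is inside pinentry itself.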
In reply to this post by GnuPG - User mailing list
Some further debugging of the capabilities:

pinentry(-qt) has no file capabilities; the process of gpg-agent has the following:

~> getpcaps 27031
27031: cap_dac_override,cap_net_admin,cap_net_raw,cap_sys_rawio,cap_sys_admin=i

And in strace I find the following:

28441 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_IPC_LOCK, permitted=1<<CAP_IPC_LOCK, inheritable=0}) = -1 EPERM (Die Operation ist nicht erlaubt)
28441 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=1<<CAP_IPC_LOCK, inheritable=0}) = -1 EPERM (Die Operation ist nicht erlaubt)
28443 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_IPC_LOCK, permitted=1<<CAP_IPC_LOCK, inheritable=0}) = -1 EPERM (Die Operation ist nicht erlaubt)
28443 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=1<<CAP_IPC_LOCK, inheritable=0}) = -1 EPERM (Die Operation ist nicht erlaubt)

I get the same errors when I set the capabilities to cap_ipc_lock=ep. So it seems to be something with capabilities...

And looking at the binary of Devuan, it is not linked against libcap! I will recompile pinentry without the caps USE flag. But I am curious why it has troubles with libcap.

Regards
Klaus
That was a dead end.
Even without libcap linkage, the pinentry does not work. Also, the process capabilities of a manually started gpg-agent are the same.

Regards
Klaus
In reply to this post by Klaus Ethgen
I created a bug ([0]) for gentoo.
Regards
Klaus

[0] https://bugs.gentoo.org/show_bug.cgi?id=774468
In reply to this post by Klaus Ethgen
Hi!
I am not sure whether you already did this: use a script like

--8<---------------cut here---------------start------------->8---
#!/bin/sh

MYPINENTRY="/foo/bar/pinentry-gtk-2"

locale >/tmp/pinentry.err
set >>/tmp/pinentry.err
exec strace -o /tmp/pinentry.trc -e read=0 "$MYPINENTRY" -d "$@" 2>>/tmp/pinentry.err
--8<---------------cut here---------------end--------------->8---

as pinentry replacement to get a better insight into the problem.

Shalom-Salam,

   Werner
In reply to this post by Klaus Ethgen
On Sat 6 Mar 2021 at 16:32, Klaus Ethgen wrote:
> [0] https://bugs.gentoo.org/show_bug.cgi?id=774468

Sadly, Gentoo closed that bug as invalid, as they do not have pam_gnupg in their software stack, and so they say that it is a use case that is not supported by them.

It is a bit short-sighted. Their pinentry has a bug that is triggered this way, and they don't care.

Regards
Klaus