Bug#851440: sign_and_send_pubkey: signing failed: agent refused operation


Dominik George

Jan 14, 2017, 6:30:02 PM
Package: gnupg-agent
Version: 2.1.17-4
Severity: important

Suddenly, using gpg-agent as ssh-agent with authentication subkeys
stopped working:

sign_and_send_pubkey: signing failed: agent refused operation

I can, however, still see my authentication subkeys in ssh-add -l:

% ssh-add -l
4096 SHA256:VCiRCk+EswSfauAe4hYWweglX6WqsIrtU08PGr7LL38 (none) (RSA)
256 SHA256:SqObMOMaC5eckW3g9nvbOnQljUjjq8Hez5U0TcQqIwM (none) (ED25519)

-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/lksh
Init: systemd (via /run/systemd/system)

Versions of packages gnupg-agent depends on:
ii libassuan0 2.4.3-2
ii libc6 2.24-8
ii libgcrypt20 1.7.5-3
ii libgpg-error0 1.26-1
ii libnpth0 1.3-1
ii libreadline7 7.0-1
ii pinentry-qt [pinentry] 1.0.0-1

Versions of packages gnupg-agent recommends:
ii gnupg 2.1.17-4
ii gpgsm 2.1.17-4

Versions of packages gnupg-agent suggests:
ii scdaemon 2.1.17-4

-- no debconf information

Dominik George

Jan 15, 2017, 11:40:02 AM
> Suddenly, using gpg-agent as ssh-agent with authentication subkeys
> stopped working:
>
> sign_and_send_pubkey: signing failed: agent refused operation
>
> I can, however, still see my authentication subkeys in ssh-add -l:
>
> % ssh-add -l
> 4096 SHA256:VCiRCk+EswSfauAe4hYWweglX6WqsIrtU08PGr7LL38 (none) (RSA)
> 256 SHA256:SqObMOMaC5eckW3g9nvbOnQljUjjq8Hez5U0TcQqIwM (none) (ED25519)

I found out this only happens when using the systemd user service.
Disabling it and manually starting the agent works.

--
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Mobile: +49-1520-1981389 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer

LPIC-3 Linux Enterprise Professional (Security)

Daniel Kahn Gillmor

Jan 18, 2017, 4:10:03 AM
On Sun 2017-01-15 11:35:59 -0500, Dominik George wrote:
>> Suddenly, using gpg-agent as ssh-agent with authentication subkeys
>> stopped working:
>>
>> sign_and_send_pubkey: signing failed: agent refused operation
>>
>> I can, however, still see my authentication subkeys in ssh-add -l:
>>
>> % ssh-add -l
>> 4096 SHA256:VCiRCk+EswSfauAe4hYWweglX6WqsIrtU08PGr7LL38 (none) (RSA)
>> 256 SHA256:SqObMOMaC5eckW3g9nvbOnQljUjjq8Hez5U0TcQqIwM (none) (ED25519)
>
> I found out this only happens when using the systemd user service.
> Disabling it and manually starting the agent works.

Do you have the dbus-user-session package installed? What pinentry are
you using?

Can you try terminating your manually-launched agent, re-enabling and
restarting the systemd user service, and then telling gpg-agent to
update its "startuptty" ?

gpg-connect-agent killagent /bye
systemctl --user enable --now 'gpg-agent*.socket'
gpg-connect-agent updatestartuptty /bye

then try using gpg-agent for ssh-agent again. does it work?

if so, then the issue has to do with the interaction between pinentry
and the systemd user services, and the fact that the ssh-agent protocol
doesn't have a way for a client to provide any hints or feedback to the
ssh-agent daemon about how to contact the user.

This impedance mismatch between ssh-agent and gpg-agent makes it
difficult for gpg-agent to know how to prompt the user by default. But
if you're using pinentry-gnome3 and dbus-user-session then the agent
will just know automatically how to prompt the user, because the user
services will know to use the same dbus session that pinentry-gnome3
uses to provide feedback to the user.

hth,

--dkg

Dominik George

Jan 18, 2017, 5:40:02 AM
Hi,

> Do you have the dbus-user-session package installed?

No, I have dbus-x11.

> What pinentry are you using?

pinentry-qt.

> Can you try terminating your manually-launched agent, re-enabling and
> restarting the systemd user service, and then telling gpg-agent to
> update its "startuptty" ?
>
> gpg-connect-agent killagent /bye
> systemctl --user enable --now 'gpg-agent*.socket'

% systemctl --user enable --now 'gpg-agent*.socket'
Failed to enable unit: File gpg-agent\x2a.socket: No such file or directory

Had to do the three of them separately…

> gpg-connect-agent updatestartuptty /bye
>
> then try using gpg-agent for ssh-agent again. does it work?

Yes, that works.

-nik
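
The restart sequence from this exchange, as an added shell example that is not part of the thread: it expands the gpg-agent socket unit names with `systemctl --user list-unit-files` and enables each one separately, since the quoted glob passed to `enable` failed above. The function names and the `--apply` switch are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the gnupg packaging.

# Read `systemctl --user list-unit-files --no-legend` output on stdin and
# print only the gpg-agent socket unit names (first column).
socket_units_from_listing() {
    awk '$1 ~ /^gpg-agent.*\.socket$/ { print $1 }'
}

# Succeeds when $1 (the SSH_AUTH_SOCK value) is non-empty and equals $2
# (the ssh socket path gpg-agent reports), i.e. ssh really talks to gpg-agent.
ssh_uses_gpg_agent() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# The three steps from the thread, with the socket units enabled one by one.
restart_agent_under_systemd() {
    gpg-connect-agent killagent /bye
    units=$(systemctl --user list-unit-files --no-legend 'gpg-agent*.socket' \
        | socket_units_from_listing)
    for unit in $units; do
        systemctl --user enable --now "$unit"
    done
    # Run from the terminal or X session where pinentry should appear.
    gpg-connect-agent updatestartuptty /bye
}

# Nothing is changed unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
    agent_sock=$(gpgconf --list-dirs agent-ssh-socket)
    if ssh_uses_gpg_agent "${SSH_AUTH_SOCK:-}" "$agent_sock"; then
        restart_agent_under_systemd
    else
        echo "SSH_AUTH_SOCK is not gpg-agent's ssh socket ($agent_sock)" >&2
        exit 1
    fi
fi
```
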

Dominik George

Jan 19, 2017, 1:40:03 PM
> > Do you have the dbus-user-session package installed?
>
> No, I have dbus-x11.

Installing dbus-user-session actually fixes it.

I leave it up to you to decide whether this is a bug or using the ssh
feature is not a standard use of the package.

Maybe you should at least Recommend dbus-user-session.

Daniel Kahn Gillmor

Jan 23, 2017, 9:50:03 PM
Version: 2.1.17-6

On Thu 2017-01-19 13:36:20 -0500, Dominik George wrote:
>> > Do you have the dbus-user-session package installed?
>>
>> No, I have dbus-x11.
>
> Installing dbus-user-session actually fixes it.
>
> I leave it up to you to decide whether this is a bug or using the ssh
> feature is not a standard use of the package.
>
> Maybe you should at least Recommend dbus-user-session.

I've put dbus-user-session into the Suggests: for gnupg-agent, and
included some more extensive documentation in
/usr/share/doc/gnupg-agent/README.Debian as well. So i think we can
close https://bugs.debian.org/851440

Thanks for the feedback, Dominik!

--dkg