Yubico Forum https://forum.yubico.com/
Using GPG SSH authentication from TTY https://forum.yubico.com/viewtopic.php?f=26&t=1889
Author: mfaine [ Sun May 24, 2015 6:12 am ]
Post subject: Using GPG SSH authentication from TTY
This may be more of an Ubuntu/GPG question than a YubiKey question, but while on the desktop, connecting via SSH to my NAS prompts me for my PIN and everything works just fine, but when I switch to a TTY and try connecting, I'm only presented with password as an option. Can anyone confirm that it's just my setup, and/or provide solutions or suggestions for diagnosing the cause?
Author: zviratko [ Tue May 26, 2015 8:47 pm ]
Post subject: Re: Using GPG SSH authentication from TTY
If I understand it correctly, you switch to a physical console instead of using a terminal in X? Typically, if ssh-agent needs your input, it starts an app that asks for the PIN, and this app shows up on $DISPLAY. The $DISPLAY it shows on is inherited from the ssh-agent process when it is started. The same goes for gpg-agent. I am actually not sure if ssh-agent/gpg-agent has to be the one starting pinentry; ssh-add certainly works and asks for the passphrase inline, but I guess this is your problem - on a physical TTY there is no way to pop up a window to enter your PIN (it might actually be showing on the original $DISPLAY if it's running).

You could get around this by either adding the key with ssh-add (not sure how that plays with gpg-agent on Ubuntu), or using a PKCS#11 provider directly with ssh (ssh -I /path/to/lib.so) - again not sure how that works with GPG keys, there's probably no PKCS#11 provider for that? Or you can enter the PIN while running X, and if caching is enabled it will work for some time afterwards without asking.

Another possibility (and a strong one) is that you don't actually have ssh-agent available in the TTY - the X session sets up the environment including SSH_AGENT_SOCK for you; in a TTY you need to use something like "keychain" or a different mechanism (everybody has his own script I guess) to set that up. You can verify that ssh-agent is available by running "echo $SSH_AUTH_SOCK" in the TTY; if it is set, then try talking to ssh-agent with "ssh-add -L". Try adding an encrypted private key (generate one) and see how it asks for the PIN...

I haven't used Ubuntu on the desktop for quite some time, but I think they used gnome-keyring as an ssh-agent - does it handle gpg too nowadays? I don't know...
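
The checks suggested in the reply above, combined into one script to run in the TTY where ssh only offers a password; this is an added example, not part of the original thread. The `SSH_ADD` override, the state names and the hints are assumptions made here, and the `GPG_TTY` step assumes gpg-agent is the process answering on `SSH_AUTH_SOCK`.

```shell
#!/bin/sh
# Added example: run in the TTY where ssh only offers a password.
# SSH_ADD is a hypothetical override so the check can be exercised with a stub.
SSH_ADD=${SSH_ADD:-ssh-add}

# Prints one word describing what this shell can reach:
#   no-socket    SSH_AUTH_SOCK is unset, so ssh has no agent to ask
#   unreachable  the variable is set but no agent answers on it
#   empty        an agent answers but lists no keys
#   no-tty       keys are listed, but neither DISPLAY nor GPG_TTY is set
#   ok           keys are listed and a PIN prompt has somewhere to appear
agent_state() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo no-socket
        return 0
    fi
    rc=0
    "$SSH_ADD" -L >/dev/null 2>&1 || rc=$?
    case $rc in
        0) ;;                              # at least one key listed
        1) echo empty; return 0 ;;         # agent reachable, no identities
        *) echo unreachable; return 0 ;;   # 2 = no agent, 127 = no ssh-add
    esac
    if [ -z "${DISPLAY:-}" ] && [ -z "${GPG_TTY:-}" ]; then
        echo no-tty
    else
        echo ok
    fi
}

# Map a state to the next thing to try (hints are this example's wording).
agent_hint() {
    case $1 in
        no-socket)   echo 'export SSH_AUTH_SOCK in this login, e.g. via keychain' ;;
        unreachable) echo 'agent not running or socket path is stale' ;;
        empty)       echo 'agent has no keys; check that the token is inserted' ;;
        no-tty)      echo 'export GPG_TTY=$(tty); gpg-connect-agent updatestartuptty /bye' ;;
        ok)          echo 'agent usable; run ssh -v to see which keys are offered' ;;
    esac
}

state=$(agent_state)
echo "$state: $(agent_hint "$state")"
```

The state is read from the exit status of `ssh-add -L` (0 keys listed, 1 no identities, 2 agent not contactable), so the script never needs to print key material.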
All times are UTC + 1 hour