Using a GnuPG crypted RSA key for SSH

Werner Koch wk at gnupg.org
Thu May 2 19:29:50 CEST 2024


On Thu,  2 May 2024 16:58, Matěj Cepl said:

> rather dubious: systemd can certainly manage a dependence on
> shared resource, and concurrent running of two processes at

Right.  However, systemd does not use the same locking scheme as gnupg
uses to avoid duplicate daemon startup.  The gnupg internal startup of
required daemons has been there since before systemd was invented and it
needs to work on all platforms - not just on Linux.  Having different
schemes here is a major problem, but the former Debian maintainer (dkg)
promised to take care of all problems due to his patches which added that
systemd startup (--supervised) feature.

Given that history I consider it unlikely that Debian will ever provide
an enhanced ssh version which can be configured to start its ssh-agent
on connection failure.  Thus we need to keep on using the
updatestartuptty thing when using a curses pinentry or a remote X
session.

The updatestartuptty thing actually does two things: make sure that
gpg-agent is launched (most other commands will do this also) and, more
importantly, tell gpg-agent something about the current environment
(GPG_TTY, DISPLAY, etc).  I have a patch somewhere to extend the
ssh-agent protocol to convey envvars but more or less forgot about it.
It would be a useful thing for other ssh-agents too.

> I still haven’t investigated this piece of Werner’s advice:
>
>> Using no-autostart in the common.conf might be useful.  We use it always
>> when running a remote gpg.

That is easy: On a remote box you don't want to run gpg-agent because
this shall instead be handled by ssh socket forwarding.  Without such an
option, running gpg might start gpg-agent on the remote box and thus take
over the forwarded socket.  Instead of adding "no-autostart" to all
config files of gnupg, adding this to common.conf will be sufficient.


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20240502/ce10ddb0/attachment-0001.sig>
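The remote-side setup Werner describes (put "no-autostart" into common.conf so a gpg run on the remote box never launches its own gpg-agent and steals the socket forwarded over ssh), worked into a small POSIX sh helper.  This is an added example, not code from the mail or from the GnuPG project.  It assumes common.conf lives at $GNUPGHOME/common.conf (the shared options file GnuPG 2.3 and later read), that the homedir should be mode 700 and the file mode 600 as GnuPG expects, and that the option name is exactly "no-autostart" as stated above; the function names ensure_no_autostart and count_no_autostart are the example's own.

```shell
#!/bin/sh
# Added example (not from the mail or the GnuPG project): idempotently
# place "no-autostart" in $GNUPGHOME/common.conf on a remote host so that
# running gpg there never autostarts a local gpg-agent that would take
# over the agent socket forwarded from the workstation via ssh.
#
# Assumptions: $1 is the GnuPG home directory (default ~/.gnupg), and
# common.conf is the options file shared by all GnuPG components.

ensure_no_autostart() {
    home="${1:-$HOME/.gnupg}"
    conf="$home/common.conf"
    # GnuPG complains about an unsafe homedir; create it private (0700).
    [ -d "$home" ] || mkdir -m 700 -p "$home" || return 1
    # An active (uncommented) no-autostart line is already there: done.
    if [ -f "$conf" ] && \
       grep -Eq '^[[:space:]]*no-autostart([[:space:]]|$)' "$conf"; then
        return 0
    fi
    # Append rather than overwrite: keep any other shared options intact.
    printf '%s\n' 'no-autostart' >> "$conf" || return 1
    chmod 600 "$conf"
}

# Count active no-autostart directives in common.conf.
# 1 means the remote box is safe; 0 means gpg may still start an agent
# there (a commented-out "# no-autostart" does not count).
count_no_autostart() {
    conf="${1:-$HOME/.gnupg}/common.conf"
    [ -f "$conf" ] || { echo 0; return 0; }
    grep -Ec '^[[:space:]]*no-autostart([[:space:]]|$)' "$conf" || true
}

# Typical use on the remote machine (uses the default ~/.gnupg):
#   ensure_no_autostart
#   count_no_autostart
```

Run ensure_no_autostart once on each remote host you forward the agent socket to; it is safe to re-run.  The workstation side is the opposite case: there you want the local gpg-agent running and told about your terminal, which is what the updatestartuptty step from the mail does (GPG_TTY exported, then gpg-connect-agent updatestartuptty /bye).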

