12

I'm running Fedora 22. I'm trying to set up GnuPG to have my SSH connections authenticated using my PGP authentication subkey that is located on my Yubikey Neo.

I have a systemd unit starting the gpg-agent as follows:

/usr/bin/gpg-agent --homedir=%h/.gnupg --daemon --use-standard-socket

And I have enabled SSH support in the configuration:

enable-ssh-support
pinentry-program /usr/bin/pinentry-gtk

Other parts of the setup include adding the keygrip of my key to the ~/.gnupg/sshcontrol file, adding my public key to the remote host and declaring the environment variables.

Looking globally at the various logs, the setup seems to work: I can see that SSH finds the key but is actually failing to sign with it. If I look at the logs from gpg-agent, I can see that it is failing to launch the pinentry program and is therefore not requesting the PIN code:

2015-07-22 23:23:28 gpg-agent[6758] DBG: error calling pinentry: Ioctl() inappropriate for a device <Pinentry>
2015-07-22 23:23:28 gpg-agent[6758] DBG: chan_8 -> BYE
2015-07-22 23:23:28 gpg-agent[6758] DBG: chan_7 -> CAN
2015-07-22 23:23:28 gpg-agent[6758] DBG: chan_7 <- ERR 100663573 The IPC call was canceled <SCD>
2015-07-22 23:23:28 gpg-agent[6758] smartcard signing failed: Ioctl() inappropriate for a device
2015-07-22 23:23:28 gpg-agent[6758] ssh sign request failed: Ioctl() inappropriate for a device <Pinentry>

What we see here is that when used in combination with SSH, some ioctl call is failing when calling pinentry. However if I run the following:

$ echo "Test" | gpg2 -s

The PIN window is popping up and it's all working fine.

Can you help me understand what's going on with this setup and SSH?

1
  • I was getting a similar "problem with the agent: Inappropriate ioctl for device" error trying to pipe the output of tar to gpg2 on Mac OS X and vigo's answer resolved it for me. Commented Jul 3, 2016 at 20:26

2 Answers

19

Well, this worked for me:

export GPG_TTY=`tty`

Add this to your .bashrc or just kick it before using gpg.

15

I've found the answer on the GPG Website itself. The agent was failing to find on which screen to display the Pinentry window. I just had to put the following in my .*shrc file:

echo "UPDATESTARTUPTTY" | gpg-connect-agent > /dev/null 2>&1
2
  • Thank you! This helped to pinpoint the problem (pinentry window not showing up). However, the above command does not work for me. If I do gpg-connect-agent it outputs can't connect to the agent: IPC connect call failed. gpg-agent is running fine and GPG_AGENT_INFO env vars are set up properly.
    – user80379
    Commented Sep 29, 2015 at 12:14
  • Interestingly, adding export GPG_AGENT_INFO to .bashrc fixed the above issue with gpg-connect-agent IPC connect call failed. I didn't add this previously because echo $GPG_AGENT_INFO in my shell was fine, but it turns out it's still required.
    – user80379
    Commented Sep 29, 2015 at 12:51
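
The two answers combined into one shell-init function, as an added example that is not part of either answer: it skips shells that have no terminal and then tells the running agent which terminal and display to use for pinentry. The function name gpg_agent_tty_setup and its return codes are assumptions of this example.

```shell
# Added example for ~/.bashrc or another interactive shell init file.
# gpg_agent_tty_setup is a hypothetical name; return codes are this example's own.
gpg_agent_tty_setup() {
    # tty(1) prints "not a tty" and exits non-zero when stdin is not a
    # terminal (cron jobs, scp, systemd units). Exporting that string as
    # GPG_TTY would leave pinentry with no usable terminal, so stop here.
    cur_tty=$(tty 2>/dev/null) || return 1

    # First answer: tell gpg which terminal this shell owns.
    GPG_TTY=$cur_tty
    export GPG_TTY

    # Without the client tool there is no way to talk to the agent.
    command -v gpg-connect-agent >/dev/null 2>&1 || return 2

    # Second answer: point the running agent at this terminal (and DISPLAY,
    # if set). Requests arriving through the agent's SSH socket carry no
    # terminal information, so the agent falls back to its startup values,
    # which are empty when it was started from a systemd unit.
    gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1 || return 3
}

# Run only in interactive shells; scripts sourcing this file are left alone.
case $- in
    *i*) gpg_agent_tty_setup ;;
esac
```

A return code of 3 means the agent could not be reached, which is the situation described in the comments above.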
