[opensuse-factory] Changes in gpg-agent / Plasma? SSH-Key no longer available in gpg-agent...
Hi all,

was there a change recently that affects gpg-agent in Plasma?

I have configured my gpg-agent to have ssh support (enable-ssh-support in ~/.gnupg/gpg-agent.conf) and normally I get a plasma pinentry window that asks for the password to unlock my SSH key in gpg-agent. Now nothing like that, I am just being asked on the CLI and the key is not available in "ssh-add -l" afterwards.

Fallout of the nsswitch thingy?

I just noticed this today, while I tried out Plasma+Wayland. Now it is no longer working in Plasma (without Wayland), too.

I am currently on 20200307, but it worked the last couple of days after installation of that snapshot, so I am puzzled. I cleaned up some rpmnew files yesterday, but there was only zypper, firewalld, some libvirt things and of course nsswitch.

Johannes

-- 
Johannes Kastl
Linux Consultant & Trainer
Tel.: +49 (0) 151 2372 5802
Mail: kastl@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg
http://www.b1-systems.de
GF: Ralph Dehner
Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
On 3/12/20 4:23 AM, Johannes Kastl wrote:
was there a change recently that affects gpg-agent in Plasma?
I don't think so.
I just noticed this today, while I tried out Plasma+Wayland. Now it is no longer working in Plasma (without Wayland), too.
That's your recent change -- using Wayland.

With Wayland, gpg-agent is not automatically started as part of your desktop startup. Instead, it is started on demand. The effect is that it cannot share environment variables with your desktop. Software that uses gpg-agent depends on the socket being in a standard place. But ssh clients don't know about that.

With X11, gpg-agent is still started as part of session startup.

If you login with Wayland, and then use a gpg command, gpg-agent will be started at that time. If you now logout, and login with X11, the left-over gpg-agent will still be running and will block the start of gpg-agent as part of your X11 session. So maybe try rebooting and then login to X11 before you conclude that it isn't working there.

There's probably a way to start gpg-agent with a script in "$HOME/.config/plasma-workspace/env" so that it shares its environment with your desktop session.

-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
12.03.2020 18:36, Neil Rickert wrote:
On 3/12/20 4:23 AM, Johannes Kastl wrote:
was there a change recently that affects gpg-agent in Plasma?
I don't think so.
I just noticed this today, while I tried out Plasma+Wayland. Now it is no longer working in Plasma (without Wayland), too.
That's your recent change -- using Wayland.
With Wayland, gpg-agent is not automatically started as part of your desktop startup. Instead, it is started on demand. The effect is that it cannot share environment variables with your desktop. Software that uses gpg-agent depends on the socket being in a standard place. But ssh clients don't know about that.
If it were the only problem, it would be possible to set SSH_AUTH_SOCK to "standard place" and be done with it. The real problem is that ssh does not know how to auto-start gpg-agent on demand.
With X11, gpg-agent is still started as part of session startup.
If you login with Wayland, and then use a gpg command, gpg-agent will be started at that time. If you now logout, and login with X11, the left-over gpg-agent will still be running and will block the start of gpg-agent as part of your X11 session. So maybe try rebooting and then login to X11 before you conclude that it isn't working there.
There's probably a way to start gpg-agent with a script in "$HOME/.config/plasma-workspace/env" so that it shares its environment with your desktop session.
An alternative approach is to use systemd socket activation. gpg ships with example units and they are available in /usr/share/doc/packages/gpg2/examples/systemd-user. There is also a README describing how to use these files.
Hi Andrei, On 12.03.20 at 20:09 Andrei Borzenkov wrote:
Alternative approach is to use systemd socket activation. gpg ships with example units and they are available in /usr/share/doc/packages/gpg2/examples/systemd-user. There is also README describing how to use these files.
Uuuuh, that sounds interesting.

Johannes (off looking how to disable the gpg-agent start in KDE Plasma...)

-- 
Johannes Kastl
Linux Consultant & Trainer
Tel.: +49 (0) 151 2372 5802
Mail: kastl@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg
http://www.b1-systems.de
GF: Ralph Dehner
Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
On 12.03.20 at 21:06 Johannes Kastl wrote:
Johannes (off looking how to disable the gpg-agent start in KDE Plasma...)
Apparently this is being handled in /etc/X11/xdm/scripts/09-ssh-vars and /etc/X11/xdm/scripts/10-gpg-agent, at least those were the only places I found so far.

Setting usessh and usegpg to no. Enable the systemd user sockets. The only thing I had to do was export SSH_AUTH_SOCK pointing to ~/.ssh/ssh_auth_sock, which I created as a link to /run/user/1000/gnupg/S.gpg-agent.ssh.

Now ssh-agent and gpg-agent are fine, I am asked for a passphrase when trying to use my SSH key.

Next stop: Wayland.

Johannes

-- 
Johannes Kastl
Linux Consultant & Trainer
Tel.: +49 (0) 151 2372 5802
Mail: kastl@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg
http://www.b1-systems.de
GF: Ralph Dehner
Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
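The procedure Johannes describes above (socket-activated gpg-agent plus a manually exported SSH_AUTH_SOCK), together with Neil's and Andrei's point that a plain ssh client neither knows the gpg-agent socket nor can start the agent on demand, as an added shell example. This is not code from the list or from GnuPG. It assumes GnuPG 2.2 with the example units shipped in /usr/share/doc/packages/gpg2/examples/systemd-user, a running systemd user instance, and a session that imports ~/.config/environment.d (assumed for Plasma); the unit and environment.d target paths are the script's own choices. Disabling the xdm-started agent (usessh/usegpg) is left to the steps above.

```shell
#!/bin/sh
# Added example for this thread (not code from the list or from GnuPG):
# point OpenSSH at the socket-activated gpg-agent SSH socket and verify it.
# Assumptions: GnuPG 2.2 with the example units from
# /usr/share/doc/packages/gpg2/examples/systemd-user, a running systemd user
# instance, and a session that imports ~/.config/environment.d (assumed for
# Plasma). Disabling the xdm-started agent (usessh/usegpg) is done separately.

UNIT_SRC="/usr/share/doc/packages/gpg2/examples/systemd-user"
UNIT_DST="${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user"
ENV_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/environment.d"

# Socket path for a given uid under the systemd runtime-dir layout
# (/run/user/<uid>/gnupg/S.gpg-agent.ssh, as used in the thread).
agent_ssh_socket_for_uid() {
    printf '/run/user/%s/gnupg/S.gpg-agent.ssh\n' "$1"
}

# Authoritative socket path: ask gpgconf (honours a non-default GNUPGHOME);
# fall back to the uid-based layout when gpgconf is not installed.
gpg_agent_ssh_socket() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-ssh-socket
    else
        agent_ssh_socket_for_uid "$(id -u)"
    fi
}

# Return 0 when two paths resolve (through symlinks) to the same object.
# A mismatch between $SSH_AUTH_SOCK and the agent socket is exactly the
# symptom in the thread: ssh talks to another agent and "ssh-add -l" is empty.
same_socket() {
    a=$(readlink -f -- "$1" 2>/dev/null) || return 1
    b=$(readlink -f -- "$2" 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Classify a candidate SSH_AUTH_SOCK: missing | not-a-socket | ok.
# -e follows symlinks, so a dangling link (agent not started yet, or a
# stale path left over from a previous session) is reported as missing.
classify_auth_sock() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ ! -S "$1" ]; then
        echo not-a-socket
    else
        echo ok
    fi
}

# One-time setup: install the example units, enable the sockets so the
# agent is started on first connection (which plain ssh cannot do itself),
# and publish SSH_AUTH_SOCK to the user session through environment.d.
setup_socket_activation() {
    mkdir -p "$UNIT_DST" "$ENV_DIR"
    cp "$UNIT_SRC"/*.socket "$UNIT_SRC"/*.service "$UNIT_DST"/
    systemctl --user daemon-reload
    systemctl --user enable --now gpg-agent.socket gpg-agent-ssh.socket
    printf 'SSH_AUTH_SOCK=%s\n' "$(gpg_agent_ssh_socket)" \
        > "$ENV_DIR/90-gpg-agent-ssh.conf"
    echo "done; log out and back in, then run: ssh-add -l"
}

# Diagnose the current session: will ssh reach gpg-agent?
check_session() {
    sock=$(gpg_agent_ssh_socket)
    echo "gpg-agent ssh socket: $sock ($(classify_auth_sock "$sock"))"
    echo "SSH_AUTH_SOCK:        ${SSH_AUTH_SOCK:-<unset>}"
    if [ -n "${SSH_AUTH_SOCK:-}" ] && same_socket "$SSH_AUTH_SOCK" "$sock"; then
        echo "ok: ssh clients use gpg-agent"
    else
        echo "mismatch: ssh clients talk to a different agent, or none"
        return 1
    fi
}

case "${1:-}" in
    setup) setup_socket_activation ;;
    check) check_session ;;
esac
```

Run `sh gpg-agent-ssh.sh check` first in a fresh session: if SSH_AUTH_SOCK resolves to something other than the gpgconf socket, ssh is talking to a second agent (the xdm-started one, or the left-over instance Neil describes), and `ssh-add -l` will not list the key gpg-agent holds. `setup` only needs to run once; it relies on the `--now` socket being reachable before any ssh client is started, which is what makes the on-demand start work for clients that know nothing about gpg-agent.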
Hi,

On 12.03.20 at 22:14 Johannes Kastl wrote:
On 12.03.20 at 21:06 Johannes Kastl wrote:
Johannes (off looking how to disable the gpg-agent start in KDE Plasma...)
Apparently this is being handled in /etc/X11/xdm/scripts/09-ssh-vars and /etc/X11/xdm/scripts/10-gpg-agent, at least that were the only places I found so far.
Setting usessh and usegpg to no. Enable the systemd user sockets. Only thing I had to do was export SSH_AUTH_SOCK pointing to ~/.ssh/ssh_auth_sock, that I created as a link to /run/user/1000/gnupg/S.gpg-agent.ssh.
Now ssh-agent and gpg-agent are fine, I am asked for a passphrase when trying to use my SSH key.
Next stop: Wayland.
I was also running into gpg/ssh-agent issues when I switched to Wayland. The outcome so far was https://bugzilla.suse.com/show_bug.cgi?id=1164872

I do not understand why the quite well working X11 setup is not used (similarly) for a Wayland session.

Wolfgang
On Thu, Mar 12, 2020 at 23:06, Wolfgang Rosenauer <wolfgang@rosenauer.org> wrote:
Hi,
On 12.03.20 at 22:14 Johannes Kastl wrote:
On 12.03.20 at 21:06 Johannes Kastl wrote:
Johannes (off looking how to disable the gpg-agent start in KDE Plasma...)
Apparently this is being handled in /etc/X11/xdm/scripts/09-ssh-vars and /etc/X11/xdm/scripts/10-gpg-agent, at least that were the only places I found so far.
Setting usessh and usegpg to no. Enable the systemd user sockets. Only thing I had to do was export SSH_AUTH_SOCK pointing to ~/.ssh/ssh_auth_sock, that I created as a link to /run/user/1000/gnupg/S.gpg-agent.ssh.
Now ssh-agent and gpg-agent are fine, I am asked for a passphrase when trying to use my SSH key.
Next stop: Wayland.
I was also running into gpg/ssh-agent issues when I switched to wayland. The outcome so far was https://bugzilla.suse.com/show_bug.cgi?id=1164872
I do not understand why the quite well working X11 setup is not used (similarly) for a wayland session,
This is a twofold problem from the packaging point of view at least. Non XDM specific scripts were very often installed in XDM scripts directory, which means that every desktop has to have XDM installed for no particular reason. If instead we used profile.d and xinit as the source of those scripts, we could avoid installing XDM and have the ability to use some of those scripts under Wayland.

Now just somebody has to do it ;)

LCP [Stasiek]
https://lcp.world
On 3/13/20 10:11 AM, Stasiek Michalski wrote:
On Thu, Mar 12, 2020 at 23:06, Wolfgang Rosenauer <wolfgang@rosenauer.org> wrote:
Hi,
On 12.03.20 at 22:14 Johannes Kastl wrote:
On 12.03.20 at 21:06 Johannes Kastl wrote:
Johannes (off looking how to disable the gpg-agent start in KDE Plasma...)
Apparently this is being handled in /etc/X11/xdm/scripts/09-ssh-vars and /etc/X11/xdm/scripts/10-gpg-agent, at least that were the only places I found so far.
Setting usessh and usegpg to no. Enable the systemd user sockets. Only thing I had to do was export SSH_AUTH_SOCK pointing to ~/.ssh/ssh_auth_sock, that I created as a link to /run/user/1000/gnupg/S.gpg-agent.ssh.
Now ssh-agent and gpg-agent are fine, I am asked for a passphrase when trying to use my SSH key.
Next stop: Wayland.
I was also running into gpg/ssh-agent issues when I switched to wayland. The outcome so far was https://bugzilla.suse.com/show_bug.cgi?id=1164872
I do not understand why the quite well working X11 setup is not used (similarly) for a wayland session,
This is a twofold problem from the packaging point of view at least. Non XDM specific scripts were very often installed in XDM scripts directory, which means that every desktop has to have XDM installed for no particular reason. If instead we used profile.d and xinit as the source of those scripts, we could avoid installing XDM and have the ability to use some of those scripts under Wayland.
Many of them would probably make more sense running as a systemd user service. We'd probably need to check that our presets stuff works with user services. For things like this one that have socket activation we really should just be configuring that right out of the box.
Now just somebody has to do it ;)
Yep

-- 
Simon Lees (Simotek)
http://simotek.net
Emergency Update Team
keybase.io/simotek
SUSE Linux
Adelaide
Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
Hi Wolfgang, On 12.03.20 at 23:06 Wolfgang Rosenauer wrote:
On 12.03.20 at 22:14 Johannes Kastl wrote:
Next stop: Wayland.
I was also running into gpg/ssh-agent issues when I switched to wayland. The outcome so far was https://bugzilla.suse.com/show_bug.cgi?id=1164872
I do not understand why the quite well working X11 setup is not used (similarly) for a wayland session,
I just tried what is now working[tm] with the non-Wayland KDE Plasma session (socket activated gpg-agent, SSH_AUTH_SOCK set manually).

# non-Wayland Plasma

In non-Wayland I get the popup asking to unlock my gpg key (needed for kwallet to allow Nextcloud passwords and WIFI passwords and such), and that seems to work (even though I have to dismiss password prompts for WIFI). After half a minute WIFI is connecting, nextcloud is connecting etc. "ssh-add -l" shows my key. I can use my ssh key and get prompted by gpg-agent to enter the passphrase used to lock that ssh key in gpg-agent.

In Plasma Wayland I get the popup asking to unlock my gpg key (needed for kwallet to allow Nextcloud passwords and WIFI passwords and such), and that seems to work. "ssh-add -l" shows my key. Using my ssh key results in an error, though, and I get asked for my password. :-(

Johannes

-- 
Johannes Kastl
Linux Consultant & Trainer
Tel.: +49 (0) 151 2372 5802
Mail: kastl@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg
http://www.b1-systems.de
GF: Ralph Dehner
Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
Hi Neil, On 12.03.20 at 16:36 Neil Rickert wrote:
On 3/12/20 4:23 AM, Johannes Kastl wrote:
That's your recent change -- using Wayland.
With Wayland, gpg-agent is not automatically started as part of your desktop startup. Instead, it is started on demand. The effect is that it cannot share environment variables with your desktop. Software that uses gpg-agent depends on the socket being in a standard place. But ssh clients don't know about that.
With X11, gpg-agent is still started as part of session startup.
If you login with Wayland, and then use a gpg command, gpg-agent will be started at that time. If you now logout, and login with X11, the left-over gpg-agent will still be running and will block the start of gpg-agent as part of your X11 session. So maybe try rebooting and then login to X11 before you conclude that it isn't working there.
Sounds reasonable. And yes, after a reboot it works like before.

Thing is, I thought I had done a reboot after trying Wayland... Anyway, solved...

Johannes

-- 
Johannes Kastl
Linux Consultant & Trainer
Tel.: +49 (0) 151 2372 5802
Mail: kastl@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg
http://www.b1-systems.de
GF: Ralph Dehner
Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537