I am using Arch Linux and gpg (GnuPG) 2.2.27. I am trying to set up ssh support with gpg; I use this along with git SSH public key authentication. For that I created a public key from gpg.
When the socket activation happens and I check the systemctl status for gpg-agent:
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 3 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 4 for extra socket (/run/user/1000/gnupg/S.gpg-agent.extra)
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 5 for browser socket (/run/user/1000/gnupg/S.gpg-agent.browser)
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 6 for std socket (/run/user/1000/gnupg/S.gpg-agent)
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: listening on: std=6 extra=4 browser=5 ssh=3
Mar 05 13:19:58 vipin-pc gpg-agent[15053]: scdaemon[15053]: pcsc_establish_context failed: no service (0x8010001d)
Mar 05 13:20:17 vipin-pc gpg-agent[15053]: scdaemon[15053]: pcsc_establish_context failed: no service (0x8010001d)
Mar 05 13:20:18 vipin-pc gpg-agent[15051]: failed to unprotect the secret key: Inappropriate ioctl for device
Mar 05 13:20:18 vipin-pc gpg-agent[15051]: failed to read the secret key
Mar 05 13:20:18 vipin-pc gpg-agent[15051]: ssh sign request failed: Inappropriate ioctl for device <Pinentry>
And when I do git push I get the error below:
sign_and_send_pubkey: signing failed for RSA "(none)" from agent: agent refused operation
remote: Public key authentication failed.
fatal: Could not read from remote repository.
Working case
The command I used is explained below. The only way I can make it work is using the method below; with socket activation or systemd it is not working.
gpg-agent --enable-ssh-support --daemon
The above command produces the output shown below. Execute that output in the next command.
SSH_AUTH_SOCK=/run/user/1000/gnupg/d.9e8e8c1bboxm43ocazxnxq5w/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
After that, if I try to do git push, I get the prompt and it is working.
How I was able to reproduce the same error as systemd in the above method: the steps are explained below.
In the same command prompt, when I do git push and cancel the prompt, I get the same error I was getting with systemd:
sign_and_send_pubkey: signing failed for RSA "(none)" from agent: agent refused operation
remote: Public key authentication failed.
fatal: Could not read from remote repository.
All the setup and errors are explained below using SYSTEMD.
I am not getting what exactly I am missing. I went through blogs and tried to troubleshoot, but I am not getting exactly what I am missing.
Please find my setup and the troubleshooting method I used.
I use the XDG directory specification for folder structures,
using the environment.d folder in ~/.config to load all the environment variables for my systemd processes.
Attaching the environment variables below.
#GPG_TTY=$(tty)
GPG_TTY=/dev/pts/0
TERM=linux
#PATH="$(/usr/bin/du -L --exclude=.idea --exclude=archive --exclude=__pycache__ $HOME/.local/bin/vbin| /usr/bin/cut -f2 | /usr/bin/tr '\n' ':')$PATH"
PATH="$HOME/.local/bin/vbin/bspwm:/$HOME/.local/bin/vbin:$PATH"
PATH=$PATH:$HOME/.local/share/npm/bin:$HOME/.local/bin/net.downloadhelper.coapp-1.3.0/bin:$HOME/.local/bin
# default programs:
EDITOR="emsc"
VISUAL="${EDITOR}"
TERMINAL="st"
BROWSER="firefox"
FILE="lf"
STATUSBAR="polybar"
#Other program settings
VCONFIG=${HOME}/.config/vconfig
VBIN=${HOME}/.local/bin/vbin
SUDO_ASKPASS=${VBIN}/dmenupass
ORGPATH=${HOME}/Org
#XDG CONFIG MOVEMENTS
XDG_CONFIG_HOME=${HOME}/.config
XDG_DATA_HOME=${HOME}/.local/share
XDG_CACHE_HOME=${HOME}/.cache
GNUPGHOME=${XDG_DATA_HOME}/gnupg
IPYTHONDIR=${XDG_CONFIG_HOME}/jupyter
JUPYTER_CONFIG_DIR=${XDG_CONFIG_HOME}/jupyter
ZDOTDIR=${XDG_CONFIG_HOME}/.config/zsh
NPM_CONFIG_USERCONFIG=$XDG_CONFIG_HOME/npm/config
LESSKEY=${XDG_CONFIG_HOME}/less/lesskey
GTK2_RC_FILES=${XDG_CONFIG_HOME}/gtk-2.0/gtkrc
_JAVA_OPTIONS=-Djava.util.prefs.userRoot=${XDG_CONFIG_HOME}/java
ANDROID_SDK_HOME=${XDG_CONFIG_HOME}/android
ADB_VENDOR_KEY=${XDG_CONFIG_HOME}/android
WINEPREFIX=${XDG_DATA_HOME}/wineprefixes/default
HISTFILE=${XDG_DATA_HOME}/zsh/history
_Z_DATA=${XDG_DATA_HOME}/.z
GOPATH=${XDG_DATA_HOME}/go
GNUPGHOME=${XDG_DATA_HOME}/gnupg
PASSWORD_STORE_DIR=${XDG_DATA_HOME}/pass
VSCODE_PORTABLE=${XDG_DATA_HOME}/vscode
ANDROID_AVD_HOME=${XDG_DATA_HOME}/android
ANDROID_EMULATOR_HOME=${XDG_DATA_HOME}/android
NUGET_PACKAGES=${XDG_CACHE_HOME}/NuGetPackages
PYLINTHOME=${XDG_CACHE_HOME}/pylint
LESSHISTFILE=${XDG_CACHE_HOME}/less/history
CUDA_CACHE_PATH=${XDG_CACHE_HOME}/nv
SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"
CM_SELECTIONS="clipboard"
CM_DEBUG=0
CM_OUTPUT_CLIP=0
CM_MAX_CLIPS=100
CM_LAUNCHER="rofi"
ANDROID_ADB_SERVER_PORT=8080
LF_ICONS="\
di=:\
fi=:\
ln=:\
or=:\
ex=:\
*.c=:\
*.cc=:\
*.clj=:\
*.coffee=:\
*.cpp=:\
*.css=:\
*.d=:\
*.dart=:\
*.erl=:\
*.exs=:\
*.fs=:\
*.go=:\
*.h=:\
*.hh=:\
*.hpp=:\
*.hs=:\
*.html=:\
*.java=:\
*.jl=:\
*.js=:\
*.json=:\
*.lua=:\
*.md=:\
*.php=:\
*.pl=:\
*.pro=:\
*.py=:\
*.rb=:\
*.rs=:\
*.scala=:\
*.ts=:\
*.vim=:\
*.cmd=:\
*.ps1=:\
*.sh=:\
*.bash=:\
*.zsh=:\
*.fish=:\
*.tar=:\
*.tgz=:\
*.arc=:\
*.arj=:\
*.taz=:\
*.lha=:\
*.lz4=:\
*.lzh=:\
*.lzma=:\
*.tlz=:\
*.txz=:\
*.tzo=:\
*.t7z=:\
*.zip=:\
*.z=:\
*.dz=:\
*.gz=:\
*.lrz=:\
*.lz=:\
*.lzo=:\
*.xz=:\
*.zst=:\
*.tzst=:\
*.bz2=:\
*.bz=:\
*.tbz=:\
*.tbz2=:\
*.tz=:\
*.deb=:\
*.rpm=:\
*.jar=:\
*.war=:\
*.ear=:\
*.sar=:\
*.rar=:\
*.alz=:\
*.ace=:\
*.zoo=:\
*.cpio=:\
*.7z=:\
*.rz=:\
*.cab=:\
*.wim=:\
*.swm=:\
*.dwm=:\
*.esd=:\
*.jpg=:\
*.jpeg=:\
*.mjpg=:\
*.mjpeg=:\
*.gif=:\
*.bmp=:\
*.pbm=:\
*.pgm=:\
*.ppm=:\
*.tga=:\
*.xbm=:\
*.xpm=:\
*.tif=:\
*.tiff=:\
*.png=:\
*.svg=:\
*.svgz=:\
*.mng=:\
*.pcx=:\
*.mov=:\
*.mpg=:\
*.mpeg=:\
*.m2v=:\
*.mkv=:\
*.webm=:\
*.ogm=:\
*.mp4=:\
*.m4v=:\
*.mp4v=:\
*.vob=:\
*.qt=:\
*.nuv=:\
*.wmv=:\
*.asf=:\
*.rm=:\
*.rmvb=:\
*.flc=:\
*.avi=:\
*.fli=:\
*.flv=:\
*.gl=:\
*.dl=:\
*.xcf=:\
*.xwd=:\
*.yuv=:\
*.cgm=:\
*.emf=:\
*.ogv=:\
*.ogx=:\
*.aac=:\
*.au=:\
*.flac=:\
*.m4a=:\
*.mid=:\
*.midi=:\
*.mka=:\
*.mp3=:\
*.mpc=:\
*.ogg=:\
*.ra=:\
*.wav=:\
*.oga=:\
*.opus=:\
*.spx=:\
*.xspf=:\
*.pdf=:\
*.nix=:\
"
In the above environment setting, I set GNUPGHOME=${XDG_DATA_HOME}/gnupg
Permissions on my GNUPGHOME:
total 84K
drwx------ 2 vipin vipin 4.0K Nov 8 18:50 openpgp-revocs.d
drwx------ 2 vipin vipin 4.0K Mar 4 00:22 private-keys-v1.d
-rw------- 1 vipin vipin 105 Mar 5 10:10 gpg-agent.conf
-rw-r--r-- 1 vipin vipin 16K Mar 4 00:23 pubring.kbx
-rw-r--r-- 1 vipin vipin 41 Mar 4 00:41 sshcontrol
-rw-r--r-- 1 vipin vipin 48K Mar 4 00:23 tofu.db
-rw------- 1 vipin vipin 1.3K Nov 8 18:50 trustdb.gpg
The /home/vipin/.local/share/gnupg/gpg-agent.conf file contains the information below.
default-cache-ttl 240
enable-ssh-support
pinentry-program /usr/bin/pinentry-gtk-2
pinentry-mode loopback
Pinentry program files and permissions:
-rwxr-xr-x 1 root root 122 Nov 13 2019 /usr/bin/pinentry
-rwxr-xr-x 1 root root 71K Nov 13 2019 /usr/bin/pinentry-curses
-rwxr-xr-x 1 root root 63K Nov 13 2019 /usr/bin/pinentry-emacs
-rwxr-xr-x 1 root root 79K Nov 13 2019 /usr/bin/pinentry-gnome3
-rwxr-xr-x 1 root root 91K Nov 13 2019 /usr/bin/pinentry-gtk-2
-rwxr-xr-x 1 root root 127K Nov 13 2019 /usr/bin/pinentry-qt
-rwxr-xr-x 1 root root 67K Nov 13 2019 /usr/bin/pinentry-tty
SSH socket, added in the environment variables:
SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"
Systemd user units at /home/vipin/.local/share/systemd/user/, using socket activation to start gpg-agent.service:
gpg-agent-browser.socket
gpg-agent.socket
gpg-agent-extra.socket
gpg-agent-ssh.socket
gpg-agent.service
gpg-agent.service
[Unit]
Description=GnuPG cryptographic agent and passphrase cache
Documentation=man:gpg-agent(1)
Requires=gpg-agent.socket
[Service]
ExecStart=/usr/bin/gpg-agent --supervised --enable-ssh-support
ExecReload=/usr/bin/gpgconf --reload gpg-agent
gpg-agent.socket
[Unit]
Description=GnuPG cryptographic agent and passphrase cache
Documentation=man:gpg-agent(1)
[Socket]
ListenStream=%t/gnupg/S.gpg-agent
FileDescriptorName=std
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target
gpg-agent-ssh.socket
[Unit]
Description=GnuPG cryptographic agent (ssh-agent emulation)
Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)
[Socket]
ListenStream=%t/gnupg/S.gpg-agent.ssh
FileDescriptorName=ssh
Service=gpg-agent.service
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target
gpg-agent-extra.socket
[Unit]
Description=GnuPG cryptographic agent and passphrase cache (restricted)
Documentation=man:gpg-agent(1)
[Socket]
ListenStream=%t/gnupg/S.gpg-agent.extra
FileDescriptorName=extra
Service=gpg-agent.service
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target
gpg-agent-browser.socket
[Unit]
Description=GnuPG cryptographic agent and passphrase cache (access for web browsers)
Documentation=man:gpg-agent(1)
[Socket]
ListenStream=%t/gnupg/S.gpg-agent.browser
FileDescriptorName=browser
Service=gpg-agent.service
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target
After configuring the above settings I created a new sub-key in gpg for authentication.
Then I executed the command below, created sshcontrol at /home/vipin/.local/share/gnupg/ and copied only the keygrip for authentication.
gpg --list-keys --with-keygrip
When I execute systemctl --user status gpg-agent I can see some errors getting triggered:
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 3 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 4 for extra socket (/run/user/1000/gnupg/S.gpg-agent.extra)
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 5 for browser socket (/run/user/1000/gnupg/S.gpg-agent.browser)
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 6 for std socket (/run/user/1000/gnupg/S.gpg-agent)
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: listening on: std=6 extra=4 browser=5 ssh=3
Mar 05 13:19:58 vipin-pc gpg-agent[15053]: scdaemon[15053]: pcsc_establish_context failed: no service (0x8010001d)
Mar 05 13:20:17 vipin-pc gpg-agent[15053]: scdaemon[15053]: pcsc_establish_context failed: no service (0x8010001d)
Mar 05 13:20:18 vipin-pc gpg-agent[15051]: failed to unprotect the secret key: Inappropriate ioctl for device
Mar 05 13:20:18 vipin-pc gpg-agent[15051]: failed to read the secret key
Mar 05 13:20:18 vipin-pc gpg-agent[15051]: ssh sign request failed: Inappropriate ioctl for device <Pinentry>
But when I try to do ssh-add -l, I can see the connection:
4096 SHA256: (none) (RSA) /0.0s
I also did ps -eaf | grep gpg-agent and I can see gpg-agent using socket activation:
vipin 12147 573 0 12:00 ? 00:00:00 /usr/bin/gpg-agent --supervised --enable-ssh-support
When I try gpg --export-ssh-key VipinBalakrishnan, I am able to see the public key exported.
I used the above public key in Azure DevOps, so that I can use the SSH key to authenticate.
After configuring everything, when I try to
git push
I get the error below:
sign_and_send_pubkey: signing failed for RSA "(none)" from agent: agent refused operation
remote: Public key authentication failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
I went through the Arch wiki link https://wiki.archlinux.org/index.php/GnuPG
I went through the troubleshooting section, but I am not getting any clue. Some blog said it is not identifying the tty. For that I executed:
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye >/dev/null
Output:
gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: connection to agent established
But the above command creates a different gpg-agent process without supervised mode; it is running as a daemon, and the socket is different. When I do ps -eaf | grep gpg-agent I can see it is in daemon mode:
vipin 13327 1 0 12:52 ? 00:00:00 gpg-agent --homedir /home/vipin/.local/share/gnupg --use-standard-socket --daemon
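As an added example (not from the question's author), the checks a reader would do by hand on the data in this question can be scripted offline: expand the environment.d-style file the way the systemd user manager does (the simple `$VAR`/`${VAR}` expansion and quote stripping, handled here as an assumption about the subset of environment.d(5) syntax used above), read back the socket paths gpg-agent reported in the journal, compare them with the expanded `SSH_AUTH_SOCK`, and flag the `Inappropriate ioctl for device <Pinentry>` signature, which means pinentry could not open a terminal and the agent never obtained the passphrase. The sample environment lines and journal lines are constructed from the values shown in the question; `HOME` and `XDG_RUNTIME_DIR` are supplied as assumed base values.

```python
"""Offline diagnostic for a gpg-agent ssh-support setup (added example)."""
import re
from typing import Dict, List

# --- constructed sample input, copied from the values in the question -------
ENV_D = """\
XDG_DATA_HOME=${XDG_DATA_HOME:-}${HOME}/.local/share
GNUPGHOME=${XDG_DATA_HOME}/gnupg
GPG_TTY=/dev/pts/0
SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"
"""

JOURNAL = """\
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 3 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 6 for std socket (/run/user/1000/gnupg/S.gpg-agent)
Mar 05 13:20:18 vipin-pc gpg-agent[15051]: failed to unprotect the secret key: Inappropriate ioctl for device
Mar 05 13:20:18 vipin-pc gpg-agent[15051]: ssh sign request failed: Inappropriate ioctl for device <Pinentry>
"""

# Assumed base environment the user manager already has when environment.d is read.
BASE_ENV = {"HOME": "/home/vipin", "XDG_RUNTIME_DIR": "/run/user/1000"}

# ${NAME} or ${NAME:-default} or $NAME; only the subset environment.d(5) documents.
_VAR = re.compile(r"\$\{(\w+)(?::-([^}]*))?\}|\$(\w+)")
# gpg-agent's startup line for each socket it was handed or created.
_SOCK = re.compile(r"using fd (\d+) for (\w+) socket \((\S+)\)")


def expand_environment_d(text: str, base: Dict[str, str]) -> Dict[str, str]:
    """Apply KEY=VALUE lines in order, expanding references against `base`
    plus earlier assignments, and strip one layer of surrounding quotes."""
    env = dict(base)

    def sub(m: re.Match) -> str:
        name = m.group(1) or m.group(3)
        if name in env:
            return env[name]
        return m.group(2) or ""  # ${NAME:-default} fallback, else empty

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = _VAR.sub(sub, value)
    return env


def agent_sockets(journal: str) -> Dict[str, str]:
    """Map socket kind (std, ssh, extra, browser) to the path gpg-agent logged."""
    return {m.group(2): m.group(3) for m in _SOCK.finditer(journal)}


def diagnose(env_text: str, journal: str, base: Dict[str, str]) -> List[str]:
    """Return human-readable findings about the ssh-support setup."""
    env = expand_environment_d(env_text, base)
    sockets = agent_sockets(journal)
    findings: List[str] = []

    ssh_sock = env.get("SSH_AUTH_SOCK")
    if "ssh" not in sockets:
        findings.append("agent reported no ssh socket: enable-ssh-support or the ssh socket unit is not active")
    elif ssh_sock != sockets["ssh"]:
        findings.append(f"SSH_AUTH_SOCK {ssh_sock!r} differs from the agent's ssh socket {sockets['ssh']!r}")
    else:
        findings.append("SSH_AUTH_SOCK matches the agent's ssh socket, so ssh reaches the supervised agent")

    if "<Pinentry>" in journal and "Inappropriate ioctl for device" in journal:
        findings.append("pinentry could not open a terminal: no passphrase, so the ssh sign request failed")

    tty = env.get("GPG_TTY", "")
    if tty.startswith("/dev/"):
        # For ssh requests gpg-agent has no client tty; it uses the tty/display it
        # recorded at startup (or via updatestartuptty), so a pinned value may not
        # be the terminal the user is actually typing in.
        findings.append(f"GPG_TTY is pinned to {tty}; the supervised agent prompts there, not on the caller's terminal")
    return findings


if __name__ == "__main__":
    for line in diagnose(ENV_D, JOURNAL, BASE_ENV):
        print("-", line)
```

The script is read-only: it does not touch the live agent, so it can be run on a copy of the environment.d file and a `journalctl --user -u gpg-agent` dump taken from another machine.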