gpg-agent refuses SSH keys with ssh-add reporting “agent refused operation”
I'm using openssh 7.5p1 and gnupg 2.1.21 on Arch Linux (these are the default versions that come with Arch). I would like to use gpg-agent as an ssh agent. I put the following in my ~/.gnupg/gpg-agent.conf:



pinentry-program /usr/bin/pinentry-qt
enable-ssh-support


Arch automatically starts a gpg-agent from systemd, so I set



export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"


When I run ssh-add -l, it reports no identities and ps reports a gpg-agent --supervised process as I would expect.



Unfortunately, when I run ssh-add, no matter what the key type, it doesn't work. Here is an example of how I tried dsa:



$ ssh-keygen -f testkey -t dsa -N ''
Generating public/private dsa key pair.
Your identification has been saved in testkey.
Your public key has been saved in testkey.pub.
$ ssh-add testkey
Could not add identity "testkey": agent refused operation


All other gpg functions work properly (encrypting/decrypting/signing). Also, the keys I generate work fine if I use them directly with ssh, and they work properly if I run the ssh-agent that came with openssh.



The documentation says that ssh-add should add keys to ~/.gnupg/sshcontrol, but obviously nothing is happening.



My question: What's the easiest way to load a key generated by openssh's ssh-keygen into gpg-agent, and can someone please cut and paste a terminal session showing how this works?
Tags: openssh, ssh-agent, gpg-agent

asked Jun 19 '17 at 3:05 by user3188445
2 Answers
The answer was apparently to run:

echo UPDATESTARTUPTTY | gpg-connect-agent

I have no idea why the pinentry program worked fine for other uses such as decrypting files, but didn't work for ssh-add.

While this now works, it also makes a copy of the ssh private key that doesn't show up under gpg -Kv, and furthermore doesn't seem to allow you to change the passphrase on your private key (since you can't edit it with --edit-key). Basically I'm pretty unhappy with the way gpg-agent provides low visibility into where your secrets are being copied. If you hit this question because you hoped gpg-agent might be a better alternative to ssh-agent, then I'd encourage you to stick to ssh-agent instead of trying out my answer. The main reason to prefer gpg-agent is if you need it for smart-card use.
answered Jun 19 '17 at 4:55 by user3188445
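An added example (not from the question or either answer) that makes the copying the answer above complains about visible: it reads $GNUPGHOME/sshcontrol and checks each enabled keygrip against the secret-key file gpg-agent stores under private-keys-v1.d. The sshcontrol format (one 40-hex keygrip per line, optional TTL and flags, '#' comments, '!' disables an entry) and the private-keys-v1.d/<KEYGRIP>.key layout are GnuPG's standard layout; the keygrips in the demo fixture are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. gpg-agent records each accepted SSH
# key's keygrip in $GNUPGHOME/sshcontrol and stores the secret key itself as
# $GNUPGHOME/private-keys-v1.d/<KEYGRIP>.key, outside the OpenPGP keyring, which is
# why `gpg -K` never lists it. This script makes that inventory visible.
# Assumed: GNUPGHOME defaults to ~/.gnupg; sshcontrol lines are a 40-hex keygrip
# with optional TTL (seconds) and flags, '#' starts a comment, '!' disables a key.

gnupg_home() { printf '%s\n' "${GNUPGHOME:-$HOME/.gnupg}"; }

# Print "<KEYGRIP> <ttl> <flags>" for every enabled, well-formed entry in file $1.
sshcontrol_entries() {
    [ -r "$1" ] || return 1
    sed 's/#.*//' "$1" | awk '
        NF > 0 && substr($1, 1, 1) != "!" && length($1) == 40 && $1 ~ /^[0-9A-Fa-f]+$/ {
            printf "%s %s %s\n", toupper($1), (NF >= 2 ? $2 : 0), (NF >= 3 ? $3 : "-")
        }'
}

# Number of enabled entries under GNUPGHOME $1.
count_enabled() { sshcontrol_entries "$1/sshcontrol" | wc -l | tr -d ' '; }

# Enabled entries whose secret-key file is gone (stale sshcontrol lines).
count_missing() {
    n=0
    for grip in $(sshcontrol_entries "$1/sshcontrol" | cut -d' ' -f1); do
        [ -f "$1/private-keys-v1.d/$grip.key" ] || n=$((n + 1))
    done
    printf '%d\n' "$n"
}

# One report line per enabled key for GNUPGHOME $1 (default: the real one).
audit_ssh_keys() {
    home=${1:-$(gnupg_home)}
    sshcontrol_entries "$home/sshcontrol" | while read -r grip ttl flags; do
        if [ -f "$home/private-keys-v1.d/$grip.key" ]; then st=present; else st=MISSING; fi
        printf '%s ttl=%s flags=%s secret-key-file=%s\n' "$grip" "$ttl" "$flags" "$st"
    done
}

# Constructed fixture (made-up keygrips, empty key files) so the demo runs offline.
demo_home() {
    d=$(mktemp -d)
    mkdir -p "$d/private-keys-v1.d"
    cat > "$d/sshcontrol" <<'EOF'
# constructed sample sshcontrol, not a real keyring
0123456789ABCDEF0123456789ABCDEF01234567 0
!FEDCBA9876543210FEDCBA9876543210FEDCBA98 0 confirm
89abcdef0123456789abcdef0123456789abcdef 600 confirm
this-is-not-a-keygrip
EOF
    : > "$d/private-keys-v1.d/0123456789ABCDEF0123456789ABCDEF01234567.key"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then audit_ssh_keys "$(demo_home)"; fi
```

Run it with `--demo` to see the constructed fixture, or call `audit_ssh_keys` with no argument to inventory your own ~/.gnupg.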
In my case, the problem was the pinentry program used. I was using pinentry-emacs. It seems it doesn't handle the dual text-field entry window prompt that ssh-add triggers when used with gpg-agent.

Removing pinentry-emacs and installing the GTK pinentry solved the problem here.

I hope this can help someone! The error message sure didn't give me any clue.
answered 4 mins ago by user30747
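An added pre-flight script (not from the question or either answer) that checks, offline, the two configuration points this thread turned on (enable-ssh-support and a pinentry-program the agent can actually execute) and, against a live agent, the SSH_AUTH_SOCK wiring plus the UPDATESTARTUPTTY step from the first answer. It assumes GnuPG 2.1+ (`gpgconf --list-dirs agent-ssh-socket`, `gpg-connect-agent`); the sample gpg-agent.conf files it writes are constructed.

```shell
#!/bin/sh
# Added example, not from the original posts. Pre-flight checks for running
# gpg-agent as the SSH agent: an enable-ssh-support line in gpg-agent.conf, a
# pinentry-program the agent can execute, SSH_AUTH_SOCK pointing at gpg-agent's
# ssh socket, and telling the agent which tty to use (the UPDATESTARTUPTTY fix).
# Assumes GnuPG 2.1+ (gpgconf --list-dirs agent-ssh-socket, gpg-connect-agent).

# Value of option $2 in gpg-agent.conf $1; bare options yield "yes", absent "".
agent_conf_value() {
    [ -r "$1" ] || return 1
    sed 's/#.*//' "$1" | awk -v opt="$2" '$1 == opt { v = (NF > 1) ? $2 : "yes" } END { print v }'
}

# Offline check of a config file; prints findings, returns 0 only if all pass.
check_agent_conf() {
    conf=$1; rc=0
    if [ "$(agent_conf_value "$conf" enable-ssh-support)" = yes ]; then
        echo "ok   enable-ssh-support is set"
    else
        echo "FAIL enable-ssh-support is missing from $conf"; rc=1
    fi
    pin=$(agent_conf_value "$conf" pinentry-program)
    if [ -z "$pin" ]; then
        echo "warn no pinentry-program set; gpg-agent falls back to its default pinentry"
    elif [ ! -x "$pin" ]; then
        echo "FAIL pinentry-program $pin is not an executable file"; rc=1
    else
        echo "ok   pinentry-program $pin"
        # The second answer reports that pinentry-emacs cannot handle ssh-add's prompt.
        case $(basename "$pin") in
            pinentry-emacs) echo "warn pinentry-emacs reportedly fails with ssh-add (see the second answer)" ;;
        esac
    fi
    return $rc
}

# Checks against the live agent; not exercised by the offline demo below.
check_live_agent() {
    sock=$(gpgconf --list-dirs agent-ssh-socket) || return 1
    if [ "${SSH_AUTH_SOCK:-}" != "$sock" ]; then
        echo "FAIL SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-unset}; expected $sock"; return 1
    fi
    echo "ok   SSH_AUTH_SOCK=$sock"
    # Same effect as `echo UPDATESTARTUPTTY | gpg-connect-agent` in the first answer.
    gpg-connect-agent updatestartuptty /bye >/dev/null && echo "ok   agent told about this tty"
}

# Constructed gpg-agent.conf with the given pinentry path, so the check runs offline.
demo_conf() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample gpg-agent.conf' "pinentry-program $1" enable-ssh-support > "$f"
    printf '%s\n' "$f"
}

if [ "${1:-}" = "--demo" ]; then
    check_agent_conf "$(demo_conf /bin/sh)"
    check_agent_conf "$(demo_conf /nonexistent/pinentry)" || echo "demo: broken config detected"
fi
```

Against a real setup, run `check_agent_conf ~/.gnupg/gpg-agent.conf` and then `check_live_agent` from the shell whose ssh-add is failing.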