gpg-agent refuses SSH keys with ssh-add reporting “agent refused operation”












6















I'm using openssh7.5p1 and gnupg 2.1.21 on arch linux (these are the default versions that come with arch). I would like to use gpg-agent as an ssh agent. I put the following in my ~/.gnupg/gpg-agent.conf:



pinentry-program /usr/bin/pinentry-qt
enable-ssh-support


Arch automatically starts a gpg-agent from systemd, so I set



export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"


When I run ssh-add -l, it reports no identities and ps reports a gpg-agent --supervised process as I would expect.



Unfortunately, when I run ssh-add, no matter what the key type, it doesn't work. Here is an example of how I tried dsa:



$ ssh-keygen -f testkey -t dsa -N ''
Generating public/private dsa key pair.
Your identification has been saved in testkey.
Your public key has been saved in testkey.pub.
$ ssh-add testkey
Could not add identity "testkey": agent refused operation


All other gpg functions work properly (encrypting/decrypting/signing). Also, the keys I generate work fine if I use them directly with ssh, and they work properly if I run the ssh-agent that came with openssh.



The documentation says that ssh-add should add keys to ~/.gnupg/sshcontrol, but obviously nothing is happening.



My question: What's the easiest way to load a key generated by openssh's ssh-keygen into gpg-agent, and can someone please cut and paste a terminal session showing how this works?










share|improve this question



























    6















    I'm using openssh7.5p1 and gnupg 2.1.21 on arch linux (these are the default versions that come with arch). I would like to use gpg-agent as an ssh agent. I put the following in my ~/.gnupg/gpg-agent.conf:



    pinentry-program /usr/bin/pinentry-qt
    enable-ssh-support


    Arch automatically starts a gpg-agent from systemd, so I set



    export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"


    When I run ssh-add -l, it reports no identities and ps reports a gpg-agent --supervised process as I would expect.



    Unfortunately, when I run ssh-add, no matter what the key type, it doesn't work. Here is an example of how I tried dsa:



    $ ssh-keygen -f testkey -t dsa -N ''
    Generating public/private dsa key pair.
    Your identification has been saved in testkey.
    Your public key has been saved in testkey.pub.
    $ ssh-add testkey
    Could not add identity "testkey": agent refused operation


    All other gpg functions work properly (encrypting/decrypting/signing). Also, the keys I generate work fine if I use them directly with ssh, and they work properly if I run the ssh-agent that came with openssh.



    The documentation says that ssh-add should add keys to ~/.gnupg/sshcontrol, but obviously nothing is happening.



    My question: What's the easiest way to load a key generated by openssh's ssh-keygen into gpg-agent, and can someone please cut and paste a terminal session showing how this works?










    share|improve this question

























      6












      6








      6


      3






      I'm using openssh7.5p1 and gnupg 2.1.21 on arch linux (these are the default versions that come with arch). I would like to use gpg-agent as an ssh agent. I put the following in my ~/.gnupg/gpg-agent.conf:



      pinentry-program /usr/bin/pinentry-qt
      enable-ssh-support


      Arch automatically starts a gpg-agent from systemd, so I set



      export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"


      When I run ssh-add -l, it reports no identities and ps reports a gpg-agent --supervised process as I would expect.



      Unfortunately, when I run ssh-add, no matter what the key type, it doesn't work. Here is an example of how I tried dsa:



      $ ssh-keygen -f testkey -t dsa -N ''
      Generating public/private dsa key pair.
      Your identification has been saved in testkey.
      Your public key has been saved in testkey.pub.
      $ ssh-add testkey
      Could not add identity "testkey": agent refused operation


      All other gpg functions work properly (encrypting/decrypting/signing). Also, the keys I generate work fine if I use them directly with ssh, and they work properly if I run the ssh-agent that came with openssh.



      The documentation says that ssh-add should add keys to ~/.gnupg/sshcontrol, but obviously nothing is happening.



      My question: What's the easiest way to load a key generated by openssh's ssh-keygen into gpg-agent, and can someone please cut and paste a terminal session showing how this works?










      share|improve this question














      I'm using openssh7.5p1 and gnupg 2.1.21 on arch linux (these are the default versions that come with arch). I would like to use gpg-agent as an ssh agent. I put the following in my ~/.gnupg/gpg-agent.conf:



      pinentry-program /usr/bin/pinentry-qt
      enable-ssh-support


      Arch automatically starts a gpg-agent from systemd, so I set



      export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"


      When I run ssh-add -l, it reports no identities and ps reports a gpg-agent --supervised process as I would expect.



      Unfortunately, when I run ssh-add, no matter what the key type, it doesn't work. Here is an example of how I tried dsa:



      $ ssh-keygen -f testkey -t dsa -N ''
      Generating public/private dsa key pair.
      Your identification has been saved in testkey.
      Your public key has been saved in testkey.pub.
      $ ssh-add testkey
      Could not add identity "testkey": agent refused operation


      All other gpg functions work properly (encrypting/decrypting/signing). Also, the keys I generate work fine if I use them directly with ssh, and they work properly if I run the ssh-agent that came with openssh.



      The documentation says that ssh-add should add keys to ~/.gnupg/sshcontrol, but obviously nothing is happening.



      My question: What's the easiest way to load a key generated by openssh's ssh-keygen into gpg-agent, and can someone please cut and paste a terminal session showing how this works?







      openssh ssh-agent gpg-agent






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jun 19 '17 at 3:05









      user3188445user3188445

      2,595827




      2,595827






















          2 Answers
          2






          active

          oldest

          votes


















          8














          The answer was apparently to run:



          echo UPDATESTARTUPTTY | gpg-connect-agent


          I have no idea why the pinentry program worked fine for other uses such as decrypting files, but didn't work for ssh-add.



          While this now works, it also makes a copy of the ssh private key that doesn't show up under gpg -Kv, and furthermore doesn't seem to allow you to change the passphrase on your private key (since you can't edit it with --edit-key). Basically I'm pretty unhappy with the way gpg-agent provides low visibility into where your secrets are being copied. If you hit this question because you hoped gpg-agent might be a better alternative to ssh-agent, then I'd encourage you to stick to ssh-agent instead of trying out my answer. The main reason to prefer gpg-agent is if you need to for smart-card use.






          share|improve this answer































            0














            In my case, the problem was the pinentry program used. I was using pinentry-emacs. It seems it doesn't handle the dual text field entry window prompt that ssh-add triggers when used with gpg-agent.



            Removing pinentry-emacs and installing the GTK pinentry solved the problem here.



            I hope this can help someone! The error message sure didn't give me any clue.






            share|improve this answer























              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "106"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: false,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f371901%2fgpg-agent-refuses-ssh-keys-with-ssh-add-reporting-agent-refused-operation%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              8














              The answer was apparently to run:



              echo UPDATESTARTUPTTY | gpg-connect-agent


              I have no idea why the pinentry program worked fine for other uses such as decrypting files, but didn't work for ssh-add.



              While this now works, it also makes a copy of the ssh private key that doesn't show up under gpg -Kv, and furthermore doesn't seem to allow you to change the passphrase on your private key (since you can't edit it with --edit-key). Basically I'm pretty unhappy with the way gpg-agent provides low visibility into where your secrets are being copied. If you hit this question because you hoped gpg-agent might be a better alternative to ssh-agent, then I'd encourage you to stick to ssh-agent instead of trying out my answer. The main reason to prefer gpg-agent is if you need to for smart-card use.






              share|improve this answer




























                8














                The answer was apparently to run:



                echo UPDATESTARTUPTTY | gpg-connect-agent


                I have no idea why the pinentry program worked fine for other uses such as decrypting files, but didn't work for ssh-add.



                While this now works, it also makes a copy of the ssh private key that doesn't show up under gpg -Kv, and furthermore doesn't seem to allow you to change the passphrase on your private key (since you can't edit it with --edit-key). Basically I'm pretty unhappy with the way gpg-agent provides low visibility into where your secrets are being copied. If you hit this question because you hoped gpg-agent might be a better alternative to ssh-agent, then I'd encourage you to stick to ssh-agent instead of trying out my answer. The main reason to prefer gpg-agent is if you need to for smart-card use.






                share|improve this answer


























                  8












                  8








                  8







                  The answer was apparently to run:



                  echo UPDATESTARTUPTTY | gpg-connect-agent


                  I have no idea why the pinentry program worked fine for other uses such as decrypting files, but didn't work for ssh-add.



                  While this now works, it also makes a copy of the ssh private key that doesn't show up under gpg -Kv, and furthermore doesn't seem to allow you to change the passphrase on your private key (since you can't edit it with --edit-key). Basically I'm pretty unhappy with the way gpg-agent provides low visibility into where your secrets are being copied. If you hit this question because you hoped gpg-agent might be a better alternative to ssh-agent, then I'd encourage you to stick to ssh-agent instead of trying out my answer. The main reason to prefer gpg-agent is if you need to for smart-card use.






                  share|improve this answer













                  The answer was apparently to run:



                  echo UPDATESTARTUPTTY | gpg-connect-agent


                  I have no idea why the pinentry program worked fine for other uses such as decrypting files, but didn't work for ssh-add.



                  While this now works, it also makes a copy of the ssh private key that doesn't show up under gpg -Kv, and furthermore doesn't seem to allow you to change the passphrase on your private key (since you can't edit it with --edit-key). Basically I'm pretty unhappy with the way gpg-agent provides low visibility into where your secrets are being copied. If you hit this question because you hoped gpg-agent might be a better alternative to ssh-agent, then I'd encourage you to stick to ssh-agent instead of trying out my answer. The main reason to prefer gpg-agent is if you need to for smart-card use.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Jun 19 '17 at 4:55









                  user3188445user3188445

                  2,595827




                  2,595827

























                      0














                      In my case, the problem was the pinentry program used. I was using pinentry-emacs. It seems it doesn't handle the dual text field entry window prompt that ssh-add triggers when used with gpg-agent.



                      Removing pinentry-emacs and installing the GTK pinentry solved the problem here.



                      I hope this can help someone! The error message sure didn't give me any clue.






                      share|improve this answer




























                        0














                        In my case, the problem was the pinentry program used. I was using pinentry-emacs. It seems it doesn't handle the dual text field entry window prompt that ssh-add triggers when used with gpg-agent.



                        Removing pinentry-emacs and installing the GTK pinentry solved the problem here.



                        I hope this can help someone! The error message sure didn't give me any clue.






                        share|improve this answer


























                          0












                          0








                          0







                          In my case, the problem was the pinentry program used. I was using pinentry-emacs. It seems it doesn't handle the dual text field entry window prompt that ssh-add triggers when used with gpg-agent.



                          Removing pinentry-emacs and installing the GTK pinentry solved the problem here.



                          I hope this can help someone! The error message sure didn't give me any clue.






                          share|improve this answer













                          In my case, the problem was the pinentry program used. I was using pinentry-emacs. It seems it doesn't handle the dual text field entry window prompt that ssh-add triggers when used with gpg-agent.



                          Removing pinentry-emacs and installing the GTK pinentry solved the problem here.



                          I hope this can help someone! The error message sure didn't give me any clue.







                          share|improve this answer












                          share|improve this answer



                          share|improve this answer










                          answered 36 mins ago









                          user30747user30747

                          1112




                          1112






























                              draft saved

                              draft discarded




















































                              Thanks for contributing an answer to Unix & Linux Stack Exchange!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f371901%2fgpg-agent-refuses-ssh-keys-with-ssh-add-reporting-agent-refused-operation%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              Accessing regular linux commands in Huawei's Dopra Linux

                              Can't connect RFCOMM socket: Host is down

                              Kernel panic - not syncing: Fatal Exception in Interrupt