cruegge / pam-gnupg

Unlock GnuPG keys on login
GNU General Public License v3.0

Unable to add SSH keys #28

Closed Barbaross93 closed 3 years ago

Barbaross93 commented 3 years ago

I'm trying to set up SSH keys with pam-gnupg and when I try to use ssh-add, I get:

Enter passphrase for xxxx:
Could not add identity "xxxx": agent refused operation

I've followed the steps on the README, so I'm not sure what I'm doing wrong here. Does the export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) need to happen after password entry?

cruegge commented 3 years ago

First of all, this is not really a problem with pam-gnupg, everything concerning ssh is done purely by the agent. But maybe you can try the following:

  1. Probably obvious: check that the socket actually exists.
  2. Stop the agent and, if you start it via systemd, also stop all of the socket units. The directory shown by gpgconf --list-dirs socketdir should be empty. Then you can start the agent in verbose mode by gpg-agent -vv --daemon bash. (The bash part makes it spawn a shell and terminate when it closes, which is the most straight-forward way to stop the agent when done.) If your agent process normally includes additional command line options, try adding them as well except for --supervised, which is specific to systemd socket activation. Then see if the output shows anything unusual when you run ssh-add in another terminal.

Barbaross93 commented 3 years ago

Thanks for the response!

1) Indeed, I have a path when I run echo $SSH_AUTH_SOCK. Maybe this is the incorrect socket you meant?

2) I can't seem to stop the agent. I ran killall gpg-agent, gpgconf --kill gpg-agent, and checked for any systemd sockets (none were enabled) but no matter what, a gpg-agent seems to always be running. I'm unable to run the verbose command you suggested; it fails with the output gpg-agent: a gpg-agent is already running - not starting a new one. I guess I should file an issue with gnupg?

cruegge commented 3 years ago

The agent is auto-started on demand whenever you call gpg. Do you maybe have something running in the background that restarts it? Maybe check the output of pgrep -a gpg-agent. If the PID keeps changing then it's probably getting restarted.

Barbaross93 commented 3 years ago

Well that's bizarre. Running pgrep -a gpg-agent returns 12876 /usr/bin/gpg-agent --supervised, which apparently means that a systemd socket is activated. I ran sudo systemctl stop through each gpg-agent*.socket listed in pacman -Ql | grep socket. Each time, it says the unit isn't loaded. Trying pacman -Ql | grep systemd revealed a gpg-agent.service; That isn't loaded either. I've noticed that after running killall gpg-agent the pgrep command returns nothing. After trying the verbose command you suggested, I get a similar output as before but with a new PID. I guess I need some setting enabled/disabled in gnupg?

cruegge commented 3 years ago

It's a user unit, did you use systemctl --user stop?

Barbaross93 commented 3 years ago

HEADSMACK I did not realize that. That did indeed work! Do I need to run systemctl --user disable gpg.agent.socket? Or just temporarily stop it for now until I add my ssh keys?

cruegge commented 3 years ago

You just need to stop it (and the other socket units) for the test with the verbose command.

Barbaross93 commented 3 years ago

I just meant for overall. I went ahead and added the keys and the ssh-add command works now. I was finally able to add the keygrips to .pam-gnupg. I'm just not sure if I need to permanently disable the socket or just stop it until I have my keys/keygrips added.

cruegge commented 3 years ago

Hmm, that's strange. The command I gave you was only intended for diagnosis, I did not expect ssh-add to suddenly work now. Since we still don't know what the problem was I can't say whether restarting the agent via systemd will work. But in principle, nothing of what I said was supposed to be permanent, so just go ahead and try resetting everything to normal.

Barbaross93 commented 3 years ago

I went ahead and restarted my system and ran gpg-connect-agent 'keyinfo --ssh-list' /bye. My keygrips are still there. It seems like my problem is solved, but now gnupg doesn't get authenticated on login. I didn't disable the service, so now I have no idea what's happening.

EDIT: It seems like I was able to get it working again by removing a section for fprint:

auth        sufficient      pam_unix.so try_first_pass likeauth nullok
auth        sufficient      pam_fprintd.so

I couldn't figure out a way to keep that in with pam_gnupg.so, so I guess I'll have to forgo it. In regards to ssh, I shouldn't need to input my ssh password when it is called, right? Because it seems like that isn't working.

EDIT 2: Nevermind, I had commented out the export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) in my .xprofile for some reason. Looks like everything is working! Since it sounds like the way I added my ssh keys wasn't supposed to happen, I'll wait to see how you want to proceed before closing this.

cruegge commented 3 years ago

Sorry for the late reply. Regarding fprintd: does pam_gnupg work if you leave the pam_fprintd in the config file, but simply do not authenticate with a fingerprint? It should work then, if it doesn't I'll have to look into the reason. If you do authenticate with a fingerprint, though, there's nothing that can be done. If you don't enter a password, there's nothing pam_gnupg could send to the agent.

Barbaross93 commented 3 years ago

Sorry for the delay, got sidetracked reinstalling arch on my laptop. Finally got back to this point. So according to the arch wiki, I have to put the fprint segment at the top of the file (in this case, /etc/pam.d/i3lock). Placing the pam_gnupg.so right above the fprint segment (since your README states that sufficient can terminate pam early), putting in my password first without a fingerprint doesn't work. Obviously, neither does activating with fingerprint as well.

cruegge commented 3 years ago

Ah, I see, you followed the Arch wiki and marked pam_unix as sufficient. The intention is to skip fprintd when the password is given, but the side effect here is that it also skips pam_gnupg.

I have to say that I don't understand this part from the wiki:

Adding pam_fprintd.so as sufficient to any configuration file in /etc/pam.d/ when a fingerprint signature is present will only prompt for fingerprint authentication, preventing the use of a password.

If a sufficient module fails, it should simply be ignored. So, adding fprintd at the top should first ask for a fingerprint and then fall back to password auth, contrary to what the wiki says:

auth sufficient pam_fprintfd.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_gnupg.so

(Also, as an aside, the suggested lines

auth      sufficient      pam_unix.so try_first_pass likeauth nullok
auth      sufficient      pam_fprintd.so

look like they simply ignore failure of both modules. I'm not on an Arch machine right now, so I can't check how the full PAM config looks and whether there are other mechanisms in place, but these two lines alone don't seem to prevent anyone from logging in.)

But maybe I'm mistaken. In that case – or if you simply want the password prompt first – things get a bit more complicated:

auth [success=1 new_authtok_reqd=1 default=ignore] pam_unix.so try_first_pass likeauth nullok
auth [sucess=done new_authtok_reqd=done default=bad] pam_fprintfd.so
auth optional pam_gnupg.so

„Try reading a password. On success, skip one module, otherwise ignore the error and try a fingerprint. If that succeeds, we're done immediately, otherwise return an error“. The parts in square brackets are slight variations of the actual meaning of required and sufficient as given in pam.conf(5).

Note that I did not test any of this. If you want to try it, you should best have a root shell open on some console so you can change it back if it turns out to prevent you from logging in.
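To see which modules actually get to run under each of the two layouts above (and hence whether pam_gnupg ever receives the password), here is a small evaluator of the control-flag semantics from pam.conf(5). It is an added example, not code from pam-gnupg or from this thread; each module's outcome is supplied by hand, and it only models the subset of return values and actions used in the configs above.

```python
"""Toy evaluator for Linux-PAM auth stacks: applies the control-flag rules of
pam.conf(5) to the configs discussed above (added example, not pam-gnupg's code)."""

# Keyword controls written as their bracketed equivalents (pam.conf(5)).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}
RETURN_VALUES = {"success", "new_authtok_reqd", "auth_err", "ignore", "default"}

def parse_control(ctl):
    """'[success=1 default=ignore]' -> {'success': '1', 'default': 'ignore'}."""
    table = {}
    for pair in KEYWORDS.get(ctl, ctl).strip("[]").split():
        ret, action = pair.split("=", 1)
        if ret not in RETURN_VALUES:  # the check behind "pam_parse: expecting return value"
            raise ValueError("expecting return value; " + pair)
        table[ret] = action
    return table

def parse_stack(text):
    """Parse 'auth <control> <module> [args...]' lines into [(control, module)]."""
    stack = []
    for line in filter(None, map(str.strip, text.splitlines())):
        rest = line.split(None, 1)[1]            # drop the 'auth' type column
        if rest.startswith("["):                 # bracketed control contains spaces
            ctl, rest = rest.split("]", 1)
            ctl += "]"
        else:
            ctl, rest = rest.split(None, 1)
        stack.append((parse_control(ctl), rest.split()[0]))
    return stack

def run_auth(stack, outcomes):
    """Walk the stack; outcomes maps module -> the return value it would give.
    Returns (stack result, list of modules that actually ran)."""
    ran, status, failure, i = [], None, None, 0
    while i < len(stack):
        ctl, module = stack[i]
        ran.append(module)
        rc = outcomes.get(module, "auth_err")
        action = ctl.get(rc, ctl.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            failure = failure or rc              # the first failure is what gets returned
        elif failure is None:                    # ok / done / N: a success contributes
            status = rc
        if action in ("die", "done"):
            break
        if action.isdigit():                     # N: jump over the next N modules
            i += int(action)
    return failure or status or "perm_denied", ran

# The two layouts from the discussion (module-name typos from the thread corrected).
WIKI_STYLE = """auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_fprintd.so
auth optional   pam_gnupg.so"""
PASSWORD_FIRST = """auth [success=1 new_authtok_reqd=1 default=ignore] pam_unix.so try_first_pass likeauth nullok
auth [success=done new_authtok_reqd=done default=bad] pam_fprintd.so
auth optional pam_gnupg.so"""
```

With a correct password, WIKI_STYLE stops after pam_unix (pam_gnupg never runs), while PASSWORD_FIRST skips pam_fprintd and still reaches pam_gnupg; a mistyped return-value name such as "sucess" is rejected at parse time, as the journal line later in the thread shows.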

Barbaross93 commented 3 years ago

Wow, thanks for being thorough! I'm interested in the second scenario: If I mess up the password the first time, ask for a fingerprint instead. I gave that last block of yours a try and unfortunately the fingerprint step is skipped if I fail the password entry. Entering the password works and pam-gnupg indeed gets the credentials.

cruegge commented 3 years ago

If you copy-pasted the block from my comment, you may have included the typo pam_fprintfd.so instead of pam_fprintd.so. My muscle memory just insists on typing the additional f there :)

Barbaross93 commented 3 years ago

Oh, whoops! I should be more careful when I copy and paste things from the internet :)

I just tried it now with the correction and unfortunately it's the same behavior.

cruegge commented 3 years ago

Well, that's a pity, because now I'm running out of ideas. Does fingerprint auth work if you comment out the pam_unix line? You might also try adding the debug option to pam_fprintd and check the journal for status messages.

Barbaross93 commented 3 years ago

So commenting out the pam_unix line allows using the fingerprint authentication. When I try to add debug to pam_fprintd, I don't see anything specific for fprint, but this is what I do see when I run journalctl -b | grep pam:

Feb 24 13:30:01 Forester audit[1769]: USER_ACCT pid=1769 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_time acct="barbarossa" exe="/usr/bin/crond" hostname=? addr=? terminal=cron res=success'
Feb 24 13:30:01 Forester audit[1769]: CRED_ACQ pid=1769 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_unix,pam_env acct="barbarossa" exe="/usr/bin/crond" hostname=? addr=? terminal=cron res=success'
Feb 24 13:30:01 Forester crond[1769]: pam_unix(crond:session): session opened for user barbarossa(uid=1000) by (uid=0)
Feb 24 13:30:01 Forester audit[1769]: USER_START pid=1769 uid=0 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_loginuid,pam_limits,pam_unix acct="barbarossa" exe="/usr/bin/crond" hostname=? addr=? terminal=cron res=success'
Feb 24 13:30:01 Forester audit[1769]: CRED_REFR pid=1769 uid=0 auid=1000 ses=1 msg='op=PAM:setcred grantors=pam_unix,pam_env acct="barbarossa" exe="/usr/bin/crond" hostname=? addr=? terminal=cron res=success'
Feb 24 13:30:01 Forester audit[1769]: CRED_DISP pid=1769 uid=0 auid=1000 ses=1 msg='op=PAM:setcred grantors=pam_unix,pam_env acct="barbarossa" exe="/usr/bin/crond" hostname=? addr=? terminal=cron res=success'
Feb 24 13:30:01 Forester audit[1769]: USER_END pid=1769 uid=0 auid=1000 ses=1 msg='op=PAM:session_close grantors=pam_loginuid,pam_limits,pam_unix acct="barbarossa" exe="/usr/bin/crond" hostname=? addr=? terminal=cron res=success'
Feb 24 13:30:01 Forester CROND[1769]: pam_unix(crond:session): session closed for user barbarossa
Feb 24 13:30:03 Forester login[637]: pam_systemd_home(login:account): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Feb 24 13:30:03 Forester audit[637]: USER_ACCT pid=637 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_permit,pam_time acct="barbarossa" exe="/usr/bin/login" hostname=Forester addr=? terminal=/dev/tty1 res=success'
Feb 24 13:30:03 Forester kernel: audit: type=1101 audit(1614191403.584:54): pid=637 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_permit,pam_time acct="barbarossa" exe="/usr/bin/login" hostname=Forester addr=? terminal=/dev/tty1 res=success'
Feb 24 13:30:03 Forester audit[637]: CRED_ACQ pid=637 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_securetty,pam_shells,pam_faillock,pam_permit,pam_env,pam_faillock acct="barbarossa" exe="/usr/bin/login" hostname=Forester addr=? terminal=/dev/tty1 res=success'
Feb 24 13:30:03 Forester login[637]: pam_unix(login:session): session opened for user barbarossa(uid=1000) by LOGIN(uid=0)
Feb 24 13:30:03 Forester kernel: audit: type=1103 audit(1614191403.587:55): pid=637 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_securetty,pam_shells,pam_faillock,pam_permit,pam_env,pam_faillock acct="barbarossa" exe="/usr/bin/login" hostname=Forester addr=? terminal=/dev/tty1 res=success'
Feb 24 13:30:03 Forester systemd[1786]: pam_systemd_home(systemd-user:account): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Feb 24 13:30:03 Forester audit[1786]: USER_ACCT pid=1786 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_permit,pam_time acct="barbarossa" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 24 13:30:03 Forester systemd[1786]: pam_warn(systemd-user:setcred): function=[pam_sm_setcred] flags=0x8002 service=[systemd-user] terminal=[] user=[barbarossa] ruser=[<unknown>] rhost=[<unknown>]
Feb 24 13:30:03 Forester systemd[1786]: pam_unix(systemd-user:session): session opened for user barbarossa(uid=1000) by (uid=0)
Feb 24 13:30:03 Forester systemd[1786]: pam_env(systemd-user:session): deprecated reading of user environment enabled
Feb 24 13:30:03 Forester audit[1786]: USER_START pid=1786 uid=0 auid=1000 ses=3 msg='op=PAM:session_open grantors=pam_loginuid,pam_loginuid,pam_keyinit,pam_limits,pam_unix,pam_permit,pam_mail,pam_systemd,pam_env acct="barbarossa" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 24 13:30:03 Forester kernel: audit: type=1101 audit(1614191403.604:58): pid=1786 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_permit,pam_time acct="barbarossa" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 24 13:30:03 Forester audit[637]: USER_START pid=637 uid=0 auid=1000 ses=2 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_unix,pam_permit,pam_mail,pam_systemd,pam_env acct="barbarossa" exe="/usr/bin/login" hostname=Forester addr=? terminal=/dev/tty1 res=success'
Feb 24 13:30:03 Forester audit[637]: CRED_REFR pid=637 uid=0 auid=1000 ses=2 msg='op=PAM:setcred grantors=pam_securetty,pam_shells,pam_faillock,pam_permit,pam_env,pam_faillock acct="barbarossa" exe="/usr/bin/login" hostname=Forester addr=? terminal=/dev/tty1 res=success'
Feb 24 13:30:03 Forester login[637]: pam_env(login:session): deprecated reading of user environment enabled
Feb 24 13:30:31 Forester audit[4169]: USER_AUTH pid=4169 uid=1000 auid=1000 ses=2 msg='op=PAM:authentication grantors=pam_unix acct="barbarossa" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:30:31 Forester kernel: audit: type=1100 audit(1614191431.077:82): pid=4169 uid=1000 auid=1000 ses=2 msg='op=PAM:authentication grantors=pam_unix acct="barbarossa" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:30:31 Forester dbus-daemon[594]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.39' (uid=0 pid=4169 comm="sudoedit /etc/pam.d/i3lock ")
Feb 24 13:30:31 Forester sudoedit[4169]: pam_systemd_home(sudo:account): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Feb 24 13:30:31 Forester audit[4169]: USER_ACCT pid=4169 uid=1000 auid=1000 ses=2 msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="barbarossa" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:30:31 Forester sudo[4169]: barbarossa : TTY=pts/1 ; PWD=/home/barbarossa ; USER=root ; COMMAND=/usr/bin/nvim -- /etc/pam.d/i3lock
Feb 24 13:30:31 Forester audit[4169]: CRED_REFR pid=4169 uid=0 auid=1000 ses=2 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:30:31 Forester audit[4169]: USER_START pid=4169 uid=0 auid=1000 ses=2 msg='op=PAM:session_open grantors=pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:30:31 Forester sudo[4169]: pam_unix(sudo:session): session opened for user root(uid=0) by barbarossa(uid=0)
Feb 24 13:30:31 Forester kernel: audit: type=1101 audit(1614191431.081:83): pid=4169 uid=1000 auid=1000 ses=2 msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="barbarossa" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:30:31 Forester kernel: audit: type=1110 audit(1614191431.081:84): pid=4169 uid=0 auid=1000 ses=2 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:30:31 Forester kernel: audit: type=1105 audit(1614191431.081:85): pid=4169 uid=0 auid=1000 ses=2 msg='op=PAM:session_open grantors=pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:30:44 Forester sudo[4169]: pam_unix(sudo:session): session closed for user root
Feb 24 13:30:44 Forester kernel: audit: type=1106 audit(1614191444.037:86): pid=4169 uid=0 auid=1000 ses=2 msg='op=PAM:session_close grantors=pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:30:44 Forester kernel: audit: type=1104 audit(1614191444.037:87): pid=4169 uid=0 auid=1000 ses=2 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:30:44 Forester audit[4169]: USER_END pid=4169 uid=0 auid=1000 ses=2 msg='op=PAM:session_close grantors=pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:30:44 Forester audit[4169]: CRED_DISP pid=4169 uid=0 auid=1000 ses=2 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:31:07 Forester i3lock[5424]: PAM pam_parse: expecting return value; [...sucess=done new_authtok_reqd=done default=bad]
Feb 24 13:31:09 Forester i3lock[5424]: pam_unix(i3lock:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=  user=barbarossa
Feb 24 13:31:09 Forester i3lock[5424]: pam_systemd_home(i3lock:auth): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Feb 24 13:33:08 Forester dbus-daemon[594]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.41' (uid=0 pid=7473 comm="sudoedit /etc/pam.d/i3lock ")
Feb 24 13:33:08 Forester sudoedit[7473]: pam_systemd_home(sudo:account): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Feb 24 13:33:08 Forester audit[7473]: USER_ACCT pid=7473 uid=1000 auid=1000 ses=2 msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="barbarossa" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:33:08 Forester sudo[7473]: barbarossa : TTY=pts/1 ; PWD=/home/barbarossa ; USER=root ; COMMAND=/usr/bin/nvim -- /etc/pam.d/i3lock
Feb 24 13:33:08 Forester audit[7473]: CRED_REFR pid=7473 uid=0 auid=1000 ses=2 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:33:08 Forester audit[7473]: USER_START pid=7473 uid=0 auid=1000 ses=2 msg='op=PAM:session_open grantors=pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:33:08 Forester sudo[7473]: pam_unix(sudo:session): session opened for user root(uid=0) by barbarossa(uid=0)
Feb 24 13:33:08 Forester kernel: audit: type=1101 audit(1614191588.231:93): pid=7473 uid=1000 auid=1000 ses=2 msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="barbarossa" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:33:08 Forester kernel: audit: type=1110 audit(1614191588.231:94): pid=7473 uid=0 auid=1000 ses=2 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:33:08 Forester kernel: audit: type=1105 audit(1614191588.231:95): pid=7473 uid=0 auid=1000 ses=2 msg='op=PAM:session_open grantors=pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:33:10 Forester sudo[7473]: pam_unix(sudo:session): session closed for user root
Feb 24 13:33:10 Forester audit[7473]: USER_END pid=7473 uid=0 auid=1000 ses=2 msg='op=PAM:session_close grantors=pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:33:10 Forester audit[7473]: CRED_DISP pid=7473 uid=0 auid=1000 ses=2 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:33:10 Forester kernel: audit: type=1106 audit(1614191590.784:96): pid=7473 uid=0 auid=1000 ses=2 msg='op=PAM:session_close grantors=pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 24 13:33:10 Forester kernel: audit: type=1104 audit(1614191590.784:97): pid=7473 uid=0 auid=1000 ses=2 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
cruegge commented 3 years ago

Feb 24 13:31:07 Forester i3lock[5424]: PAM pam_parse: expecting return value; [...sucess=done new_authtok_reqd=done default=bad]

Well, I made another typo, it should be success, not sucess.

Barbaross93 commented 3 years ago

Looks like it works! Thank you so much!