vodik / envoy

A ssh/gpg-agent wrapper leveraging cgroups and systemd/socket activation
GNU General Public License v3.0

README: NOTICE lacking references #63

Open cpixl opened 8 years ago

cpixl commented 8 years ago

Actually this is a personal request, not really an issue... but as it may be useful for others, I think it's worth opening it instead of sending a private e-mail.

You said that the recent changes in gpg-agent "deprecated" envoyd, but I found nothing in the changelogs explicit enough for me to understand how envoy could be replaced solely by gpg-agent.

Is there any reference or documentation that could give me this direction? Until now envoy has worked really well for me, but I personally prefer fewer dependencies on my system... so I'm really curious about how to achieve this setup.

vodik commented 8 years ago

Oh, yeah, no worries, let's see what I can write up.

blueyed commented 8 years ago

It seems like the following is a good replacement:

~/.profile:

gpg-connect-agent UPDATESTARTUPTTY /bye
export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh

~/.zshrc:

export GPG_TTY=$(tty)
gpg-connect-agent UPDATESTARTUPTTY /bye >/dev/null

cpixl commented 8 years ago

@blueyed it seems it doesn't work if the key is encrypted, even with the same passphrase as the logged-in user. Envoy's PAM module solves this problem, but I still don't see how to do this using only gpg-agent.

EDIT: Okay, I ended up with this (based on this script):

/usr/local/lib/gpg-pam-preset:

#!/usr/bin/env bash

# grab PAM-provided auth token (pam_exec expose_authtok writes it to stdin);
# -r keeps backslashes in the passphrase intact
read -r token

# Execute as PAM_USER or logged user
su - ${PAM_USER:-$(id -un)} <<EOF

# Start agent if needed
if ! pgrep -U "\$USER" -x gpg-agent &> /dev/null; then
  gpg-agent --enable-ssh-support --allow-preset-passphrase --disable-scdaemon --daemon
fi

# Get fingerprints managed by gpg
fingerprints=(\$(gpg-connect-agent "keyinfo --list" /bye | grep KEYINFO | cut -d' ' -f3))

# Preset each fingerprint (these are actually keygrips, which is what
# gpg-preset-passphrase expects). "$token" is unescaped on purpose: the outer
# root shell expands it into the heredoc so the su'd user shell receives it.
for fingerprint in "\${fingerprints[@]}"; do
  /usr/lib/gnupg/gpg-preset-passphrase --preset "\$fingerprint" <<< "$token"
done

EOF

/etc/pam.d/login:

auth optional pam_exec.so expose_authtok /usr/local/bin/gpg-pam-preset

Maybe it's worth putting it in the README (or pointing to this issue) so others can use it too.
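One thing the preset script above does not tell you is whether the preset actually took, so here is an added check (not part of envoy or of the script in this thread) that parses gpg-agent's `KEYINFO` status lines and lists the on-disk, passphrase-protected keys that are still not cached after login. It assumes the field layout gpg-agent 2.1+ prints for `keyinfo --list`, documented in the comments; the keygrips in the embedded sample are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: find keys the PAM preset missed by reading gpg-agent's
# "keyinfo --list" output. Layout of each status line (gpg-agent 2.1+):
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
#   $3 keygrip (what gpg-preset-passphrase wants, not the OpenPGP fingerprint)
#   $4 type: D = on disk, T = on a token, X = unknown
#   $7 cached: 1 = passphrase is in the agent cache, - = not cached
#   $8 protection: P = passphrase protected, C = clear, - = unknown

# Print the keygrips of on-disk, passphrase-protected keys that are NOT cached.
# Reads KEYINFO lines from stdin so it works on live output or on a capture.
uncached_keygrips() {
  awk '$1 == "S" && $2 == "KEYINFO" && $4 == "D" && $8 == "P" && $7 != "1" { print $3 }'
}

# Count how many keys currently have their passphrase cached.
cached_count() {
  awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { n++ } END { print n + 0 }'
}

# Constructed sample (keygrips are placeholders): one cached key, one protected
# key left locked, one token key (not our concern), one unprotected key.
SAMPLE_KEYINFO='S KEYINFO 1111111111111111111111111111111111111111 D - - 1 P - - -
S KEYINFO 2222222222222222222222222222222222222222 D - - - P - - -
S KEYINFO 3333333333333333333333333333333333333333 T 0123 - - - - - -
S KEYINFO 4444444444444444444444444444444444444444 D - - - C - - -
OK'

if [ "${1:-}" = "--live" ]; then
  # Ask the running agent; run this as the user whose keys were preset.
  gpg-connect-agent "keyinfo --list" /bye | uncached_keygrips
else
  printf 'still locked after preset:\n'
  printf '%s\n' "$SAMPLE_KEYINFO" | uncached_keygrips
fi
```

Run it with `--live` after logging in; any keygrip it prints is a key the preset did not unlock (wrong passphrase, key added after the agent started, or a keygrip the script's `keyinfo --list` pass did not see).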

blueyed commented 8 years ago

@dan-santana Thanks for sharing this!

I do not like auto-unlocking on login, but in case you want that, this looks fine.