598 private links
Passwordstore is a great password manager, and I rely on it also in my Ansible playbooks, where it works by causing the gpg-agent to prompt me for the passphrase of my gpg key.
This prompt is a GUI prompt, which is very suitable when sitting at the computer in question. But a small annoyance is that it does not work at all when working on a remote computer via ssh (the prompt shows up on the remote computer's desktop, and the Ansible playbook in the terminal just freezes until it eventually fails).
It would be so much nicer if those ssh terminal sessions would instead get the gpg-agent prompt in the terminal. So far I have not found a method that achieves this without also sacrificing the GUI desktop prompt for non-remote work.
Desktop and laptop running Ubuntu 22.04 with i3wm desktop.
The relevant parts of my config can be seen in https://codeberg.org/ansible/dotfiles.
I considered the following related Q:s&A:s but did not achieve the desired outcome.
- https://unix.stackexchange.com/questions/554153/what-is-the-proper-configuration-for-gpg-ssh-and-gpg-agent-to-use-gpg-auth-sub
- https://stackoverflow.com/questions/17769831/how-to-make-gpg-prompt-for-passphrase-on-cli
- https://superuser.com/questions/1189602/how-to-configure-gpg2-to-ask-for-passphrase-on-the-console-instead-of-in-a-popup
- https://unix.stackexchange.com/questions/217737/pinentry-fails-with-gpg-agent-and-ssh
Some more tests
In the SSH session (no effect, unfortunately):
gpg-connect-agent updatestartuptty /bye
Learned that the gpg-agent is running in --supervised
mode, and its ENV variables include DISPLAY=:0
:
solarchemist@desktop:~
$ sudo cat /proc/2652288/environ
HOME=/home/solarchemist LANG=en_US.UTF-8 LC_TIME=sv_SE.UTF-8 LOGNAME=solarchemist
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/snap/bin
SHELL=/bin/bash SYSTEMD_EXEC_PID=2652288 USER=solarchemist
XDG_DATA_DIRS=/home/solarchemist/.local/share/flatpak/exports/share:/var/lib/flatpak/exports/share:/usr/local/share/:/usr/share/:/var/lib/snapd/desktop
XDG_RUNTIME_DIR=/run/user/1000 QT_ACCESSIBILITY=1
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus DISPLAY=:0 XAUTHORITY=/home/solarchemist/.Xauthority
MANAGERPID=1532 LISTEN_PID=2652288 LISTEN_FDS=4
LISTEN_FDNAMES=browser:extra:std:ssh INVOCATION_ID=<stuff> JOURNAL_STREAM=<stuff>
(the PID of the gpg-agent process is easily identified with ps aux | grep [g]pg
).
Manual work-around
Manual work-around is to set pinentry-program /usr/bin/pinentry-tty
in ~/.gnupg/gpg-agent.conf
and reload the agent gpg-connect-agent reloadagent /bye
.
To revert to the default (GUI) pinentry behaviour, just remove the line and reload the agent again.