Guix Home: SSH won't ask for GPG password

Guix Home: SSH won't ask for GPG password

[Caleb Herbert]

Guix System.

In home-configuration.scm:
(service home-gpg-agent-service-type
		  (home-gpg-agent-configuration
		   (pinentry-program
		    (file-append pinentry-gnome3 "/bin/pinentry"))
		   (ssh-support? #t)))

caleb@bender ~$ ssh csh@tty.sdf.org
csh@tty.sdf.org's password: 

This shouldn't happen. Pinentry should come up and ask me for my GPG password.

gpg-agent.conf looks normal.

caleb@bender ~$ cat /home/caleb/.gnupg/gpg-agent.conf 
pinentry-program /gnu/store/6rlqjdc9ginn4gnkwg8mhqwm015phhrm-pinentry-gnome3-1.2.1/bin/pinentry
default-cache-ttl 600
max-cache-ttl 7200
default-cache-ttl-ssh 1800
max-cache-ttl-ssh 7200
caleb@bender ~$ 

What am I missing?

-- 
Caleb
https://bluehome.net/csh/

Re: Guix Home: SSH won't ask for GPG password

[Maxim Cournoyer]

Hi,

Caleb Herbert <csh@bluehome.net> writes:

> Guix System.
>
> In home-configuration.scm:
> (service home-gpg-agent-service-type
> 		  (home-gpg-agent-configuration
> 		   (pinentry-program
> 		    (file-append pinentry-gnome3 "/bin/pinentry"))
> 		   (ssh-support? #t)))
>
> caleb@bender ~$ ssh csh@tty.sdf.org
> csh@tty.sdf.org's password: 
>
> This shouldn't happen. Pinentry should come up and ask me for my GPG password.
>
> gpg-agent.conf looks normal.
>
> caleb@bender ~$ cat /home/caleb/.gnupg/gpg-agent.conf 
> pinentry-program /gnu/store/6rlqjdc9ginn4gnkwg8mhqwm015phhrm-pinentry-gnome3-1.2.1/bin/pinentry
> default-cache-ttl 600
> max-cache-ttl 7200
> default-cache-ttl-ssh 1800
> max-cache-ttl-ssh 7200

I don't use guix home, but my hand-crafted gpg-agent.conf reads like:

--8<---------------cut here---------------start------------->8---
# PIN entry program
enable-ssh-support
allow-emacs-pinentry

# Remember GPG/SSH passwords for longer.
default-cache-ttl 28800		# cache GPG on access for 8 hours
max-cache-ttl 57600		# keep GPG on cache for a maximum of 16 hours
default-cache-ttl-ssh 28800     # cache SSH on access for 8 hours
max-cache-ttl-ssh 57600		# keep SSH on cache for a maximum of 16 hours
--8<---------------cut here---------------end--------------->8---

Also, it could be caused by the pinentry-gnome3 variant.  I remember
wrestling with a similar problem in the past, only to find out that it
was limited.

I now use the canonical 'pinentry' package, which seems most featureful.

HTH,

-- 
Maxim

Re: Guix Home: SSH won't ask for GPG password

[Caleb Herbert]

Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote ..
> I now use the canonical 'pinentry' package, which seems most featureful.

Changed to plain "pinentry".

(service home-gpg-agent-service-type                         
                  (home-gpg-agent-configuration                       
                   (pinentry-program                                  
                    (file-append pinentry "/bin/pinentry"))           
                   (ssh-support? #t)))


I still get an error when trying to reconfigure. 

Loading /gnu/store/2hwp7i1xn24rlsnwmcc8hpbdynznv4an-shepherd.conf.
herd: error: exception caught while executing 'load' on service 'root':
In procedure fport_write: Input/output error
Comparing /gnu/store/3jphbp9sisp54nshd8dimrnn4lks3p4d-home/profile/share/fonts and
          /gnu/store/vkkl9ymxkcq5a72z42rm4yx573k0wk1f-home/profile/share/fonts... done (same)
Evaluating on-change gexps.

On-change gexps evaluation finished.


-- 
Caleb
https://bluehome.net/csh/
-- 
Caleb
https://bluehome.net/csh/

Re: Guix Home: SSH won't ask for GPG password

[Aleksandr Vityazev]

Hi,

What does the output of the command: ssh-add -L show? Are the keys
represented by the agent?

On 2023-10-05, 09:18 -0700, Caleb Herbert <csh@bluehome.net> wrote:

> Guix System.
>
> In home-configuration.scm:
> (service home-gpg-agent-service-type
> 		  (home-gpg-agent-configuration
> 		   (pinentry-program
> 		    (file-append pinentry-gnome3 "/bin/pinentry"))
> 		   (ssh-support? #t)))
>
> caleb@bender ~$ ssh csh@tty.sdf.org
> csh@tty.sdf.org's password: 
>
> This shouldn't happen. Pinentry should come up and ask me for my GPG password.
>
> gpg-agent.conf looks normal.
>
> caleb@bender ~$ cat /home/caleb/.gnupg/gpg-agent.conf 
> pinentry-program /gnu/store/6rlqjdc9ginn4gnkwg8mhqwm015phhrm-pinentry-gnome3-1.2.1/bin/pinentry
> default-cache-ttl 600
> max-cache-ttl 7200
> default-cache-ttl-ssh 1800
> max-cache-ttl-ssh 7200
> caleb@bender ~$

gpg-agent.conf LGTM, except for the lack of enable-ssh-support.
But sheperd runs gpg with the --enable-ssh-support option.

-- 
Best regards,
Aleksandr Vityazev

Re: Guix Home: SSH won't ask for GPG password

[Caleb Herbert]

Aleksandr Vityazev <avityazew@gmail.com> wrote ..
> What does the output of the command: ssh-add -L show? Are the keys
> represented by the agent?

I don't think this is the right key.

caleb@bender ~$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmB95IidFlN2JUTk0U6CVkmqFRTZikZ+h2oC59f5MM9Q1Q4b5v4jpE/KlTHx0d2XvQglFlicHfMdOF+C73tYZpVtlO5PLsV5Z9uSEsfVG1pMuanrnsKxNZ+m7iVjxiMTpoQBSdZiPlfqPnBYHnbCZLOfRrkYoYWtDlWBLLGfCfor6CbfR2hxjlgRAWh9l9cuK1rp15yNT7p5ppdOJtM+p7YzufPwDfbIFOgItPqV92etH5T/so13vBjELedAkdnG5sr2L47a/L+363Xp18ULG1jlP234SAb6PRY+30AOiFkWq5FWJZZ6QUNJgxRHKrLIg0U5W0FpKs8Xr9v2B2VajLTks+zvSjv5MgLBBw4svKQDdVvBxTkO3kblJT2EGPKMWxEEN+VcrTSlt+tJnCmAhLOnC6UxIUJfts07S9qSdpqHrDS1hjf9wsBEf75RC3v7c/4jRXsCfz5tRpxWRBTRU7hwSU8TO3ANb/oETkPuwVjlHSseEpxkNbPRY4IE81+UM= caleb@toolbox
caleb@bender ~$ 


-- 
Caleb
https://bluehome.net/csh/

Re: Guix Home: SSH won't ask for GPG password

[Maxim Cournoyer]

Hi Caleb,

Caleb Herbert <csh@bluehome.net> writes:

> Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote ..
>> I now use the canonical 'pinentry' package, which seems most featureful.
>
> Changed to plain "pinentry".
>
> (service home-gpg-agent-service-type                         
>                   (home-gpg-agent-configuration                       
>                    (pinentry-program                                  
>                     (file-append pinentry "/bin/pinentry"))           
>                    (ssh-support? #t)))
>
>
> I still get an error when trying to reconfigure. 

What do you mean by "still" ?  It must have worked at some point?  What
changed in your configuration?

> Loading /gnu/store/2hwp7i1xn24rlsnwmcc8hpbdynznv4an-shepherd.conf.
> herd: error: exception caught while executing 'load' on service 'root':
> In procedure fport_write: Input/output error
> Comparing /gnu/store/3jphbp9sisp54nshd8dimrnn4lks3p4d-home/profile/share/fonts and
>           /gnu/store/vkkl9ymxkcq5a72z42rm4yx573k0wk1f-home/profile/share/fonts... done (same)
> Evaluating on-change gexps.
>
> On-change gexps evaluation finished.

Hm.  I'm not sure what that is trying to say, other than there was some
error in the service definition.

-- 
Thanks,
Maxim

Re: Guix Home: SSH won't ask for GPG password

[Caleb Herbert]

Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote ..
> What do you mean by "still" ?  It must have worked at some point?  What
> changed in your configuration?

I don't know when it last worked. I think it stopped working when I added a package.

Here is my full config:

;; This "home-environment" file can be passed to 'guix home reconfigure'
;; to reproduce the content of your profile.  This is "symbolic": it only
;; specifies package names.  To reproduce the exact same profile, you also
;; need to capture the channels being used, as returned by "guix describe".
;; See the "Replicating Guix" section in the manual.

(use-modules (gnu home)
             (gnu packages)
	     (gnu packages gnupg)
             (gnu services)
             (guix gexp)
             (gnu home services shells)
	     (gnu home services gnupg))

(home-environment
  ;; Below is the list of packages that will show up in your
  ;; Home profile, under ~/.guix-home/profile.
 (packages (specifications->packages (list "emacs"
					   "password-store"
					   "pinentry"
					   "gnupg"
					   "evolution"
					   "icecat"
					   "git"
					   "mosh"
					   "wgetpaste"
					   "evolution-data-server"
					   "dino")))

  ;; Below is the list of Home services.  To search for available
  ;; services, run 'guix home search KEYWORD' in a terminal.
  (services
   (list (service home-bash-service-type
                  (home-bash-configuration
                   (aliases '(("grep" . "grep --color=auto") ("ll" . "ls -l")
                              ("ls" . "ls -p --color=auto")))
                   (bashrc (list (local-file ".bashrc" "bashrc")))
                   (bash-profile (list (local-file ".bash_profile"
						   "bash_profile")))))
	 (service home-gpg-agent-service-type
		  (home-gpg-agent-configuration
		   (pinentry-program
		    (file-append pinentry "/bin/pinentry"))
		   (ssh-support? #t))))))


caleb@bender ~$ guix describe
Generation 1	Oct 04 2023 20:25:40	(current)
  guix 20df2ee
    repository URL: https://git.savannah.gnu.org/git/guix.git
    branch: master
    commit: 20df2ee697bb5057a476a926a363d71cc8944c84
caleb@bender ~$ 

-- 
Caleb
https://bluehome.net/csh/