I’m starting a local gpg-agent on my Mac, with the extra-socket option. Then I connect to a remote site using SSH, forwarding the remote S.gpg-agent socket to the local S.gpg-agent.extra socket. This works:

    ssh -R /remotehome/.gnupg/S.gpg-agent:/localhome/.gnupg/S.gpg-agent.extra remotesystem
When I want to sign something on the remote machine, the pinentry dialog pops up locally and asks for the password, which is the way it should work. However, when I start typing my password, some of the key presses obviously go into pinentry (they are displayed as *) whereas some key presses end up in the shell that runs on the same tty as the

    ┌────────────────────────────────────────────────────────────────┐
    │ Note: Request from a remote site.                              │
    │                                                                │
    │ Please enter the passphrase to unlock the OpenPGP secret key:  │
    │ "My name <my.email@address>"                                   │
    │ 4096-bit RSA key, ID MYKEYIDXXX0000YYY,                        │
    │ created 2015-06-17 (main key ID MYMAINKEYIDXXX0000YYY).        │
    │                                                                │
    │                                                                │
    │ Passphrase: t*i*e_____________________________________________ │
    │                                                                │
    │       <OK>                                            <Cancel> │
    └────────────────────────────────────────────────────────────────┘
Pressing Return has a chance of either sending the mangled password to gpg, or sending whatever key presses didn’t go into pinentry to the shell:

    /bin/ksh: tie: not found
How do I get pinentry to grab all keys from the tty?
The local machine is a Mac running GnuPG 2.1.14 (compiled from pkgsrc). The remote site is either a Linux machine with the same version of GnuPG or an OpenBSD machine with GnuPG version 2.1.15 (no difference). The extra-socket option is the only option enabled in my gpg-agent.conf. The environment variable GPG_TTY is correctly set, and running gpg-connect-agent updatestartuptty /bye locally will move the tty on which pinentry starts up, but with the same problem. gpg-connect-agent updatestartuptty /bye on the remote machine results in

    $ gpg-connect-agent updatestartuptty /bye
    gpg-connect-agent: connection to agent is in restricted mode
    ERR 67109115 Forbidden <GPG Agent>

… which is what I kinda expect should happen.
Changing from the curses interface to the tty interface for pinentry makes no difference. These are the only two pinentry interfaces available to me. I do not run X11.
Update: With the local system running OpenBSD 6.3 (GnuPG 2.2.9) and the remote being some Ubuntu system (GnuPG 2.1.11), it’s even worse with no key presses going into pinentry and everything being read by the shell.
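The forwarding setup described in the question, as an added helper script that is not part of the original post. It looks up the local extra socket with `gpgconf --list-dirs agent-extra-socket` (a real GnuPG 2.1 option; the `~/.gnupg/S.gpg-agent.extra` fallback and the script name `gpg-forward.sh` are assumptions), refuses relative socket paths, and checks that the local extra socket actually exists before printing the `ssh -R` command. Forwarding the *extra* socket rather than the main one is what keeps the remote side in restricted mode, which is the behaviour the `ERR 67109115 Forbidden` output above shows. The script also assumes the remote sshd has `StreamLocalBindUnlink yes` set, so a stale `S.gpg-agent` left from an earlier session is unlinked before the new forward is bound.

```shell
#!/bin/sh
# Added example, not from the original question: compose and sanity-check the
# ssh -R forward for a gpg-agent extra socket.
# Assumptions: gpgconf is available locally (GnuPG 2.1.x); the remote sshd has
# "StreamLocalBindUnlink yes" so a stale remote S.gpg-agent gets replaced.

# Resolve the local extra socket path. Falls back to the classic location
# when gpgconf is not installed (the fallback path is an assumption).
local_extra_socket() {
    gpgconf --list-dirs agent-extra-socket 2>/dev/null ||
        printf '%s/.gnupg/S.gpg-agent.extra\n' "${HOME:-/nonexistent}"
}

# check_local_socket PATH: succeeds only if PATH is a unix-domain socket,
# i.e. gpg-agent is running with extra-socket enabled and created it.
check_local_socket() {
    [ -S "$1" ]
}

# build_forward REMOTE_SOCKET LOCAL_SOCKET HOST
# Prints the ssh command. Relative socket paths are rejected because ssh -R
# would bind them relative to a working directory we do not control.
build_forward() {
    remote_sock="$1"; local_sock="$2"; host="$3"
    for p in "$remote_sock" "$local_sock"; do
        case "$p" in
            /*) ;;
            *) echo "socket path must be absolute: $p" >&2; return 1 ;;
        esac
    done
    # The local end is the *extra* socket: remote clients only ever reach the
    # restricted agent, which is why updatestartuptty is refused remotely.
    printf 'ssh -R %s:%s %s\n' "$remote_sock" "$local_sock" "$host"
}

# Usage (runs only when executed as gpg-forward.sh, not when sourced):
if [ "${0##*/}" = "gpg-forward.sh" ]; then
    sock=$(local_extra_socket)
    check_local_socket "$sock" || {
        echo "no extra socket at $sock; is gpg-agent running with extra-socket?" >&2
        exit 1
    }
    build_forward /remotehome/.gnupg/S.gpg-agent "$sock" remotesystem
fi
```

Run it as `sh gpg-forward.sh` after `gpg-agent` has started; if it reports no extra socket, the agent was started without `extra-socket` in `gpg-agent.conf`, and the remote side would have nothing to reach, regardless of how pinentry behaves.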