#StackBounty: #ssh #tty #gpg #gpg-agent #pinentry Intermingled input when using local gpg-agent from remote site

Bounty: 100

I’m starting a local gpg-agent on my Mac, with the extra-socket option. Then I connect to a remote site using SSH, forwarding the remote S.gpg-agent socket to the local S.gpg-agent.extra socket. This works:

ssh -R /remotehome/.gnupg/S.gpg-agent:/localhome/.gnupg/S.gpg-agent.extra remotesystem

When I want to sign something on the remote machine, the pinentry dialog pops up locally and asks for the password, which is the way it should work. However, when I start typing my password, some of the key presses obviously goes into pinentry (they are displayed as *) whereas some key presses ends up in the shell that runs on the same tty as the pinentry process.

     │ Note: Request from a remote site.                              │
     │                                                                │
     │ Please enter the passphrase to unlock the OpenPGP secret key:  │
     │ "My name  <my.email@address>"                                  │
     │ 4096-bit RSA key, ID MYKEYIDXXX0000YYY,                        │
     │ created 2015-06-17 (main key ID MYMAINKEYIDXXX0000YYY).        │
     │                                                                │
     │                                                                │
     │ Passphrase: t*i*e_____________________________________________ │
     │                                                                │
     │         <OK>                                    <Cancel>       │

Pressing Return has a chance of either sending the mangled password to gpg, or sending whatever key presses that didn’t go into pinentry to the shell:

/bin/ksh: tie: not found

How do I get pinentry to grab all keys from the tty?

The local machine is a Mac running GnuPG 2.1.14 (compiled from pkgsrc). The remote site is either a Linux machine with the same version of GnuPG or an OpenBSD machine with GnuPG version 2.1.15 (no difference). The extra-socket option is the only option enabled in my gpg-agent.conf. The environment variable GPG_TTY is correctly set, and running gpg-connect-agent updatestartuptty /bye locally will move the tty on which pinentry starts up, but with the same problem.

Doing gpg-connect-agent updatestartuptty /bye on the remote machine results in

$ gpg-connect-agent updatestartuptty /bye
gpg-connect-agent: connection to agent is in restricted mode
ERR 67109115 Forbidden <GPG Agent>

… which is what I kinda expect should happen.

Changing from the curses interface to the tty interface for pinentry makes no difference. These are the only two pinentry interfaces available to me. I do not run X11.

Update: With the local system running OpenBSD 6.3 (GnuPG 2.2.9) and the remote being some Ubuntu system (GnuPG 2.1.11), it’s even worse with no key presses going into pinentry and everything being read by the shell.

Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.