我正在使用 Arch Linux 和 gpg (GnuPG) 2.2.27。尝试使用 gpg 实现 ssh 支持,我将其与 git ssh 公钥身份验证一起使用。为此,我从 gpg 创建了一个公钥。
当套接字激活发生时以及当我检查 gpg-agent 的 systemctl 状态时。
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 3 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 4 for extra socket (/run/user/1000/gnupg/S.gpg-agent.extra)
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 5 for browser socket (/run/user/1000/gnupg/S.gpg-agent.browser)
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 6 for std socket (/run/user/1000/gnupg/S.gpg-agent)
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: listening on: std=6 extra=4 browser=5 ssh=3
Mar 05 13:19:58 vipin-pc gpg-agent[15053]: scdaemon[15053]: pcsc_establish_context failed: no service (0x8010001d)
Mar 05 13:20:17 vipin-pc gpg-agent[15053]: scdaemon[15053]: pcsc_establish_context failed: no service (0x8010001d)
Mar 05 13:20:18 vipin-pc gpg-agent[15051]: failed to unprotect the secret key: Inappropriate ioctl for device
Mar 05 13:20:18 vipin-pc gpg-agent[15051]: failed to read the secret key
Mar 05 13:20:18 vipin-pc gpg-agent[15051]: ssh sign request failed: Inappropriate ioctl for device <Pinentry>
当我执行 git push 时出现以下错误
sign_and_send_pubkey: signing failed for RSA "(none)" from agent: agent refused operation
remote: Public key authentication failed.
fatal: Could not read from remote repository.
工作案例
我使用的命令解释如下。我能让它工作的唯一方法是使用下面的方法,使用套接字激活或 systemd 则不起作用。
gpg-agent --enable-ssh-support --daemon
上述命令产生如下所示的输出,在下一个命令中执行该输出。
SSH_AUTH_SOCK=/run/user/1000/gnupg/d.9e8e8c1bboxm43ocazxnxq5w/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
此后,如果我尝试执行 git push,我能够得到提示并且它可以正常工作。
我如何能够用上述方法产生与 systemd 相同的错误。步骤说明如下
在同一个命令提示符下,当我执行 git push 时,我取消了提示,我得到了同样的错误,我在 systemd 中得到了同样的错误
sign_and_send_pubkey:代理对 RSA“(无)”进行签名失败:代理拒绝远程操作:公钥认证失败。致命:无法从远程存储库读取。
下面使用 SYSTEMD 解释所有设置和错误
没有得到我所缺少的确切信息。我浏览了博客。并尝试排除故障,但没有得到我所缺少的确切信息
请查看我使用的设置和故障排除方法
我使用 xdg 目录规范来指定文件夹结构。
使用 ~/.config 中的 environment.d 文件夹为我的 systemd 进程加载所有环境变量。
附加下面的环境变量。
#GPG_TTY=$(tty)
GPG_TTY=/dev/pts/0
TERM=linux
#PATH="$(/usr/bin/du -L --exclude=.idea --exclude=archive --exclude=__pycache__ $HOME/.local/bin/vbin| /usr/bin/cut -f2 | /usr/bin/tr '\n' ':')$PATH"
PATH="$HOME/.local/bin/vbin/bspwm:/$HOME/.local/bin/vbin:$PATH"
PATH=$PATH:$HOME/.local/share/npm/bin:$HOME/.local/bin/net.downloadhelper.coapp-1.3.0/bin:$HOME/.local/bin
# default programs:
EDITOR="emsc"
VISUAL="${EDITOR}"
TERMINAL="st"
BROWSER="firefox"
FILE="lf"
STATUSBAR="polybar"
#Other program settings
VCONFIG=${HOME}/.config/vconfig
VBIN=${HOME}/.local/bin/vbin
SUDO_ASKPASS=${VBIN}/dmenupass
ORGPATH=${HOME}/Org
#XDG CONFIG MOVEMENTS
XDG_CONFIG_HOME=${HOME}/.config
XDG_DATA_HOME=${HOME}/.local/share
XDG_CACHE_HOME=${HOME}/.cache
GNUPGHOME=${XDG_DATA_HOME}/gnupg
IPYTHONDIR=${XDG_CONFIG_HOME}/jupyter
JUPYTER_CONFIG_DIR=${XDG_CONFIG_HOME}/jupyter
ZDOTDIR=${XDG_CONFIG_HOME}/.config/zsh
NPM_CONFIG_USERCONFIG=$XDG_CONFIG_HOME/npm/config
LESSKEY=${XDG_CONFIG_HOME}/less/lesskey
GTK2_RC_FILES=${XDG_CONFIG_HOME}/gtk-2.0/gtkrc
_JAVA_OPTIONS=-Djava.util.prefs.userRoot=${XDG_CONFIG_HOME}/java
ANDROID_SDK_HOME=${XDG_CONFIG_HOME}/android
ADB_VENDOR_KEY=${XDG_CONFIG_HOME}/android
WINEPREFIX=${XDG_DATA_HOME}/wineprefixes/default
HISTFILE=${XDG_DATA_HOME}/zsh/history
_Z_DATA=${XDG_DATA_HOME}/.z
GOPATH=${XDG_DATA_HOME}/go
GNUPGHOME=${XDG_DATA_HOME}/gnupg
PASSWORD_STORE_DIR=${XDG_DATA_HOME}/pass
VSCODE_PORTABLE=${XDG_DATA_HOME}/vscode
ANDROID_AVD_HOME=${XDG_DATA_HOME}/android
ANDROID_EMULATOR_HOME=${XDG_DATA_HOME}/android
NUGET_PACKAGES=${XDG_CACHE_HOME}/NuGetPackages
PYLINTHOME=${XDG_CACHE_HOME}/pylint
LESSHISTFILE=${XDG_CACHE_HOME}/less/history
CUDA_CACHE_PATH=${XDG_CACHE_HOME}/nv
SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"
CM_SELECTIONS="clipboard"
CM_DEBUG=0
CM_OUTPUT_CLIP=0
CM_MAX_CLIPS=100
CM_LAUNCHER="rofi"
ANDROID_ADB_SERVER_PORT=8080
LF_ICONS="\
di=:\
fi=:\
ln=:\
or=:\
ex=:\
*.c=:\
*.cc=:\
*.clj=:\
*.coffee=:\
*.cpp=:\
*.css=:\
*.d=:\
*.dart=:\
*.erl=:\
*.exs=:\
*.fs=:\
*.go=:\
*.h=:\
*.hh=:\
*.hpp=:\
*.hs=:\
*.html=:\
*.java=:\
*.jl=:\
*.js=:\
*.json=:\
*.lua=:\
*.md=:\
*.php=:\
*.pl=:\
*.pro=:\
*.py=:\
*.rb=:\
*.rs=:\
*.scala=:\
*.ts=:\
*.vim=:\
*.cmd=:\
*.ps1=:\
*.sh=:\
*.bash=:\
*.zsh=:\
*.fish=:\
*.tar=:\
*.tgz=:\
*.arc=:\
*.arj=:\
*.taz=:\
*.lha=:\
*.lz4=:\
*.lzh=:\
*.lzma=:\
*.tlz=:\
*.txz=:\
*.tzo=:\
*.t7z=:\
*.zip=:\
*.z=:\
*.dz=:\
*.gz=:\
*.lrz=:\
*.lz=:\
*.lzo=:\
*.xz=:\
*.zst=:\
*.tzst=:\
*.bz2=:\
*.bz=:\
*.tbz=:\
*.tbz2=:\
*.tz=:\
*.deb=:\
*.rpm=:\
*.jar=:\
*.war=:\
*.ear=:\
*.sar=:\
*.rar=:\
*.alz=:\
*.ace=:\
*.zoo=:\
*.cpio=:\
*.7z=:\
*.rz=:\
*.cab=:\
*.wim=:\
*.swm=:\
*.dwm=:\
*.esd=:\
*.jpg=:\
*.jpeg=:\
*.mjpg=:\
*.mjpeg=:\
*.gif=:\
*.bmp=:\
*.pbm=:\
*.pgm=:\
*.ppm=:\
*.tga=:\
*.xbm=:\
*.xpm=:\
*.tif=:\
*.tiff=:\
*.png=:\
*.svg=:\
*.svgz=:\
*.mng=:\
*.pcx=:\
*.mov=:\
*.mpg=:\
*.mpeg=:\
*.m2v=:\
*.mkv=:\
*.webm=:\
*.ogm=:\
*.mp4=:\
*.m4v=:\
*.mp4v=:\
*.vob=:\
*.qt=:\
*.nuv=:\
*.wmv=:\
*.asf=:\
*.rm=:\
*.rmvb=:\
*.flc=:\
*.avi=:\
*.fli=:\
*.flv=:\
*.gl=:\
*.dl=:\
*.xcf=:\
*.xwd=:\
*.yuv=:\
*.cgm=:\
*.emf=:\
*.ogv=:\
*.ogx=:\
*.aac=:\
*.au=:\
*.flac=:\
*.m4a=:\
*.mid=:\
*.midi=:\
*.mka=:\
*.mp3=:\
*.mpc=:\
*.ogg=:\
*.ra=:\
*.wav=:\
*.oga=:\
*.opus=:\
*.spx=:\
*.xspf=:\
*.pdf=:\
*.nix=:\
"
在上面的环境设置中,我设置了 GNUPGHOME=${XDG_DATA_HOME}/gnupg
我的 GNUPGHOME 上的许可
total 84K
drwx------ 2 vipin vipin 4.0K Nov 8 18:50 openpgp-revocs.d
drwx------ 2 vipin vipin 4.0K Mar 4 00:22 private-keys-v1.d
-rw------- 1 vipin vipin 105 Mar 5 10:10 gpg-agent.conf
-rw-r--r-- 1 vipin vipin 16K Mar 4 00:23 pubring.kbx
-rw-r--r-- 1 vipin vipin 41 Mar 4 00:41 sshcontrol
-rw-r--r-- 1 vipin vipin 48K Mar 4 00:23 tofu.db
-rw------- 1 vipin vipin 1.3K Nov 8 18:50 trustdb.gpg
/home/vipin/.local/share/gnupg/gpg-agent.conf 文件包含以下信息。
default-cache-ttl 240
enable-ssh-support
pinentry-program /usr/bin/pinentry-gtk-2
pinentry-mode loopback
Pinentry 程序文件和权限
-rwxr-xr-x 1 root root 122 Nov 13 2019 /usr/bin/pinentry
-rwxr-xr-x 1 root root 71K Nov 13 2019 /usr/bin/pinentry-curses
-rwxr-xr-x 1 root root 63K Nov 13 2019 /usr/bin/pinentry-emacs
-rwxr-xr-x 1 root root 79K Nov 13 2019 /usr/bin/pinentry-gnome3
-rwxr-xr-x 1 root root 91K Nov 13 2019 /usr/bin/pinentry-gtk-2
-rwxr-xr-x 1 root root 127K Nov 13 2019 /usr/bin/pinentry-qt
-rwxr-xr-x 1 root root 67K Nov 13 2019 /usr/bin/pinentry-tty
SSH 套接字,已在环境变量中添加。
SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"
/home/vipin/.local/share/systemd/user/ 处的系统服务并使用激活套接字以启动 gpg-agent.service
gpg-agent-browser.socket
gpg-agent.socket
gpg-agent-extra.socket
gpg-agent-ssh.socket
gpg-agent.service
gpg-代理服务
[Unit]
Description=GnuPG cryptographic agent and passphrase cache
Documentation=man:gpg-agent(1)
Requires=gpg-agent.socket
[Service]
ExecStart=/usr/bin/gpg-agent --supervised --enable-ssh-support
ExecReload=/usr/bin/gpgconf --reload gpg-agent
gpg-agent.socket
[Unit]
Description=GnuPG cryptographic agent and passphrase cache
Documentation=man:gpg-agent(1)
[Socket]
ListenStream=%t/gnupg/S.gpg-agent
FileDescriptorName=std
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target
gpg-代理-ssh.socket
[Unit]
Description=GnuPG cryptographic agent (ssh-agent emulation)
Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)
[Socket]
ListenStream=%t/gnupg/S.gpg-agent.ssh
FileDescriptorName=ssh
Service=gpg-agent.service
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target
gpg-代理-额外套接字
[Unit]
Description=GnuPG cryptographic agent and passphrase cache (restricted)
Documentation=man:gpg-agent(1)
[Socket]
ListenStream=%t/gnupg/S.gpg-agent.extra
FileDescriptorName=extra
Service=gpg-agent.service
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target
gpg-代理-浏览器.socket
[Unit]
Description=GnuPG cryptographic agent and passphrase cache (access for web browsers)
Documentation=man:gpg-agent(1)
[Socket]
ListenStream=%t/gnupg/S.gpg-agent.browser
FileDescriptorName=browser
Service=gpg-agent.service
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target
配置上述设置后,我在 gpg 中创建了一个新的子密钥用于身份验证。
然后执行命令并在 /home/vipin/.local/share/gnupg/ 创建 sshcontrol,仅复制 Keygrip 进行身份验证。
gpg --list-keys --with-keygrip
当执行 systemctl --user status gpg-agent 时,我可以看到一些错误触发
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 3 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 4 for extra socket (/run/user/1000/gnupg/S.gpg-agent.extra)
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 5 for browser socket (/run/user/1000/gnupg/S.gpg-agent.browser)
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: using fd 6 for std socket (/run/user/1000/gnupg/S.gpg-agent)
Mar 05 13:19:58 vipin-pc gpg-agent[15051]: listening on: std=6 extra=4 browser=5 ssh=3
Mar 05 13:19:58 vipin-pc gpg-agent[15053]: scdaemon[15053]: pcsc_establish_context failed: no service (0x8010001d)
Mar 05 13:20:17 vipin-pc gpg-agent[15053]: scdaemon[15053]: pcsc_establish_context failed: no service (0x8010001d)
Mar 05 13:20:18 vipin-pc gpg-agent[15051]: failed to unprotect the secret key: Inappropriate ioctl for device
Mar 05 13:20:18 vipin-pc gpg-agent[15051]: failed to read the secret key
Mar 05 13:20:18 vipin-pc gpg-agent[15051]: ssh sign request failed: Inappropriate ioctl for device <Pinentry>
但是当我尝试执行 ssh-add -l 时,我可以看到连接
4096 SHA256:(无)(RSA)/0.0 秒
我也执行了 ps -eaf |grep gpg-agent 我可以看到 gpg-agent 使用套接字激活。
vipin 12147 573 0 12:00 ? 00:00:00 /usr/bin/gpg-agent --supervised --enable-ssh-support
当我尝试使用 gpg --export-ssh-key VipinBalakrishnan 时,我能够看到导出的公钥。
我在 azuredev 应用程序中使用了上述公钥。这样我就可以使用 SSH 密钥进行身份验证。
配置完所有内容后。当我尝试
git push
Getting below error
sign_and_send_pubkey: signing failed for RSA "(none)" from agent: agent refused operation
remote: Public key authentication failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
我浏览了 Arch Wiki 链接https://wiki.archlinux.org/index.php/GnuPG
我查看了故障排除部分。但没有得到任何线索。一些博客说它无法识别 tty。为此我执行了
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye >/dev/null
输出
gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: connection to agent established
但是上述命令创建了不带监督模式的 gpg-agent 的不同进程。它是守护进程。并且套接字会有所不同。当我执行 ps -eaf |grep gpg-agent 时,我可以看到它处于守护进程模式。
vipin 13327 1 0 12:52 ? 00:00:00 gpg-agent --homedir /home/vipin/.local/share/gnupg --use-standard-socket --daemon