1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
|
gpg-agent system integration
============================
Since 2.1.x, gpg and most related processes will auto-launch gpg-agent
if needed. These auto-launched processes will inherit whatever
environment they started from, and they will not terminate
automatically.
systemd
=======
Since 2.1.17, users on machines with systemd will have their gpg-agent
process launched automatically by systemd's user session, upon first
access of any of the expected gpg-agent sockets (including the ssh
socket). systemd will also cleanly tear this process down at session
logout.
If dbus-user-session and pinentry-gnome3 packages are installed, then
all user interaction with this systemd-managed gpg-agent process
(e.g. prompting for passwords or confirmations, etc) will take place
over the d-bus session, for better integration with graphical
environments like GNOME.
Users who don't want systemd to manage their gpg-agent in this way for
all future sessions should do:
systemctl --user mask --now gpg-agent.service gpg-agent.socket gpg-agent-ssh.socket gpg-agent-extra.socket gpg-agent-browser.socket
Doing this means that gpg-agent will fall back to its manual mode of
operation. (This decision can be reversed by the user with "unmask"
instead of "mask")
See systemctl(1) for more details about managing the gpg-agent*.socket
units.
ssh-agent emulation
===================
gpg-agent offers an ssh-agent emulation which can be achieved by
setting the environment variable SSH_AUTH_SOCK to:
/run/user/$(id -u)/gnupg/S.gpg-agent.ssh
(replace $(id -u) with the user's numeric user ID, of course).
But ssh doesn't have a way to tell ssh-agent how to prompt the user
when necessary; the systemd-managed gpg-agent process will only know
how to prompt the user if you have dbus-user-session and
pinentry-gnome3 installed. This is the recommended configuration for
gpg-agent's ssh-agent emulation on desktop machines running systemd,
and doesn't need any additional configuration.
However, if dbus-user-session and pinentry-gnome3 are not in use, by
default the systemd-managed gpg-agent will not know how to get
feedback from the user when a request is first received by ssh. You
can give it a hint for all future ssh connections by running:
gpg-connect-agent updatestartuptty /bye
You may wish to do this in the login scripts for your user session if
you run systemd without dbus-user-session and pinentry-gnome3, and you
plan to use gpg-agent's ssh-agent emulation.
Manual gpg-agent startup and teardown
=====================================
Any user who wants to launch gpg-agent manually (e.g., to talk to it
with a tool from outside the GnuPG suite) and is *not* using systemd
should first ensure that it is launched with:
gpgconf --launch gpg-agent
If gpg-agent is launched manually or automatically (but not supervised
by systemd), you probably want to ensure that it terminates when your
session ends with:
gpgconf --kill gpg-agent
If you're not using systemd, you may wish to add this to your session
logout scripts.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Mon, 23 Jan 2017 22:56:08 -0500
|
