
I'm having a problem using the gpg-agent over ssh via a single command line.

Here is my configuration:

Server A: triggering the command via ssh.

ssh user@serverB "sudo -E /path/to/script.sh"

Server B: executing the script requiring a passphrase signature.

System info: Ubuntu 12.04

I've set up the gpg-agent on server B, and I've added this configuration to /home/user/.bashrc:

# Invoke GnuPG-Agent the first time we login.
# Does `~/.gpg-agent-info' exist and point to a gpg-agent process accepting signals?
if test -f "$HOME/.gpg-agent-info" && \
    kill -0 `cut -d: -f 2 "$HOME/.gpg-agent-info"` 2>/dev/null; then
    # Yes: strip the leading "GPG_AGENT_INFO=" (15 characters) from the file's line
    GPG_AGENT_INFO=`cat "$HOME/.gpg-agent-info" | cut -c 16-`
else
    # No, gpg-agent not available; start gpg-agent
    eval `gpg-agent --daemon --write-env-file "$HOME/.gpg-agent-info"`
fi
export GPG_TTY=`tty`
export GPG_AGENT_INFO

Here is the configuration of the agent in /home/user/.gnupg/gpg-agent.conf:

enable-ssh-support
#1 year cache support
default-cache-ttl 31536000
default-cache-ttl-ssh 31536000
max-cache-ttl 31536000
max-cache-ttl-ssh 31536000
#debug-all

So in order to make this work, I connect to serverB via ssh:

ssh user@serverB

The gpg-agent is started, and I trigger the script manually:

sudo -E /path/to/script.sh

Then the gpg-agent prompts me for a passphrase; once I've set up the passphrase, I can run the script again and it does its task without asking for a passphrase.

My problem is that when I try to trigger it distantly, e.g. via:

ssh user@serverB "sudo -E /path/to/script.sh"

It seems that the gpg-agent is not working, because the script keeps asking me for a passphrase.

Edit:

I've added the following content to /etc/sudoers.d/user in order to trigger the script distantly without the sudo password and to keep the environment variables:

user ALL=(ALL)NOPASSWD:SETENV:/path/to/script.sh

Any ideas?

Tony
  • Forgive the question, but are you sure it's asking for a passphrase? With what you've shown above, I'd expect it to be asking for a **password**, to authenticate the `sudo` command. – MadHatter Dec 24 '13 at 11:53
  • I've managed the sudoers file with a NOPASSWD for the user/command I try to run distantly. I may need to specify this too. It is asking me for a passphrase. – Tony Dec 24 '13 at 12:02
  • OK, that makes sense; thanks for clarifying, I just wanted to make sure we weren't getting bitten by the obvious! – MadHatter Dec 24 '13 at 12:18
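An added diagnostic (not code from the question or the answer) that can be copied to serverB and run both interactively and through the one-liner, e.g. `ssh user@serverB "sudo -E /path/to/check.sh"` (the check script path is a hypothetical name), to show which precondition of the agent setup is absent in the remote, non-interactive context: the exported variable, the info file, the agent process, its socket, or a tty. It assumes the GnuPG 2.0-style ~/.gpg-agent-info file written by the .bashrc snippet above, i.e. one line of the form `GPG_AGENT_INFO=<socket path>:<pid>:<protocol version>`.

```shell
#!/bin/sh
# Added diagnostic for the gpg-agent-over-ssh question; not the question's or answer's code.
# Assumed input: the GnuPG 2.0-era info file the .bashrc snippet writes, e.g.
#   GPG_AGENT_INFO=/tmp/gpg-abc123/S.gpg-agent:12345:1
# (socket path, agent pid and protocol version separated by ':').

# Socket path recorded in an agent-info file; fails if the file is unreadable.
agent_info_socket() {
    [ -r "$1" ] || return 1
    # Strip the variable name up to '=' instead of relying on a fixed `cut -c 16-`.
    sed -n 's/^GPG_AGENT_INFO=//p' "$1" | cut -d: -f1
}

# Agent pid recorded in an agent-info file; fails if the file is unreadable.
agent_info_pid() {
    [ -r "$1" ] || return 1
    sed -n 's/^GPG_AGENT_INFO=//p' "$1" | cut -d: -f2
}

# Succeeds only if the recorded pid is still running (same `kill -0` test as the .bashrc).
agent_info_alive() {
    pid=$(agent_info_pid "$1") || return 1
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Print one "ok"/"missing" line per precondition, as seen from *this* process,
# and return the number of failed checks. Comparing the output of an interactive
# run with the output of the ssh one-liner shows what the remote context lacks.
agent_context_report() {
    info_file=${1:-$HOME/.gpg-agent-info}
    failed=0

    if [ -n "$GPG_AGENT_INFO" ]; then
        echo "ok      GPG_AGENT_INFO is set ($GPG_AGENT_INFO)"
    else
        echo "missing GPG_AGENT_INFO not in environment (.bashrc not applied, or sudo reset it)"
        failed=$((failed + 1))
    fi

    if [ -r "$info_file" ]; then
        echo "ok      agent-info file $info_file is readable"
    else
        echo "missing agent-info file $info_file (HOME may differ under sudo)"
        failed=$((failed + 1))
    fi

    if agent_info_alive "$info_file"; then
        echo "ok      agent pid $(agent_info_pid "$info_file") is alive"
    else
        echo "missing agent process recorded in $info_file is not running"
        failed=$((failed + 1))
    fi

    sock=$(agent_info_socket "$info_file" 2>/dev/null)
    if [ -n "$sock" ] && [ -S "$sock" ]; then
        echo "ok      agent socket $sock is present"
    else
        echo "missing agent socket ${sock:-(unknown)} is not present"
        failed=$((failed + 1))
    fi

    # The .bashrc sets GPG_TTY=`tty`; with no controlling terminal that yields "not a tty".
    if [ -t 0 ]; then
        echo "ok      controlling tty $(tty 2>/dev/null) (GPG_TTY can be set)"
    else
        echo 'missing no tty: pinentry cannot prompt here and `tty` prints "not a tty"'
        failed=$((failed + 1))
    fi

    return "$failed"
}

# Stand-alone run: report on the current process and show the failure count.
agent_context_report "$HOME/.gpg-agent-info" && rc=0 || rc=$?
echo "failed checks: $rc"
```

Run it twice, once after an interactive `ssh user@serverB` login and once via the `ssh user@serverB "sudo -E ..."` one-liner; the lines that turn from "ok" to "missing" between the two runs are the preconditions the remote invocation does not inherit, which is why the script cannot reach the cached passphrase there.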

1 Answer


When you log in with `ssh user@serverB` and then manually execute the script, it will prompt you for the passphrase the first time; after that, when you execute the script, ssh-agent will provide the stored passphrase.

However, when you run `ssh user@serverB "sudo -E /path/to/script.sh"` you are doing a new login each time, and I don't think ssh-agent would support saving the passphrase over separate SSH logins.

Keychain appears to do what you require: http://www.funtoo.org/Keychain

With keychain, you only need to enter a passphrase once every time your local machine is rebooted. Keychain also makes it easy for remote cron jobs to securely "hook in" to a long running ssh-agent process, allowing your scripts to take advantage of key-based logins.

The current version of keychain supports gpg-agent as well as ssh-agent.

v25
  • As far as `ssh` chains go, you are wrong. I do this many times a day; `ssh` from host A to host B, then onto C, and then to D, with the ssh-agent at the head performing key operations the whole time. – MadHatter Dec 24 '13 at 12:21
  • My understanding is that he isn't trying to connect from A to B using the agent. Server B is set up as the ssh-agent client (for all intents and purposes) and when he executes `sudo -E /path/to/script.sh` on server B, something in here is requiring the passphrase. EDIT: Although, with your comment in mind, it may make more sense for him to configure A as the agent client, and use ssh-agent forwarding which in turn would allow him to execute the script on server B without it prompting for a passphrase. – v25 Dec 24 '13 at 12:28
  • Ok, I'll try to set up the gpg-agent on server A. Do you have some information about ssh-agent forwarding? I've seen this post so far: http://superuser.com/questions/161973/how-can-i-forward-a-gpg-key-via-ssh-agent – Tony Dec 24 '13 at 13:03
  • This is well documented, here's a guide: http://livecipher.blogspot.co.uk/2013/02/ssh-agent-forwarding.html – v25 Dec 24 '13 at 13:31
  • v25, my apologies, looks like you were right. Tony, it'll never work if you run the agent on B, because the connection isn't persistent. – MadHatter Dec 24 '13 at 13:44
  • Thanks for the update guys! I'll try this and I'll keep you informed! – Tony Dec 24 '13 at 14:39
  • Little update guys, I've been playing with Keychain + gpg-agent. I'm currently able to cache a passphrase with the agent and to use it locally when I need to apply my command which requires the passphrase. But it is still not working via ssh + sudo -E. – Tony Apr 24 '14 at 08:32