How to force GPG to use console-mode pinentry to prompt for passwords?

Using gpg from a console-based environment such as an ssh session fails because the GTK pinentry dialog cannot be shown in an SSH session.

I tried unset DISPLAY but it did not help. The GPG command line options do not include a switch for forcing the pinentry to console-mode.

Older GPG versions offered a text-based prompt that worked fine in SSH sessions but after the upgrade it just fails.

There is the --textmode command line switch but apparently, it does something else.

What would be the proper and clean way of getting plain-text pin entry for remote sessions?

ccpizza

Posted 2012-12-18T12:21:14.750

Reputation: 5 372

DISPLAY="" gpg2 ... helped me, I also installed pinentry-curses + pinentry-tty beforehand, not sure if they are strictly necessary – ThorSummoner – 2018-05-10T21:45:50.940

Answers

To change the pinentry permanently, append the following to your ~/.gnupg/gpg-agent.conf:

pinentry-program /usr/bin/pinentry-tty

(In older versions which lack pinentry-tty, use pinentry-curses for a 'full-terminal' dialog window.)

Tell the GPG agent to reload configuration:

gpg-connect-agent reloadagent /bye

user1686

Posted 2012-12-18T12:21:14.750

Reputation: 283 655
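The answer's two steps as a script, added here and not the answer's own code. It also enforces the absolute-path rule and exports GPG_TTY, both of which come up in the comments. The helper names are mine; it assumes POSIX sh and, for reload_agent only, an installed gpg-connect-agent.

```shell
#!/bin/sh
# Added example, not the answer's own code: apply the answer's steps from a
# script. Also enforces the absolute-path rule and exports GPG_TTY, both
# raised in the comments. Helper names are my own. Assumes POSIX sh and,
# for reload_agent only, an installed gpg-connect-agent.

# set_pinentry_program CONF PROG: write "pinentry-program PROG" into CONF,
# replacing any earlier pinentry-program line so repeated runs stay clean.
# gpg-agent does not search PATH, so PROG has to be an absolute path.
set_pinentry_program() {
    conf=$1
    prog=$2
    case $prog in
        /*) ;;
        *) echo "pinentry-program needs an absolute path, got: $prog" >&2
           return 1 ;;
    esac
    if [ ! -x "$prog" ]; then
        echo "not an executable: $prog" >&2
        return 1
    fi
    mkdir -p "$(dirname "$conf")"
    chmod 700 "$(dirname "$conf")"   # gpg complains about a readable homedir
    tmp="$conf.tmp.$$"
    {
        # keep everything except old pinentry-program lines, then add ours
        [ -f "$conf" ] && grep -v '^pinentry-program ' "$conf" || true
        echo "pinentry-program $prog"
    } > "$tmp"
    mv "$tmp" "$conf"
}

# get_pinentry_program CONF: print the pinentry-program currently configured.
get_pinentry_program() {
    sed -n 's/^pinentry-program //p' "$1" | tail -n 1
}

# reload_agent: point a running gpg-agent at this terminal and make it
# re-read gpg-agent.conf (the reloadagent step from the answer).
reload_agent() {
    GPG_TTY=$(tty) && export GPG_TTY
    gpg-connect-agent updatestartuptty /bye
    gpg-connect-agent reloadagent /bye
}

# Usage on a real system (not run here):
#   set_pinentry_program "$HOME/.gnupg/gpg-agent.conf" /usr/bin/pinentry-tty && reload_agent
```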

For anyone trying this via SSH where you've su/sudoed to the user: that doesn't seem to work at all. If you SSH to the computer as the user though (e.g. ssh the_user@my.host.com instead of su - the_user) the correct pinentry program shows up without trouble. Hope that helps. – lfxgroove – 2015-02-09T16:52:20.777

Kubuntu 14.04 here. I had to first install pinentry-curses (it is a separate package apparently), then set DISPLAY='' before this would work. – Asfand Qazi – 2015-08-19T09:25:50.287

@lfxgroove: the problem is that su does not change the ownership of your TTY, so you need to manually chown it. See this article. – Rufflewind – 2015-10-09T16:22:17.450

What to do if there is no ~/.gnupg/gpg-agent.conf? – Starx – 2016-12-08T09:43:24.473

@Starx: You create one. – user1686 – 2016-12-08T10:39:14.510

@grawity, haha thanks. I tried that already. And I noticed that it does ask a passphrase in a CLI application but not the TTY itself. Is there a way to set pinentry-program to use TTY? – Starx – 2016-12-08T10:48:57.863

Use the (recent) pinentry-tty. – user1686 – 2016-12-08T10:55:57.957

Another tip: to view all the available options, type ls /usr/bin | grep pinentry. I see pinentry, pinentry-curses, pinentry-emacs, pinentry-gnome3, pinentry-gtk2, pinentry-qt and pinentry-tty. This way you can choose the one that suits you better, if you don't have the lack of $DISPLAY issue. – Jeffrey Lebowski – 2017-01-10T12:56:14.290

For those of you who might be getting errors, make sure to use the absolute path to the pinentry program (i.e., include /usr/bin). It won't work otherwise. – Avindra Goolcharan – 2017-06-24T19:11:25.150

In Ubuntu 16.04, pinentry-tty was available as a package ready to be installed. – Craig Hicks – 2018-05-01T11:48:01.710

Having done this, I was still getting an error: gpg: signing failed: Invalid IPC response. Appending pinentry-mode loopback to the gpg-agent.conf file fixed it. – irbanana – 2018-07-13T13:16:50.700

I had to add export GPG_TTY=$(tty) to my ~/.bashrc to get this to work – user304497 – 2019-09-19T15:47:17.033

Has anyone managed to get this working on Amazon Linux AMI 2018.03 release? pinentry-tty is not available and adding pinentry-curses to gpg-agent.conf has no effect. – Edward – 2019-12-16T01:50:23.440

It's not completely "sane". Normally, gpg-agent should itself detect the presence or lack of $DISPLAY and choose the appropriate pinentry... – user1686 – 2012-12-19T15:00:26.663

The agent is most likely capable of detecting the presence of a running xorg. But having a DISPLAY defined does not necessarily mean I can or want to use it, for example, when connected over SSH. – ccpizza – 2012-12-19T17:34:05.863

You are right - I had X11 forwarding enabled. Never thought of the implications, though. Thanks again. – ccpizza – 2012-12-19T21:06:21.560

I just had this problem on Ubuntu 16.04.3 when trying to generate/install a private key using gpg2 (2.1.11) on a system account without a password, and on a user account over ssh. Nothing worked, giving:

gpg: key FE17AE6D/FE17AE6D: error sending to agent: Permission denied
gpg: error building skey array: Permission denied

I then found this which worked for me, so in brief:

pico ~/.gnupg/gpg-agent.conf
# add: allow-loopback-pinentry
gpg-connect-agent reloadagent /bye
gpg2 --pinentry-mode loopback --import private.key

racitup

On a debian box:

sudo apt install pinentry-tty
sudo update-alternatives --config pinentry

(and set it to pinentry-tty)

John Lawrence Aspden

On Ubuntu 18.04, with the default installation of gpg 2.2.4, I have

/usr/bin/pinentry
/usr/bin/pinentry-gnome3
/usr/bin/pinentry-gtk-2
/usr/bin/pinentry-x11

I was able to do the following to have a text-based PIN entry:

export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye >/dev/null

Roc White

I'll copy my answer from over here...

Looking at man pinentry-gnome3, I see this:

   pinentry-gnome3  implements  a PIN entry dialog based on GNOME 3, which
   aims to follow the GNOME Human Interface Guidelines as closely as  pos‐
   sible.   If the X Window System is not active then an alternative text-
   mode dialog will be used.  There are other flavors that  implement  PIN
   entry dialogs using other tool kits.

Unfortunately, this text-mode fallback doesn't work for me. It seems others have the same issue. However, this comment spurred me to try a different GUI pin-entry program: pinentry-gtk2. You can switch like this:

> sudo update-alternatives --config pinentry
There are 3 choices for the alternative pinentry (providing /usr/bin/pinentry).

  Selection    Path                      Priority   Status
------------------------------------------------------------
* 0            /usr/bin/pinentry-gnome3   90        auto mode
  1            /usr/bin/pinentry-curses   50        manual mode
  2            /usr/bin/pinentry-gnome3   90        manual mode
  3            /usr/bin/pinentry-gtk-2    85        manual mode

Press <enter> to keep the current choice[*], or type selection number: 3
update-alternatives: using /usr/bin/pinentry-gtk-2 to provide /usr/bin/pinentry (pinentry) in manual mode

Once I switched, it worked perfectly for me! In a terminal on the desktop, it will use the GUI password entry, but when I ssh into my machine, it will use a text-mode password entry.

mblythe

If you don't have it, install pinentry-curses with yum or apt-get.

Then, run:

sudo update-alternatives --config pinentry

And select pinentry-curses from the list.

Aiden Woodruff

To prevent the pinentry popup you could ssh localhost, optionally with X11 disabled: -x disables X11 forwarding. See the full example below.

patrick@patrick-C504:~$ ssh localhost
patrick@localhost's password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-68-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Mon Nov 16 22:48:53 2015 from localhost
patrick@patrick-C504:~$ gpg --gen-key
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Foo
Name must be at least 5 characters long
Real name: FooBar
Email address: foorbar@foo.bar
Comment: 
You selected this USER-ID:
    "FooBar <foorbar@foo.bar>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

gpg: gpg-agent is not available in this session
Enter passphrase:

PvdL

Which X11 features specifically should be disabled? I personally know the answer to my question, the author does not, so the answer seems incomplete without this information. – Ramhound – 2015-11-17T12:26:09.747

ssh'ing to localhost was enough for me, but optionally -x (which disables X11 forwarding) should prevent any X11 forwarding. Answer is updated. – PvdL – 2015-11-18T09:45:39.037

I prefer this solution, given that pinentry over -X doesn't show up – I'm normally physically at my laptop, where I want X pinentry (so I don't want to edit a conf file all the time), but if I happen to ssh -X into it I might still want a curses pinentry. Of course, ideally, the gtk pinentry would actually work over ssh -X :-/ – unhammer – 2016-06-05T13:29:39.333

I found the "full example" in PvdL's answer a bit confusing; here's what I do:

ssh -X machine
# work hack hack work until I need something from gpg
ssh -x localhost -p$port
gpg2 --decrypt file.gpg
# enter password to pinentry
exit
# now the key is unlocked in gpg-agent, and I can keep decrypting files
# from my X ssh session without being asked for the password

unhammer

If you do export GPG_TTY=$(tty) and unset DISPLAY it will give a TLI dialog box asking for the passphrase. Typing in the correct passphrase makes it decrypt.

If you do NOT do the above export of GPG_TTY and unset of DISPLAY it expects to use X Windows. If you launched your session (such as PuTTY) from an MS-Windows system with X11 forwarding turned on it wants to send the X-Window dialog to your MS Windows system. You can use an X emulator such as Exceed or Cygwin/X on Windows to allow the X-Window prompt for passphrase to appear on your MS-Windows box.

However, you can eliminate the need to set GPG_TTY and unset DISPLAY and getting either the TLI or GUI by running the command line with --batch option and putting the passphrase in with the --passphrase option:

gpg --batch --passphrase "<passphrase>" -o "<decrypted output file name>" --decrypt "<encrypted input file name>"

All 3 methods worked for me today on RHEL6 running gnupg2.

MensaWater

According to Roc White's answer, export GPG_TTY=$(tty) is sufficient. Have you tried that? Do you have a reference that says that unset DISPLAY is also necessary? P.S. People don't like to put passphrases on the command line. – Scott – 2019-05-30T19:24:01.107
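An added example, not part of the answer or comment above: the answer's --passphrase "<passphrase>" form leaves the secret in the process's argument list, where any local user can read it from ps. This check scans a process listing for that pattern; the sample lines are constructed and the helper names are mine.

```shell
#!/bin/sh
# Added example, not from the answer above: gpg --passphrase <value> puts the
# passphrase in argv, which ps exposes to every local user. Scanning process
# listings for it is a quick audit check. Assumes POSIX sh and awk.

# Constructed sample of `ps -eo pid,args` output (fake data for this example).
SAMPLE_PS='  101 gpg --batch --passphrase hunter2 -o out.txt --decrypt in.gpg
  102 gpg2 --batch --pinentry-mode loopback --passphrase-fd 0 --decrypt in.gpg
  103 gpg --passphrase-file /run/user/1000/pp --decrypt in.gpg
  104 gpg --batch --passphrase=hunter2 --decrypt in.gpg
  105 /usr/bin/pinentry-tty'

# find_cmdline_passphrases: read ps lines on stdin, print the PID of every
# process whose argv carries a literal passphrase. --passphrase-fd and
# --passphrase-file are deliberately not flagged: they pass a descriptor or a
# path, not the secret itself, so they do not show it in the listing.
find_cmdline_passphrases() {
    awk '{
        for (i = 2; i <= NF; i++) {
            if ($i == "--passphrase" || $i ~ /^--passphrase=/) { print $1; break }
        }
    }'
}

# audit_sample: run the check over the constructed sample. On a real system
# pipe `ps -eo pid,args` into find_cmdline_passphrases instead.
audit_sample() {
    printf '%s\n' "$SAMPLE_PS" | find_cmdline_passphrases
}
```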