How to force GPG to use console-mode pinentry to prompt for passwords?
Using gpg from a console-based environment such as ssh sessions fails because the GTK pinentry dialog cannot be shown in an SSH session.
I tried unset DISPLAY but it did not help. The GPG command line options do not include a switch for forcing the pinentry to console-mode.
Older GPG versions offered a text-based prompt that worked fine in SSH sessions but after the upgrade it just fails.
There is the --textmode command line switch but apparently, it does something else.
What would be the proper and clean way of getting plain-text pin entry for remote sessions?
linux ssh terminal console gnupg
DISPLAY="" gpg2 ... helped me, I also installed pinentry-curses + pinentry-tty beforehand, not sure if they are strictly necessary
– ThorSummoner
May 10 at 21:45
(question asked Dec 18 '12 at 12:21 by ccpizza, edited Nov 19 '17 at 19:07)
7 Answers
To change the pinentry permanently, append the following to your ~/.gnupg/gpg-agent.conf:
pinentry-program /usr/bin/pinentry-tty
(In older versions which lack pinentry-tty, use pinentry-curses for a 'full-terminal' dialog window.)
Tell the GPG agent to reload configuration:
gpg-connect-agent reloadagent /bye
answered Dec 18 '12 at 13:58 by grawity, edited May 22 '17 at 13:56
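A scripted form of the two steps in this answer (set pinentry-program, reload the agent), added here as an example; it is not part of grawity's answer. Beyond the answer it replaces any earlier pinentry-program line instead of appending a duplicate, exports GPG_TTY as the GnuPG manual recommends for terminal pinentries, and checks that the terminal is actually readable and writable by the current user, which is the condition Rufflewind's comment below describes failing after su. Assumptions: a GnuPG 2.1-style ~/.gnupg/gpg-agent.conf, pinentry-tty or pinentry-curses installed under /usr/bin, gpg-connect-agent on PATH; the APPLY_PINENTRY variable is invented for this script.

```shell
#!/bin/sh
# Added example, not grawity's answer: configure gpg-agent for a terminal
# pinentry idempotently, then reload the agent.
# Assumptions: GnuPG 2.1-style homedir, pinentry-tty / pinentry-curses under
# /usr/bin, gpg-connect-agent on PATH. APPLY_PINENTRY is invented here.

# Echo the first terminal-capable pinentry that is installed.
# pinentry-tty is the newer one; pinentry-curses is the full-screen fallback
# the answer mentions for older versions.
find_tty_pinentry() {
    for p in /usr/bin/pinentry-tty /usr/bin/pinentry-curses; do
        if [ -x "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Set "pinentry-program $2" in the gpg-agent.conf given as $1. A previous
# pinentry-program line is replaced rather than duplicated, so the file does
# not accumulate stale entries. Echoes the resulting line for verification.
set_pinentry_program() {
    conf="$1"; prog="$2"
    dir=$(dirname "$conf")
    mkdir -p "$dir" && chmod 700 "$dir"     # gpg-agent warns about a loose homedir
    tmp="$conf.tmp"
    if [ -f "$conf" ]; then
        # grep exits 1 when nothing is left, which is fine here
        grep -v '^pinentry-program ' "$conf" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'pinentry-program %s\n' "$prog" >> "$tmp"
    mv "$tmp" "$conf"
    chmod 600 "$conf"
    grep '^pinentry-program ' "$conf"
}

# A terminal pinentry has to open the tty itself. After su the tty is still
# owned by the original user, so this check fails and pinentry fails too.
tty_usable() {
    [ -r "$1" ] && [ -w "$1" ]
}

# Ask a running agent to re-read its configuration (no-op if not installed).
reload_agent() {
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        gpg-connect-agent reloadagent /bye
    fi
}

# Usage: APPLY_PINENTRY=1 sh this-script.sh
if [ "${APPLY_PINENTRY:-}" = 1 ]; then
    prog=$(find_tty_pinentry) || { echo "no terminal pinentry installed" >&2; exit 1; }
    set_pinentry_program "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" "$prog"
    GPG_TTY=$(tty) && export GPG_TTY      # what the GnuPG manual suggests for ~/.bashrc
    tty_usable "$GPG_TTY" || echo "warning: $GPG_TTY is not read/writable by $(id -un)" >&2
    reload_agent
fi
```

The functions are separated from the guarded main block so the config rewrite can be exercised against a throwaway GNUPGHOME before touching the real one.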
It's not completely "sane". Normally, gpg-agent should itself detect the presence or lack of $DISPLAY and choose the appropriate pinentry...
– grawity
Dec 19 '12 at 15:00
The agent is most likely capable of detecting the presence of a running xorg. But having a DISPLAY defined does not necessarily mean I can or want to use it, for example, when connected over SSH.
– ccpizza
Dec 19 '12 at 17:34
@lfxgroove: the problem is that su does not change the ownership of your TTY, so you need to manually chown it. See this article.
– Rufflewind
Oct 9 '15 at 16:22
@Starx: You create one.
– grawity
Dec 8 '16 at 10:39
Another tip: to view all the available options, type ls /usr/bin | grep pinentry. I see pinentry, pinentry-curses, pinentry-emacs, pinentry-gnome3, pinentry-gtk2, pinentry-qt and pinentry-tty. This way you can choose the one that suits you better, if you don't have the lack of $DISPLAY issue.
– Jeffrey Lebowski
Jan 10 '17 at 12:56
I just had this problem on Ubuntu 16.04.3 when trying to generate/install a private key using gpg2 (2.1.11) on a system account without a password, and on a user account over ssh. Nothing worked, giving:
gpg: key FE17AE6D/FE17AE6D: error sending to agent: Permission denied
gpg: error building skey array: Permission denied
I then found this which worked for me, so in brief:
pico ~/.gnupg/gpg-agent.conf
# add: allow-loopback-pinentry
gpg-connect-agent reloadagent /bye
gpg2 --pinentry-mode loopback --import private.key
answered Oct 16 '17 at 15:49 by racitup
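A defender-side wrapper around the loopback approach in this answer, added as an example and not part of racitup's answer. Loopback mode moves passphrase handling out of the agent's pinentry and into the gpg process, so it is only as safe as the way gpg receives the passphrase: putting it on the command line exposes it to every local user through ps, whereas a file descriptor does not. The script checks that allow-loopback-pinentry is really enabled in gpg-agent.conf (a commented-out line does not count), refuses a passphrase file that is readable by others, and then runs the import with the passphrase on fd 3. Assumptions: gpg2 on PATH, GnuPG 2.1 (2.1.11 as in the answer needs the allow-loopback-pinentry line), and the key and passphrase file paths are placeholders; RUN_IMPORT is a variable invented for this script.

```shell
#!/bin/sh
# Added example, not racitup's script: run a loopback-pinentry import safely.
# Assumptions: gpg2 on PATH, GnuPG 2.1.x; key/passphrase paths are
# placeholders supplied by the caller. RUN_IMPORT is invented here.

# Return 0 when allow-loopback-pinentry is enabled in the gpg-agent.conf
# given as $1. A line starting with '#' is a comment, so a commented-out
# "#allow-loopback-pinentry" does not count.
loopback_allowed() {
    [ -f "$1" ] && grep -q '^[[:space:]]*allow-loopback-pinentry[[:space:]]*$' "$1"
}

# Return 0 when $1 exists and carries no group/other permission bits
# (columns 5-10 of ls -l are "------"), the minimum for a passphrase file.
passfile_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Import a passphrase-protected secret key in loopback mode, reading the
# passphrase from fd 3 so it never appears in argv.
# $1 = key file, $2 = passphrase file (mode 0600).
import_key_loopback() {
    keyfile="$1"; passfile="$2"
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    if ! loopback_allowed "$conf"; then
        echo "allow-loopback-pinentry is not set in $conf; add it and run: gpg-connect-agent reloadagent /bye" >&2
        return 1
    fi
    if ! passfile_private "$passfile"; then
        echo "refusing: $passfile is readable by group or others" >&2
        return 1
    fi
    gpg2 --batch --pinentry-mode loopback --passphrase-fd 3 \
         --import "$keyfile" 3< "$passfile"
}

# Usage: RUN_IMPORT=1 sh this-script.sh private.key passphrase.txt
if [ "${RUN_IMPORT:-}" = 1 ]; then
    import_key_loopback "$1" "$2"
fi
```

The same fd-3 pattern applies to --decrypt and --sign in loopback mode; the checks stay useful because an agent that refuses loopback and a passphrase file that is too open are the two failures that otherwise surface only as an opaque error from gpg.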
To prevent the pinentry popup you could ssh localhost, optionally with X11 forwarding disabled (-x: Disables X11 forwarding).
See the full example below.
patrick@patrick-C504:~$ ssh localhost
patrick@localhost's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-68-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Mon Nov 16 22:48:53 2015 from localhost
patrick@patrick-C504:~$ gpg --gen-key
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Foo
Name must be at least 5 characters long
Real name: FooBar
Email address: foorbar@foo.bar
Comment:
You selected this USER-ID:
"FooBar <foorbar@foo.bar>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
gpg: gpg-agent is not available in this session
Enter passphrase:
answered Nov 16 '15 at 21:27 by PvdL, edited Nov 18 '15 at 9:54
Which X11 features specifically should be disabled? I personally know the answer to my question, the author does not, so the answer seems incomplete without this information.
– Ramhound
Nov 17 '15 at 12:26
ssh'ing to local host was enough for me, but optionally "-x Disables X11 forwarding." should prevent any X11 forwarding. Answer is updated.
– PvdL
Nov 18 '15 at 9:45
I prefer this solution, given that pinentry over -X doesn't show up – I'm normally physically at my laptop, where I want X pinentry (so I don't want to edit a conf file all the time), but if I happen to ssh -X into it I might still want a curses pinentry. Of course, ideally, the gtk pinentry would actually work over ssh -X :-/
– unhammer
Jun 5 '16 at 13:29
I'll copy my answer from over here...
Looking at man pinentry-gnome3, I see this:
pinentry-gnome3 implements a PIN entry dialog based on GNOME 3, which aims to follow the GNOME Human Interface Guidelines as closely as possible. If the X Window System is not active then an alternative text-mode dialog will be used. There are other flavors that implement PIN entry dialogs using other tool kits.
Unfortunately, this text-mode fallback doesn't work for me. It seems others have the same issue. However, this comment spurred me to try a different GUI pin-entry program: pinentry-gtk2. You can switch like this:
> sudo update-alternatives --config pinentry
There are 3 choices for the alternative pinentry (providing /usr/bin/pinentry).
Selection Path Priority Status
------------------------------------------------------------
* 0 /usr/bin/pinentry-gnome3 90 auto mode
1 /usr/bin/pinentry-curses 50 manual mode
2 /usr/bin/pinentry-gnome3 90 manual mode
3 /usr/bin/pinentry-gtk-2 85 manual mode
Press <enter> to keep the current choice[*], or type selection number: 3
update-alternatives: using /usr/bin/pinentry-gtk-2 to provide /usr/bin/pinentry (pinentry) in manual mode
Once I switched, it worked perfectly for me! In a terminal on the desktop, it will use the GUI password entry, but when I ssh into my machine, it will use a text-mode password entry.
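The update-alternatives switch above picks one fixed pinentry; the behaviour several people on this page ask for (GUI on the desktop, terminal prompt over ssh, and a terminal prompt even when ssh -X has set a DISPLAY that is useless) can be had with a small dispatcher installed as the pinentry-program. This is an added example, not part of this answer or of GnuPG. It relies on two things gpg-agent does: it launches the pinentry with a --display argument carrying the calling gpg's DISPLAY, which is why the DISPLAY="" gpg2 trick from the question's comments works, and it forwards the PINENTRY_USER_DATA variable from the gpg client into the pinentry's environment, which the gpg-agent manual provides for exactly such wrapper scripts. Assumptions: pinentry-gtk-2 and pinentry-tty under /usr/bin, the wrapper installed under a name ending in pinentry-auto (a placeholder), and USE_TTY=1 as a token of my own choosing; the fallback check of the wrapper's own DISPLAY is an assumption for agents that start pinentry without --display.

```shell
#!/bin/sh
# Added example, not from the answer or from GnuPG: a pinentry dispatcher.
# Install e.g. as /usr/local/bin/pinentry-auto (placeholder) and set
#   pinentry-program /usr/local/bin/pinentry-auto
# in ~/.gnupg/gpg-agent.conf, then: gpg-connect-agent reloadagent /bye
# Assumed binaries: /usr/bin/pinentry-gtk-2 and /usr/bin/pinentry-tty.

# Echo which pinentry to run. $1 = GUI program, $2 = terminal program,
# remaining args = what gpg-agent passed to the pinentry.
# Decision order:
#   1. PINENTRY_USER_DATA containing USE_TTY=1 (my convention) forces the
#      terminal flavour; gpg forwards that variable from the client.
#   2. a --display argument from gpg-agent, or a non-empty DISPLAY in this
#      process, means a display is available: GUI flavour.
#   3. otherwise the terminal flavour. An empty DISPLAY counts as "none",
#      matching the DISPLAY="" gpg2 ... trick.
choose_pinentry() {
    gui="$1"; tty_prog="$2"; shift 2
    case "${PINENTRY_USER_DATA:-}" in
        *USE_TTY=1*) printf '%s\n' "$tty_prog"; return 0 ;;
    esac
    have_display=0
    for arg in "$@"; do
        if [ "$arg" = "--display" ]; then
            have_display=1
        fi
    done
    if [ -n "${DISPLAY:-}" ]; then
        have_display=1
    fi
    if [ "$have_display" = 1 ]; then
        printf '%s\n' "$gui"
    else
        printf '%s\n' "$tty_prog"
    fi
}

# Dispatch only when executed under the wrapper's own name, so the file can
# also be sourced for testing without launching a pinentry.
case "$0" in
    *pinentry-auto)
        exec "$(choose_pinentry /usr/bin/pinentry-gtk-2 /usr/bin/pinentry-tty "$@")" "$@"
        ;;
esac
```

With the wrapper in place, a plain gpg2 call over ssh gets pinentry-tty, a desktop terminal gets pinentry-gtk-2, and the ssh -X case from unhammer's comment is handled per command with PINENTRY_USER_DATA=USE_TTY=1 gpg2 --decrypt file.gpg, without editing gpg-agent.conf each time.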
If you don't have it, install pinentry-curses with yum or apt-get.
Then, run:
sudo update-alternatives --config pinentry
And select pinentry-curses from the list.
I found the "full example" in PvdL's answer a bit confusing; here's what I do:
ssh -X machine
# work hack hack work until I need something from gpg
ssh -x localhost -p$port
gpg2 --decrypt file.gpg
# enter password to pinentry
exit
# now the key is unlocked in gpg-agent, and I can keep decrypting files
# from my X ssh session without being asked for the password
On a Debian box:
sudo apt install pinentry-tty
sudo update-alternatives --config pinentry
(and set it to pinentry-tty)
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f520980%2fhow-to-force-gpg-to-use-console-mode-pinentry-to-prompt-for-passwords%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
7 Answers
7
active
oldest
votes
7 Answers
7
active
oldest
votes
active
oldest
votes
active
oldest
votes
To change the pinentry permanently, append the following to your ~/.gnupg/gpg-agent.conf
:
pinentry-program /usr/bin/pinentry-tty
(In older versions which lack pinentry-tty, use pinentry-curses for a 'full-terminal' dialog window.)
Tell the GPG agent to reload configuration:
gpg-connect-agent reloadagent /bye
7
It's not completely "sane". Normally,gpg-agent
should itself detect the presence or lack of$DISPLAY
and choose the apropriate pinentry...
– grawity
Dec 19 '12 at 15:00
3
The agent is most likely capable of detecting the presence of a running xorg. But having aDISPLAY
defined does not necessarily mean I can or want to use it, for example, when connected over SSH.
– ccpizza
Dec 19 '12 at 17:34
2
@lfxgroove: the problem is thatsu
does not change the ownership of your TTY, so you need to manuallychown
it. See this article.
– Rufflewind
Oct 9 '15 at 16:22
2
@Starx: You create one.
– grawity
Dec 8 '16 at 10:39
3
Another tip: to view all the available options, typels /usr/bin | grep pinentry
. I seepinentry
,pinentry-curses
,pinentry-emacs
,pinentry-gnome3
,pinentry-gtk2
,pinentry-qt
andpinentry-tty
. This way you can choose the one that suits you better, if you don't have the lack of$DISPLAY
issue.
– Jeffrey Lebowski
Jan 10 '17 at 12:56
|
show 9 more comments
To change the pinentry permanently, append the following to your ~/.gnupg/gpg-agent.conf
:
pinentry-program /usr/bin/pinentry-tty
(In older versions which lack pinentry-tty, use pinentry-curses for a 'full-terminal' dialog window.)
Tell the GPG agent to reload configuration:
gpg-connect-agent reloadagent /bye
7
It's not completely "sane". Normally,gpg-agent
should itself detect the presence or lack of$DISPLAY
and choose the apropriate pinentry...
– grawity
Dec 19 '12 at 15:00
3
The agent is most likely capable of detecting the presence of a running xorg. But having aDISPLAY
defined does not necessarily mean I can or want to use it, for example, when connected over SSH.
– ccpizza
Dec 19 '12 at 17:34
2
@lfxgroove: the problem is thatsu
does not change the ownership of your TTY, so you need to manuallychown
it. See this article.
– Rufflewind
Oct 9 '15 at 16:22
2
@Starx: You create one.
– grawity
Dec 8 '16 at 10:39
3
Another tip: to view all the available options, typels /usr/bin | grep pinentry
. I seepinentry
,pinentry-curses
,pinentry-emacs
,pinentry-gnome3
,pinentry-gtk2
,pinentry-qt
andpinentry-tty
. This way you can choose the one that suits you better, if you don't have the lack of$DISPLAY
issue.
– Jeffrey Lebowski
Jan 10 '17 at 12:56
|
show 9 more comments
To change the pinentry permanently, append the following to your ~/.gnupg/gpg-agent.conf
:
pinentry-program /usr/bin/pinentry-tty
(In older versions which lack pinentry-tty, use pinentry-curses for a 'full-terminal' dialog window.)
Tell the GPG agent to reload configuration:
gpg-connect-agent reloadagent /bye
To change the pinentry permanently, append the following to your ~/.gnupg/gpg-agent.conf
:
pinentry-program /usr/bin/pinentry-tty
(In older versions which lack pinentry-tty, use pinentry-curses for a 'full-terminal' dialog window.)
Tell the GPG agent to reload configuration:
gpg-connect-agent reloadagent /bye
edited May 22 '17 at 13:56
answered Dec 18 '12 at 13:58
grawity
232k35490546
232k35490546
7
It's not completely "sane". Normally,gpg-agent
should itself detect the presence or lack of$DISPLAY
and choose the apropriate pinentry...
– grawity
Dec 19 '12 at 15:00
3
The agent is most likely capable of detecting the presence of a running xorg. But having aDISPLAY
defined does not necessarily mean I can or want to use it, for example, when connected over SSH.
– ccpizza
Dec 19 '12 at 17:34
2
@lfxgroove: the problem is thatsu
does not change the ownership of your TTY, so you need to manuallychown
it. See this article.
– Rufflewind
Oct 9 '15 at 16:22
2
@Starx: You create one.
– grawity
Dec 8 '16 at 10:39
3
Another tip: to view all the available options, typels /usr/bin | grep pinentry
. I seepinentry
,pinentry-curses
,pinentry-emacs
,pinentry-gnome3
,pinentry-gtk2
,pinentry-qt
andpinentry-tty
. This way you can choose the one that suits you better, if you don't have the lack of$DISPLAY
issue.
– Jeffrey Lebowski
Jan 10 '17 at 12:56
|
show 9 more comments
7
It's not completely "sane". Normally,gpg-agent
should itself detect the presence or lack of$DISPLAY
and choose the apropriate pinentry...
– grawity
Dec 19 '12 at 15:00
3
The agent is most likely capable of detecting the presence of a running xorg. But having aDISPLAY
defined does not necessarily mean I can or want to use it, for example, when connected over SSH.
– ccpizza
Dec 19 '12 at 17:34
2
@lfxgroove: the problem is thatsu
does not change the ownership of your TTY, so you need to manuallychown
it. See this article.
– Rufflewind
Oct 9 '15 at 16:22
2
@Starx: You create one.
– grawity
Dec 8 '16 at 10:39
3
Another tip: to view all the available options, typels /usr/bin | grep pinentry
. I seepinentry
,pinentry-curses
,pinentry-emacs
,pinentry-gnome3
,pinentry-gtk2
,pinentry-qt
andpinentry-tty
. This way you can choose the one that suits you better, if you don't have the lack of$DISPLAY
issue.
– Jeffrey Lebowski
Jan 10 '17 at 12:56
7
7
It's not completely "sane". Normally,
gpg-agent
should itself detect the presence or lack of $DISPLAY
and choose the apropriate pinentry...– grawity
Dec 19 '12 at 15:00
It's not completely "sane". Normally,
gpg-agent
should itself detect the presence or lack of $DISPLAY
and choose the apropriate pinentry...– grawity
Dec 19 '12 at 15:00
3
3
The agent is most likely capable of detecting the presence of a running xorg. But having a
DISPLAY
defined does not necessarily mean I can or want to use it, for example, when connected over SSH.– ccpizza
Dec 19 '12 at 17:34
The agent is most likely capable of detecting the presence of a running xorg. But having a
DISPLAY
defined does not necessarily mean I can or want to use it, for example, when connected over SSH.– ccpizza
Dec 19 '12 at 17:34
2
2
@lfxgroove: the problem is that
su
does not change the ownership of your TTY, so you need to manually chown
it. See this article.– Rufflewind
Oct 9 '15 at 16:22
@lfxgroove: the problem is that
su
does not change the ownership of your TTY, so you need to manually chown
it. See this article.– Rufflewind
Oct 9 '15 at 16:22
2
2
@Starx: You create one.
– grawity
Dec 8 '16 at 10:39
@Starx: You create one.
– grawity
Dec 8 '16 at 10:39
3
3
Another tip: to view all the available options, type
ls /usr/bin | grep pinentry
. I see pinentry
, pinentry-curses
, pinentry-emacs
, pinentry-gnome3
, pinentry-gtk2
, pinentry-qt
and pinentry-tty
. This way you can choose the one that suits you better, if you don't have the lack of $DISPLAY
issue.– Jeffrey Lebowski
Jan 10 '17 at 12:56
Another tip: to view all the available options, type
ls /usr/bin | grep pinentry
. I see pinentry
, pinentry-curses
, pinentry-emacs
, pinentry-gnome3
, pinentry-gtk2
, pinentry-qt
and pinentry-tty
. This way you can choose the one that suits you better, if you don't have the lack of $DISPLAY
issue.– Jeffrey Lebowski
Jan 10 '17 at 12:56
|
show 9 more comments
I just had this problem on Ubuntu 16.04.3 when trying to generate/install a private key using gpg2 (2.1.11) on a system account without a password, and on a user account over ssh. Nothing worked giving:
gpg: key FE17AE6D/FE17AE6D: error sending to agent: Permission denied
gpg: error building skey array: Permission denied
I then found this which worked for me, so in brief:
pico ~/.gnupg/gpg-agent.conf
# add: allow-loopback-pinentry
gpg-connect-agent reloadagent /bye
gpg2 --pinentry-mode loopback --import private.key
add a comment |
I just had this problem on Ubuntu 16.04.3 when trying to generate/install a private key using gpg2 (2.1.11) on a system account without a password, and on a user account over ssh. Nothing worked giving:
gpg: key FE17AE6D/FE17AE6D: error sending to agent: Permission denied
gpg: error building skey array: Permission denied
I then found this which worked for me, so in brief:
pico ~/.gnupg/gpg-agent.conf
# add: allow-loopback-pinentry
gpg-connect-agent reloadagent /bye
gpg2 --pinentry-mode loopback --import private.key
add a comment |
I just had this problem on Ubuntu 16.04.3 when trying to generate/install a private key using gpg2 (2.1.11) on a system account without a password, and on a user account over ssh. Nothing worked giving:
gpg: key FE17AE6D/FE17AE6D: error sending to agent: Permission denied
gpg: error building skey array: Permission denied
I then found this which worked for me, so in brief:
pico ~/.gnupg/gpg-agent.conf
# add: allow-loopback-pinentry
gpg-connect-agent reloadagent /bye
gpg2 --pinentry-mode loopback --import private.key
I just had this problem on Ubuntu 16.04.3 when trying to generate/install a private key using gpg2 (2.1.11) on a system account without a password, and on a user account over ssh. Nothing worked giving:
gpg: key FE17AE6D/FE17AE6D: error sending to agent: Permission denied
gpg: error building skey array: Permission denied
I then found this which worked for me, so in brief:
pico ~/.gnupg/gpg-agent.conf
# add: allow-loopback-pinentry
gpg-connect-agent reloadagent /bye
gpg2 --pinentry-mode loopback --import private.key
answered Oct 16 '17 at 15:49
racitup
6111
6111
add a comment |
add a comment |
To prevent the pinentry popup you could ssh localhost
. Optionally forcing X11 disabled, -x Disables X11 forwarding.
See the full example below.
patrick@patrick-C504:~$ ssh localhost
patrick@localhost's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-68-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Mon Nov 16 22:48:53 2015 from localhost
patrick@patrick-C504:~$ gpg --gen-key
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Foo
Name must be at least 5 characters long
Real name: FooBar
Email address: foorbar@foo.bar
Comment:
You selected this USER-ID:
"FooBar <foorbar@foo.bar>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
gpg: gpg-agent is not available in this session
Enter passphrase:
3
Which X11 features specifically should be disabled? I personally know the answer to my question, the author does not, so the answer seems incomplete without this information.
– Ramhound
Nov 17 '15 at 12:26
ssh'ing to local host was enough for me, but optionally-x Disables X11 forwarding.
should prevent any X11 forwarding. Answer is updated.
– PvdL
Nov 18 '15 at 9:45
I prefer this solution, given that pinentry over -X doesn't show up – I'm normally physically at my laptop, where I want X pinentry (so I don't want to edit a conf file all the time), but if I happen to ssh -X into it I might still want a curses pinentry. Of course, ideally, the gtk pinentry would actually work over ssh -X :-/
– unhammer
Jun 5 '16 at 13:29
add a comment |
To prevent the pinentry popup you could ssh localhost
. Optionally forcing X11 disabled, -x Disables X11 forwarding.
See the full example below.
patrick@patrick-C504:~$ ssh localhost
patrick@localhost's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-68-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Mon Nov 16 22:48:53 2015 from localhost
patrick@patrick-C504:~$ gpg --gen-key
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Foo
Name must be at least 5 characters long
Real name: FooBar
Email address: foorbar@foo.bar
Comment:
You selected this USER-ID:
"FooBar <foorbar@foo.bar>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
gpg: gpg-agent is not available in this session
Enter passphrase:
3
Which X11 features specifically should be disabled? I personally know the answer to my question, the author does not, so the answer seems incomplete without this information.
– Ramhound
Nov 17 '15 at 12:26
ssh'ing to local host was enough for me, but optionally-x Disables X11 forwarding.
should prevent any X11 forwarding. Answer is updated.
– PvdL
Nov 18 '15 at 9:45
I prefer this solution, given that pinentry over -X doesn't show up – I'm normally physically at my laptop, where I want X pinentry (so I don't want to edit a conf file all the time), but if I happen to ssh -X into it I might still want a curses pinentry. Of course, ideally, the gtk pinentry would actually work over ssh -X :-/
– unhammer
Jun 5 '16 at 13:29
add a comment |
To prevent the pinentry popup you could ssh localhost
. Optionally forcing X11 disabled, -x Disables X11 forwarding.
See the full example below.
patrick@patrick-C504:~$ ssh localhost
patrick@localhost's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-68-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Mon Nov 16 22:48:53 2015 from localhost
patrick@patrick-C504:~$ gpg --gen-key
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Foo
Name must be at least 5 characters long
Real name: FooBar
Email address: foorbar@foo.bar
Comment:
You selected this USER-ID:
"FooBar <foorbar@foo.bar>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
gpg: gpg-agent is not available in this session
Enter passphrase:
To prevent the pinentry popup you could ssh localhost
. Optionally forcing X11 disabled, -x Disables X11 forwarding.
See the full example below.
patrick@patrick-C504:~$ ssh localhost
patrick@localhost's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-68-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Mon Nov 16 22:48:53 2015 from localhost
patrick@patrick-C504:~$ gpg --gen-key
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Foo
Name must be at least 5 characters long
Real name: FooBar
Email address: foorbar@foo.bar
Comment:
You selected this USER-ID:
"FooBar <foorbar@foo.bar>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
gpg: gpg-agent is not available in this session
Enter passphrase:
edited Nov 18 '15 at 9:54
answered Nov 16 '15 at 21:27
PvdL
1173
1173
3
Which X11 features specifically should be disabled? I personally know the answer to my question, the author does not, so the answer seems incomplete without this information.
– Ramhound
Nov 17 '15 at 12:26
ssh'ing to local host was enough for me, but optionally-x Disables X11 forwarding.
should prevent any X11 forwarding. Answer is updated.
– PvdL
Nov 18 '15 at 9:45
I prefer this solution, given that pinentry over -X doesn't show up – I'm normally physically at my laptop, where I want X pinentry (so I don't want to edit a conf file all the time), but if I happen to ssh -X into it I might still want a curses pinentry. Of course, ideally, the gtk pinentry would actually work over ssh -X :-/
– unhammer
Jun 5 '16 at 13:29
add a comment |
3
Which X11 features specifically should be disabled? I personally know the answer to my question, the author does not, so the answer seems incomplete without this information.
– Ramhound
Nov 17 '15 at 12:26
ssh'ing to local host was enough for me, but optionally-x Disables X11 forwarding.
should prevent any X11 forwarding. Answer is updated.
– PvdL
Nov 18 '15 at 9:45
I prefer this solution, given that pinentry over -X doesn't show up – I'm normally physically at my laptop, where I want X pinentry (so I don't want to edit a conf file all the time), but if I happen to ssh -X into it I might still want a curses pinentry. Of course, ideally, the gtk pinentry would actually work over ssh -X :-/
– unhammer
Jun 5 '16 at 13:29
I'll copy my answer from over here...
Looking at man pinentry-gnome3, I see this:
    pinentry-gnome3 implements a PIN entry dialog based on GNOME 3, which aims to follow the GNOME Human Interface Guidelines as closely as possible. If the X Window System is not active then an alternative text-mode dialog will be used. There are other flavors that implement PIN entry dialogs using other tool kits.
Unfortunately, this text-mode fallback doesn't work for me. It seems others have the same issue. However, this comment spurred me to try a different GUI pin-entry program: pinentry-gtk2. You can switch like this:
> sudo update-alternatives --config pinentry
There are 3 choices for the alternative pinentry (providing /usr/bin/pinentry).

  Selection    Path                        Priority   Status
------------------------------------------------------------
* 0            /usr/bin/pinentry-gnome3     90        auto mode
  1            /usr/bin/pinentry-curses     50        manual mode
  2            /usr/bin/pinentry-gnome3     90        manual mode
  3            /usr/bin/pinentry-gtk-2      85        manual mode

Press <enter> to keep the current choice[*], or type selection number: 3
update-alternatives: using /usr/bin/pinentry-gtk-2 to provide /usr/bin/pinentry (pinentry) in manual mode
Once I switched, it worked perfectly for me! In a terminal on the desktop, it will use the GUI password entry, but when I ssh into my machine, it will use a text-mode password entry.
answered May 31 at 5:58
mblythe
If you don't have it, install pinentry-curses with yum or apt-get.
Then, run:
sudo update-alternatives --config pinentry
And select pinentry-curses from the list.
answered Aug 11 at 19:07
Aiden Woodruff
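The two answers above (mblythe's and Aiden Woodruff's) switch the pinentry for the whole system with update-alternatives. As an added example that is not code from either answer, the following POSIX shell script does the same per user: it picks a text-mode pinentry whenever the shell is an SSH login, pins it through the pinentry-program option in gpg-agent.conf, exports GPG_TTY, and reloads the agent. The pinentry binary paths and the use of SSH_TTY and DISPLAY to detect the session type are assumptions.

```shell
#!/bin/sh
# Added example, not from the answers above: select a text-mode pinentry for
# SSH sessions through the per-user gpg-agent.conf "pinentry-program" option
# rather than the system-wide update-alternatives setting.
# Assumed: pinentry binaries live at the paths below; sshd sets SSH_TTY.

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
CURSES_PINENTRY="${CURSES_PINENTRY:-/usr/bin/pinentry-curses}"  # assumed path
GUI_PINENTRY="${GUI_PINENTRY:-/usr/bin/pinentry-gtk-2}"         # assumed path

# Choose the pinentry for a session. GUI only when an X display is set and the
# shell is not an SSH login (so "ssh -X" still gets curses, which works there).
# $1 = DISPLAY value, $2 = SSH_TTY value; passed in to keep the rule testable.
pick_pinentry() {
    if [ -n "$1" ] && [ -z "$2" ]; then
        printf '%s\n' "$GUI_PINENTRY"
    else
        printf '%s\n' "$CURSES_PINENTRY"
    fi
}

# Replace or append the pinentry-program line in a gpg-agent.conf while
# keeping every other option. $1 = conf path, $2 = pinentry binary.
set_pinentry_program() {
    conf="$1"; prog="$2"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    # grep -v exits 1 when nothing is left to print; that is not an error here.
    grep -v '^pinentry-program ' "$conf" > "$conf.tmp" || true
    printf 'pinentry-program %s\n' "$prog" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
    chmod 600 "$conf"
}

# Apply to the running agent: gpg-agent re-reads its config on "reloadagent",
# and a curses/tty pinentry needs GPG_TTY to locate the terminal to draw on.
apply_pinentry() {
    prog="$(pick_pinentry "${DISPLAY:-}" "${SSH_TTY:-}")"
    set_pinentry_program "$GNUPGHOME/gpg-agent.conf" "$prog"
    GPG_TTY="$(tty)"; export GPG_TTY
    gpg-connect-agent reloadagent /bye >/dev/null
    echo "gpg-agent now uses $prog"
}

# Only touch the real agent when explicitly asked, e.g. APPLY_PINENTRY=1 ./pin.sh
if [ -n "${APPLY_PINENTRY:-}" ]; then
    apply_pinentry
fi
```

Because the choice is made per shell, run it (or source it) from your shell profile so a desktop terminal keeps the GUI pinentry while SSH logins get the curses one.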
I found the "full example" in PvdL's answer a bit confusing, here's what I do:
ssh -X machine
# work hack hack work until I need something from gpg
ssh -x localhost -p$port
gpg2 --decrypt file.gpg
# enter password to pinentry
exit
# now the key is unlocked in gpg-agent, and I can keep decrypting files
# from my X ssh session without being asked for the password
answered Jan 4 '17 at 11:03
unhammer
On a debian box:
sudo apt install pinentry-tty
sudo update-alternatives --config pinentry
(and set it to pinentry-tty)
answered Dec 5 at 21:34
John Lawrence Aspden