How to force GPG to use console-mode pinentry to prompt for passwords?












62














Using gpg from a console-based environment such as ssh sessions fails because the GTK pinentry dialog cannot be shown in an SSH session.



I tried unset DISPLAY but it did not help. The GPG command line options do not include a switch for forcing the pinentry to console-mode.



Older GPG versions offered a text-based prompt that worked fine in SSH sessions but after the upgrade it just fails.



There is the --textmode command line switch but apparently, it does something else.



What would be the proper and clean way of getting plain-text pin entry for remote sessions?







linux ssh terminal console gnupg














edited Nov 19 '17 at 19:07

























asked Dec 18 '12 at 12:21









ccpizza













  • DISPLAY="" gpg2 ... helped me, I also installed pinentry-curses + pinentry-tty beforehand, not sure if they are strictly necessary
    – ThorSummoner
    May 10 at 21:45




























7 Answers





























    1














    To prevent the pinentry popup you could ssh localhost. Optionally forcing X11 disabled, -x Disables X11 forwarding. See the full example below.



    patrick@patrick-C504:~$ ssh localhost
    patrick@localhost's password:
    Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-68-generic x86_64)

    * Documentation: https://help.ubuntu.com/

    Last login: Mon Nov 16 22:48:53 2015 from localhost
    patrick@patrick-C504:~$ gpg --gen-key
    gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
    Your selection? 4
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048)
    Requested keysize is 2048 bits
    Please specify how long the key should be valid.
    0 = key does not expire
    <n> = key expires in n days
    <n>w = key expires in n weeks
    <n>m = key expires in n months
    <n>y = key expires in n years
    Key is valid for? (0)
    Key does not expire at all
    Is this correct? (y/N) y

    You need a user ID to identify your key; the software constructs the user ID
    from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

    Real name: Foo
    Name must be at least 5 characters long
    Real name: FooBar
    Email address: foorbar@foo.bar
    Comment:
    You selected this USER-ID:
    "FooBar <foorbar@foo.bar>"

    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
    You need a Passphrase to protect your secret key.

    gpg: gpg-agent is not available in this session
    Enter passphrase:
























    • 3




      Which X11 features specifically should be disabled? I personally know the answer to my question, the author does not, so the answer seems incomplete without this information.
      – Ramhound
      Nov 17 '15 at 12:26










    • ssh'ing to local host was enough for me, but optionally -x Disables X11 forwarding. should prevent any X11 forwarding. Answer is updated.
      – PvdL
      Nov 18 '15 at 9:45










    • I prefer this solution, given that pinentry over -X doesn't show up – I'm normally physically at my laptop, where I want X pinentry (so I don't want to edit a conf file all the time), but if I happen to ssh -X into it I might still want a curses pinentry. Of course, ideally, the gtk pinentry would actually work over ssh -X :-/
      – unhammer
      Jun 5 '16 at 13:29





















    1














    I'll copy my answer from over here...



    Looking at man pinentry-gnome3, I see this:



       pinentry-gnome3  implements  a PIN entry dialog based on GNOME 3, which
    aims to follow the GNOME Human Interface Guidelines as closely as pos‐
    sible. If the X Window System is not active then an alternative text-
    mode dialog will be used. There are other flavors that implement PIN
    entry dialogs using other tool kits.


    Unfortunately, this text-mode fallback doesn't work for me. It seems others have the same issue. However, this comment spurred me to try a different GUI pin-entry program: pinentry-gtk2. You can switch like this:



    > sudo update-alternatives --config pinentry
    There are 3 choices for the alternative pinentry (providing /usr/bin/pinentry).

    Selection Path Priority Status
    ------------------------------------------------------------
    * 0 /usr/bin/pinentry-gnome3 90 auto mode
    1 /usr/bin/pinentry-curses 50 manual mode
    2 /usr/bin/pinentry-gnome3 90 manual mode
    3 /usr/bin/pinentry-gtk-2 85 manual mode

    Press <enter> to keep the current choice[*], or type selection number: 3
    update-alternatives: using /usr/bin/pinentry-gtk-2 to provide /usr/bin/pinentry (pinentry) in manual mode


    Once I switched, it worked perfectly for me! In a terminal on the desktop, it will use the GUI password entry, but when I ssh into my machine, it will use a text-mode password entry.



































      1














      If you don't have it, install pinentry-curses with yum or apt-get.



      Then, run:



      sudo update-alternatives --config pinentry



      And select pinentry-curses from the list.



































        0














        I found the "full example" in PvdL's answer a bit confusing, here's what I do:



        ssh -X machine
        # work hack hack work until I need something from gpg
        ssh -x localhost -p$port
        gpg2 --decrypt file.gpg
        # enter password to pinentry
        exit
        # now the key is unlocked in gpg-agent, and I can keep decrypting files
        # from my X ssh session without being asked for the password


































          0














          On a debian box:



          sudo apt install pinentry-tty
          sudo update-alternatives --config pinentry


          (and set it to pinentry-tty)














            76






            To change the pinentry permanently, append the following to your ~/.gnupg/gpg-agent.conf:



            pinentry-program /usr/bin/pinentry-tty


            (In older versions which lack pinentry-tty, use pinentry-curses for a 'full-terminal' dialog window.)



            Tell the GPG agent to reload configuration:



            gpg-connect-agent reloadagent /bye













            edited May 22 '17 at 13:56

























            answered Dec 18 '12 at 13:58









            grawity









            • 7




              It's not completely "sane". Normally, gpg-agent should itself detect the presence or lack of $DISPLAY and choose the appropriate pinentry...
              – grawity
              Dec 19 '12 at 15:00






            • 3




              The agent is most likely capable of detecting the presence of a running xorg. But having a DISPLAY defined does not necessarily mean I can or want to use it, for example, when connected over SSH.
              – ccpizza
              Dec 19 '12 at 17:34






            • 2




              @lfxgroove: the problem is that su does not change the ownership of your TTY, so you need to manually chown it. See this article.
              – Rufflewind
              Oct 9 '15 at 16:22








            • 2




              @Starx: You create one.
              – grawity
              Dec 8 '16 at 10:39






            • 3




              Another tip: to view all the available options, type ls /usr/bin | grep pinentry. I see pinentry, pinentry-curses, pinentry-emacs, pinentry-gnome3, pinentry-gtk2, pinentry-qt and pinentry-tty. This way you can choose the one that suits you better, if you don't have the lack of $DISPLAY issue.
              – Jeffrey Lebowski
              Jan 10 '17 at 12:56
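One way to apply the gpg-agent.conf change from the answer above idempotently, preferring pinentry-tty and falling back to pinentry-curses as the answer suggests. This is an added example, not part of the original answer; the function names and the --apply switch are this example's own.

```shell
#!/bin/sh
# Added example: function names and the --apply switch are assumptions of
# this sketch, not part of GnuPG.

# Print the first console pinentry found in the given directories,
# preferring pinentry-tty and falling back to pinentry-curses.
choose_pinentry() {
    for name in pinentry-tty pinentry-curses; do
        for dir in "$@"; do
            if [ -x "$dir/$name" ]; then
                printf '%s\n' "$dir/$name"
                return 0
            fi
        done
    done
    return 1
}

# Set "pinentry-program PROGRAM" in CONF, replacing any earlier
# pinentry-program line and leaving every other option untouched.
set_pinentry_program() {
    conf=$1
    program=$2
    confdir=$(dirname "$conf")
    mkdir -p "$confdir" || return 1
    chmod 700 "$confdir" || return 1   # gpg warns about unsafe homedir permissions
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    if [ -f "$conf" ]; then
        # grep exits 1 when nothing is left to print; that is not an error here
        grep -v '^[[:space:]]*pinentry-program[[:space:]]' "$conf" > "$tmp" || true
    fi
    printf 'pinentry-program %s\n' "$program" >> "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$conf"
}

# Only touch the real configuration when asked to.
if [ "${1:-}" = "--apply" ]; then
    program=$(choose_pinentry /usr/bin /usr/local/bin) || {
        echo "no pinentry-tty or pinentry-curses found; install one first" >&2
        exit 1
    }
    set_pinentry_program "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" "$program"
    # Same reload command as in the answer.
    gpg-connect-agent reloadagent /bye
    # Console pinentries draw on the terminal named in GPG_TTY; the gpg-agent
    # manual recommends `export GPG_TTY=$(tty)` in the shell profile.
fi
```

Run with --apply to change the real configuration; without it the script only defines the functions.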






















                6






                I just had this problem on Ubuntu 16.04.3 when trying to generate/install a private key using gpg2 (2.1.11) on a system account without a password, and on a user account over ssh. Nothing worked giving:




                gpg: key FE17AE6D/FE17AE6D: error sending to agent: Permission denied

                gpg: error building skey array: Permission denied




                I then found this which worked for me, so in brief:



                pico ~/.gnupg/gpg-agent.conf
                # add: allow-loopback-pinentry
                gpg-connect-agent reloadagent /bye
                gpg2 --pinentry-mode loopback --import private.key















                answered Oct 16 '17 at 15:49









                racitup
























                    1














                    To prevent the pinentry popup you could ssh localhost. Optionally forcing X11 disabled, -x Disables X11 forwarding. See the full example below.



                    patrick@patrick-C504:~$ ssh localhost
                    patrick@localhost's password:
                    Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-68-generic x86_64)

                    * Documentation: https://help.ubuntu.com/

                    Last login: Mon Nov 16 22:48:53 2015 from localhost
                    patrick@patrick-C504:~$ gpg --gen-key
                    gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
                    This is free software: you are free to change and redistribute it.
                    There is NO WARRANTY, to the extent permitted by law.

                    Please select what kind of key you want:
                    (1) RSA and RSA (default)
                    (2) DSA and Elgamal
                    (3) DSA (sign only)
                    (4) RSA (sign only)
                    Your selection? 4
                    RSA keys may be between 1024 and 4096 bits long.
                    What keysize do you want? (2048)
                    Requested keysize is 2048 bits
                    Please specify how long the key should be valid.
                    0 = key does not expire
                    <n> = key expires in n days
                    <n>w = key expires in n weeks
                    <n>m = key expires in n months
                    <n>y = key expires in n years
                    Key is valid for? (0)
                    Key does not expire at all
                    Is this correct? (y/N) y

                    You need a user ID to identify your key; the software constructs the user ID
                    from the Real Name, Comment and Email Address in this form:
                    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

                    Real name: Foo
                    Name must be at least 5 characters long
                    Real name: FooBar
                    Email address: foorbar@foo.bar
                    Comment:
                    You selected this USER-ID:
                    "FooBar <foorbar@foo.bar>"

                    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
                    You need a Passphrase to protect your secret key.

                    gpg: gpg-agent is not available in this session
                    Enter passphrase:





                    share|improve this answer



















                    • 3




                      Which X11 features specifically should be disabled? I personally know the answer to my question, the author does not, so the answer seems incomplete without this information.
                      – Ramhound
                      Nov 17 '15 at 12:26










                    • ssh'ing to local host was enough for me, but optionally -x Disables X11 forwarding. should prevent any X11 forwarding. Answer is updated.
                      – PvdL
                      Nov 18 '15 at 9:45










                    • I prefer this solution, given that pinentry over -X doesn't show up – I'm normally physically at my laptop, where I want X pinentry (so I don't want to edit a conf file all the time), but if I happen to ssh -X into it I might still want a curses pinentry. Of course, ideally, the gtk pinentry would actually work over ssh -X :-/
                      – unhammer
                      Jun 5 '16 at 13:29


















                    1














                    To prevent the pinentry popup you could ssh localhost. Optionally forcing X11 disabled, -x Disables X11 forwarding. See the full example below.



                    patrick@patrick-C504:~$ ssh localhost
                    patrick@localhost's password:
                    Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-68-generic x86_64)

                    * Documentation: https://help.ubuntu.com/

                    Last login: Mon Nov 16 22:48:53 2015 from localhost
                    patrick@patrick-C504:~$ gpg --gen-key
                    gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
                    This is free software: you are free to change and redistribute it.
                    There is NO WARRANTY, to the extent permitted by law.

                    Please select what kind of key you want:
                    (1) RSA and RSA (default)
                    (2) DSA and Elgamal
                    (3) DSA (sign only)
                    (4) RSA (sign only)
                    Your selection? 4
                    RSA keys may be between 1024 and 4096 bits long.
                    What keysize do you want? (2048)
                    Requested keysize is 2048 bits
                    Please specify how long the key should be valid.
                    0 = key does not expire
                    <n> = key expires in n days
                    <n>w = key expires in n weeks
                    <n>m = key expires in n months
                    <n>y = key expires in n years
                    Key is valid for? (0)
                    Key does not expire at all
                    Is this correct? (y/N) y

                    You need a user ID to identify your key; the software constructs the user ID
                    from the Real Name, Comment and Email Address in this form:
                    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

                    Real name: Foo
                    Name must be at least 5 characters long
                    Real name: FooBar
                    Email address: foorbar@foo.bar
                    Comment:
                    You selected this USER-ID:
                    "FooBar <foorbar@foo.bar>"

                    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
                    You need a Passphrase to protect your secret key.

                    gpg: gpg-agent is not available in this session
                    Enter passphrase:





                    edited Nov 18 '15 at 9:54

























                    answered Nov 16 '15 at 21:27









                    PvdL

                    • 3




                      Which X11 features specifically should be disabled? I personally know the answer to my question, the author does not, so the answer seems incomplete without this information.
                      – Ramhound
                      Nov 17 '15 at 12:26










                    • ssh'ing to local host was enough for me, but optionally -x ("Disables X11 forwarding.") should prevent any X11 forwarding. Answer is updated.
                      – PvdL
                      Nov 18 '15 at 9:45










                    • I prefer this solution, given that pinentry over -X doesn't show up – I'm normally physically at my laptop, where I want X pinentry (so I don't want to edit a conf file all the time), but if I happen to ssh -X into it I might still want a curses pinentry. Of course, ideally, the gtk pinentry would actually work over ssh -X :-/
                      – unhammer
                      Jun 5 '16 at 13:29
















                    1














                    I'll copy my answer from over here...



                    Looking at man pinentry-gnome3, I see this:



                    pinentry-gnome3 implements a PIN entry dialog based on GNOME 3, which aims to follow the GNOME Human Interface Guidelines as closely as possible. If the X Window System is not active then an alternative text-mode dialog will be used. There are other flavors that implement PIN entry dialogs using other tool kits.


                    Unfortunately, this text-mode fallback doesn't work for me. It seems others have the same issue. However, this comment spurred me to try a different GUI pin-entry program: pinentry-gtk2. You can switch like this:



                    > sudo update-alternatives --config pinentry
                    There are 3 choices for the alternative pinentry (providing /usr/bin/pinentry).

                      Selection    Path                       Priority   Status
                    ------------------------------------------------------------
                    * 0            /usr/bin/pinentry-gnome3    90        auto mode
                      1            /usr/bin/pinentry-curses    50        manual mode
                      2            /usr/bin/pinentry-gnome3    90        manual mode
                      3            /usr/bin/pinentry-gtk-2     85        manual mode

                    Press <enter> to keep the current choice[*], or type selection number: 3
                    update-alternatives: using /usr/bin/pinentry-gtk-2 to provide /usr/bin/pinentry (pinentry) in manual mode


                    Once I switched, it worked perfectly for me! In a terminal on the desktop, it will use the GUI password entry, but when I ssh into my machine, it will use a text-mode password entry.






                        answered May 31 at 5:58









                        mblythe

                            1














                            If you don't have it, install pinentry-curses with yum or apt-get.



                            Then, run:



                            sudo update-alternatives --config pinentry



                            And select pinentry-curses from the list.






                                answered Aug 11 at 19:07









                                Aiden Woodruff

                                    0














                                    I found the "full example" in PvdL's answer a bit confusing, here's what I do:



                                    ssh -X machine
                                    # work hack hack work until I need something from gpg
                                    ssh -x localhost -p$port
                                    gpg2 --decrypt file.gpg
                                    # enter password to pinentry
                                    exit
                                    # now the key is unlocked in gpg-agent, and I can keep decrypting files
                                    # from my X ssh session without being asked for the password





                                        answered Jan 4 '17 at 11:03









                                        unhammer

                                            0














                                            On a Debian box:



                                            sudo apt install pinentry-tty
                                            sudo update-alternatives --config pinentry


                                            (and set it to pinentry-tty)






                                                answered Dec 5 at 21:34









                                                John Lawrence Aspden
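For the case raised in the comments above (GUI pinentry at the desk, text pinentry over ssh, without re-running update-alternatives each time), a wrapper script can choose the flavour per session. This is an added example, not code from any of the answers: the name pinentry-auto, its install path and the text/gui hint values are assumptions, while pinentry-program and PINENTRY_USER_DATA are existing GnuPG settings, and it applies to gpg2 with gpg-agent.

```shell
#!/bin/sh
# pinentry-auto (hypothetical name): wrapper that gpg-agent starts instead of a
# fixed pinentry. Assumed to be enabled with this line in ~/.gnupg/gpg-agent.conf:
#   pinentry-program /usr/local/bin/pinentry-auto
# gpg passes the caller's PINENTRY_USER_DATA to gpg-agent, which passes it on
# to the pinentry it starts, so every login session can ask for its own flavour.
# The wrapper sees the passphrase dialog traffic: keep it owned by root or the
# user and not writable by anyone else.
#
# Assumed shell profile lines (after sourcing or copying session_pinentry_hint):
#   export GPG_TTY=$(tty)
#   export PINENTRY_USER_DATA=$(session_pinentry_hint)

# Print the hint a login shell should export as PINENTRY_USER_DATA.
# Remote logins (ssh sets SSH_CONNECTION / SSH_TTY, also with -X) and sessions
# without any display get "text"; a local desktop session gets "gui".
session_pinentry_hint() {
    if [ -n "${SSH_CONNECTION:-}" ] || [ -n "${SSH_TTY:-}" ]; then
        echo text
    elif [ -z "${DISPLAY:-}" ] && [ -z "${WAYLAND_DISPLAY:-}" ]; then
        echo text
    else
        echo gui
    fi
}

# Print the path of the first installed pinentry that matches the hint.
#   $1 = hint: "text", "gui", or anything else (no preference)
#   $2 = directory to search (default /usr/bin, as in the
#        update-alternatives listing quoted on this page)
# Returns 1 and prints nothing when no matching binary is installed, so a
# "text" request never falls through to a GUI dialog.
choose_pinentry() {
    hint=$1
    bindir=${2:-/usr/bin}
    case "$hint" in
        text) candidates="pinentry-curses pinentry-tty" ;;
        gui)  candidates="pinentry-gtk-2 pinentry-gnome3 pinentry" ;;
        # No hint: defer to the link managed by update-alternatives.
        *)    candidates="pinentry" ;;
    esac
    for name in $candidates; do
        if [ -x "$bindir/$name" ]; then
            echo "$bindir/$name"
            return 0
        fi
    done
    return 1
}

# Act as the wrapper only when invoked under its own name, so the functions
# above can also be sourced from a shell profile without side effects.
if [ "${0##*/}" = "pinentry-auto" ]; then
    target=$(choose_pinentry "${PINENTRY_USER_DATA:-}") || {
        echo "pinentry-auto: no suitable pinentry program found" >&2
        exit 1
    }
    exec "$target" "$@"
fi
```

After editing gpg-agent.conf, reload the agent with gpg-connect-agent reloadagent /bye so the new pinentry-program takes effect.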
