Unable to use GPG Agent

gpg_tty
invalid

(John Dyer) #1

I am unable to connect to a host using my GPG Agent. I have tried setting IdentityAgent to SSH_AUTH_SOCK and also to the string /Users/johndye/.gnupg/S.gpg-agent.ssh, but it doesn't appear to help either.

logs

08:33:37 Connecting…
08:33:37 OpenSSH_7.5p1, LibreSSL 2.5.5
08:33:37 debug1: Reading configuration data /Users/johndye/.ssh/config
08:33:37 debug1: /Users/johndye/.ssh/config line 1: Applying options for *
08:33:37 debug1: /Users/johndye/.ssh/config line 87: Applying options for *-achmzxxxxxxxx
08:33:37 debug1: Reading configuration data /etc/ssh/ssh_config
08:33:37 debug1: /etc/ssh/ssh_config line 3: Applying options for *
08:33:37 debug1: Setting implicit ProxyCommand from ProxyJump: ssh -vvv -W '[%h]:%p' bastion-util.xxxxxxxxxx
08:33:37 Control socket connect(/Users/johndye/.ssh/master@bee866c3c2ba2f7129370ef47cdf84a59d432b6c:22): Connection refused
08:33:37 debug1: Executing proxy xpc
08:33:37 debug1: identity file /Users/johndye/.ssh/id_rsa type 1
08:33:37 Jumping…
08:33:37 debug1: key_load_public: No such file or directory
08:33:37 debug1: identity file /Users/johndye/.ssh/id_rsa-cert type -1
08:33:37 debug1: identity file /Users/johndye/.ssh/id_dsa type 2
08:33:37 debug1: key_load_public: No such file or directory
08:33:37 debug1: identity file /Users/johndye/.ssh/id_dsa-cert type -1
08:33:37 debug1: key_load_public: No such file or directory
08:33:37 debug1: identity file /Users/johndye/.ssh/id_ecdsa type -1
08:33:37 debug1: key_load_public: No such file or directory
08:33:37 debug1: identity file /Users/johndye/.ssh/id_ecdsa-cert type -1
08:33:37 debug1: key_load_public: No such file or directory
08:33:37 debug1: identity file /Users/johndye/.ssh/id_ed25519 type -1
08:33:37 debug1: key_load_public: No such file or directory
08:33:37 debug1: identity file /Users/johndye/.ssh/id_ed25519-cert type -1
08:33:37 debug1: Enabling compatibility mode for protocol 2.0
08:33:37 debug1: Local version string SSH-2.0-OpenSSH_7.5
08:33:37 OpenSSH_7.5p1, LibreSSL 2.5.5
08:33:37 debug1: Reading configuration data /Users/johndye/.ssh/config
08:33:37 debug1: /Users/johndye/.ssh/config line 1: Applying options for *
08:33:37 debug1: /Users/johndye/.ssh/config line 87: Skipping Host block because of negated match for bastion-util.xxxxxxxxxx
08:33:37 debug1: Reading configuration data /etc/ssh/ssh_config
08:33:37 debug1: /etc/ssh/ssh_config line 3: Applying options for *
08:33:37 debug1: auto-mux: Trying existing master
08:33:37 debug1: Control socket "/Users/johndye/.ssh/master@3fbdd1f989de7cf844a4092052c87f087654959a:22" does not exist
08:33:37 debug2: resolving "bastion-util.xxxxxxxxxx" port 22
08:33:37 debug2: ssh_connect_direct: needpriv 0
08:33:37 debug1: Connecting to bastion-util.xxxxxxxxxx [xxx.xxx.xx.xxx] port 22.
08:33:37 debug1: Connection established.
08:33:37 debug1: identity file /Users/johndye/.ssh/id_rsa type 1
08:33:37 debug1: key_load_public: No such file or directory
08:33:37 debug1: identity file /Users/johndye/.ssh/id_rsa-cert type -1
08:33:37 debug1: identity file /Users/johndye/.ssh/id_dsa type 2
08:33:37 debug1: key_load_public: No such file or directory
08:33:37 debug1: identity file /Users/johndye/.ssh/id_dsa-cert type -1
08:33:37 debug1: key_load_public: No such file or directory
08:33:37 debug1: identity file /Users/johndye/.ssh/id_ecdsa type -1
08:33:37 debug1: key_load_public: No such file or directory
08:33:37 debug1: identity file /Users/johndye/.ssh/id_ecdsa-cert type -1
08:33:37 debug1: key_load_public: No such file or directory
08:33:37 debug1: identity file /Users/johndye/.ssh/id_ed25519 type -1
08:33:37 debug1: key_load_public: No such file or directory
08:33:37 debug1: identity file /Users/johndye/.ssh/id_ed25519-cert type -1
08:33:37 debug1: Enabling compatibility mode for protocol 2.0
08:33:37 debug1: Local version string SSH-2.0-OpenSSH_7.5
08:33:37 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
08:33:37 debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
08:33:37 debug2: fd 5 setting O_NONBLOCK
08:33:37 debug1: Authenticating to bastion-util.xxxxxxxxxx:22 as 'johndye'
08:33:37 debug3: hostkeys_foreach: reading file "/Users/johndye/.ssh/known_hosts"
08:33:37 debug3: record_hostkey: found key type RSA in file /Users/johndye/.ssh/known_hosts:2443
08:33:37 debug3: load_hostkeys: loaded 1 keys from bastion-util.xxxxxxxxxx
08:33:37 debug3: hostkeys_foreach: reading file "/Users/johndye/.ssh/known_hosts2"
08:33:37 debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
08:33:37 debug3: send packet: type 20
08:33:37 debug1: SSH2_MSG_KEXINIT sent
08:33:37 debug3: receive packet: type 20
08:33:37 debug1: SSH2_MSG_KEXINIT received
08:33:37 debug2: local client KEXINIT proposal
08:33:37 debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
08:33:37 debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
08:33:37 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
08:33:37 debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
08:33:37 debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
08:33:37 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
08:33:37 debug2: compression ctos: none,zlib@openssh.com,zlib
08:33:37 debug2: compression stoc: none,zlib@openssh.com,zlib
08:33:37 debug2: languages ctos:
08:33:37 debug2: languages stoc:
08:33:37 debug2: first_kex_follows 0
08:33:37 debug2: reserved 0
08:33:37 debug2: peer server KEXINIT proposal
08:33:37 debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
08:33:37 debug2: host key algorithms: ssh-rsa,ssh-dss
08:33:37 debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr
08:33:37 debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr
08:33:37 debug2: MACs ctos: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
08:33:37 debug2: MACs stoc: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
08:33:37 debug2: compression ctos: none,zlib@openssh.com
08:33:37 debug2: compression stoc: none,zlib@openssh.com
08:33:37 debug2: languages ctos:
08:33:37 debug2: languages stoc:
08:33:37 debug2: first_kex_follows 0
08:33:37 debug2: reserved 0
08:33:37 debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
08:33:37 debug1: kex: host key algorithm: ssh-rsa
08:33:37 debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
08:33:37 debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
08:33:37 debug3: send packet: type 34
08:33:37 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
08:33:37 debug3: receive packet: type 31
08:33:37 debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
08:33:37 debug2: bits set: 1501/3072
08:33:37 debug3: send packet: type 32
08:33:37 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
08:33:38 debug3: receive packet: type 33
08:33:38 debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
08:33:38 debug1: Server host key: ssh-rsa SHA256:J5bE4OXwKzPd0g1exfLl7O0Gxs8E7pBdHO6vriMqBsU
08:33:38 debug3: hostkeys_foreach: reading file "/Users/johndye/.ssh/known_hosts"
08:33:38 debug3: record_hostkey: found key type RSA in file /Users/johndye/.ssh/known_hosts:2443
08:33:38 debug3: load_hostkeys: loaded 1 keys from bastion-util.xxxxxxxxxx
08:33:38 debug3: hostkeys_foreach: reading file "/Users/johndye/.ssh/known_hosts2"
08:33:38 debug3: hostkeys_foreach: reading file "/Users/johndye/.ssh/known_hosts"
08:33:38 debug3: record_hostkey: found key type RSA in file /Users/johndye/.ssh/known_hosts:2371
08:33:38 debug3: load_hostkeys: loaded 1 keys from xxx.xxx.xx.xxx
08:33:38 debug3: hostkeys_foreach: reading file "/Users/johndye/.ssh/known_hosts2"
08:33:38 debug1: Host 'bastion-util.xxxxxxxxxx' is known and matches the RSA host key.
08:33:38 debug1: Found key in /Users/johndye/.ssh/known_hosts:2443
08:33:38 debug2: bits set: 1577/3072
08:33:38 debug3: send packet: type 21
08:33:38 debug2: set_newkeys: mode 1
08:33:38 debug1: rekey after 4294967296 blocks
08:33:38 debug1: SSH2_MSG_NEWKEYS sent
08:33:38 debug1: expecting SSH2_MSG_NEWKEYS
08:33:38 debug3: receive packet: type 21
08:33:38 debug1: SSH2_MSG_NEWKEYS received
08:33:38 debug2: set_newkeys: mode 0
08:33:38 debug1: rekey after 4294967296 blocks
08:33:38 debug2: key: /Users/johndye/.ssh/id_rsa (0x7fa26ac023f0)
08:33:38 debug1: Skipping ssh-dss key /Users/johndye/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes
08:33:38 debug2: key: /Users/johndye/.ssh/id_ecdsa (0x0)
08:33:38 debug2: key: /Users/johndye/.ssh/id_ed25519 (0x0)
08:33:38 debug3: send packet: type 5
08:33:38 debug3: receive packet: type 6
08:33:38 debug2: service_accept: ssh-userauth
08:33:38 debug1: SSH2_MSG_SERVICE_ACCEPT received
08:33:38 debug3: send packet: type 50
08:33:38 debug3: receive packet: type 53
08:33:38 debug3: input_userauth_banner
08:33:38 debug3: receive packet: type 51
08:33:38 debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
08:33:38 debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
08:33:38 debug3: preferred publickey,keyboard-interactive,password
08:33:38 debug3: authmethod_lookup publickey
08:33:38 debug3: remaining preferred: keyboard-interactive,password
08:33:38 debug3: authmethod_is_enabled publickey
08:33:38 debug1: Next authentication method: publickey
08:33:38 debug1: Offering RSA public key: /Users/johndye/.ssh/id_rsa
08:33:38 debug3: send_pubkey_test
08:33:38 debug3: send packet: type 50
08:33:38 debug2: we sent a publickey packet, wait for reply
08:33:38 debug3: receive packet: type 51
08:33:38 debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
08:33:38 debug1: Trying private key: /Users/johndye/.ssh/id_ecdsa
08:33:38 debug3: no such identity: /Users/johndye/.ssh/id_ecdsa: No such file or directory
08:33:38 debug1: Trying private key: /Users/johndye/.ssh/id_ed25519
08:33:38 debug3: no such identity: /Users/johndye/.ssh/id_ed25519: No such file or directory
08:33:38 debug2: we did not send a packet, disable method
08:33:38 ssh_exchange_identification: Connection closed by remote host
08:33:38 Abnormal Disconnect

(Yang.Y) #2

Could you please paste the “Equivalent Command” to Terminal.app and see what happens next?


(John Dyer) #3

It works as expected

ssh -T -N -4 -A -J bastion-util-achm.xxxx.com -vvv -L 127.0.0.1:8086:influxdbproxy-metricsachm-457-achm-admin.xxxx.com:8086 -o ServerAliveInterval=15 -o IdentityAgent=/Users/johndye/.gnupg/S.gpg-agent.ssh -o ControlMaster=no -o ExitOnForwardFailure=no -o TCPKeepAlive=yes johndye@influxdbproxy-metricsachm-457-achm-admin.xxxx.com

ssh-failure.txt (22.8 KB)


(Yang.Y) #4

Thanks a lot for the log file. Comparing the two log files, it seems the gpg key failed to load from the agent ~/.gnupg/S.gpg-agent.ssh:

debug2: key: cardno:000608622894 (0x7f87d2f16300), agent

Are you using YubiKey with GPG and SSH? Does your gpg key require a passphrase? What’s the value of GPG_TTY environment variable in your .bashrc or .profile file?


(John Dyer) #5

Yes, I am using it with a YubiKey. The key does require a PIN.

Here is the value of GPG_TTY

❯ echo $GPG_TTY [09:34:05]
/dev/ttys003

(Yang.Y) #6

OK, I think that is the problem: YubiKey relies on GPG_TTY for the PIN, but Core Tunnel is a GUI app and has no tty allocated.

I’ll investigate this problem and try to find a solution.


(John Dyer) #7

Any chance you’ve had some time to look into this ?


(Yang.Y) #8

We’re working on an update release, I’ll review this again after that.


(John Dyer) #9

Thanks, please let me know what you find


(John Dyer) #10

Hey, just wanted to check in here… Hate to nag, but I did purchase the app and at this point I can't really use it in its current form, which of course is disappointing.


(Yang.Y) #11

I know this is urgent, but it's really harder to solve than I thought. Let me give an explanation:

  1. For GPG Agent, GPG_TTY environment variable must be set to GPG_TTY=`tty`
  2. What matters is, there is no damn tty device in GUI applications

On macOS there is a GUI pinentry tool, and someone reported that it can solve the problem; could you please give that a try?


(Yang.Y) #12

Forgot to mention, please use Homebrew to install pinentry-mac:

brew install gnupg gpg-agent pinentry-mac

(John Dyer) #13

So I do use the GUI pinentry program; this is what I am prompted for when I do a typical ssh from iTerm. How would I get your app to do the same?


(Yang.Y) #14

I just purchased a YubiKey 4 on US Amazon, and will try to figure out why Core Tunnel is not working with YubiKey. Amazon shows the device will be delivered to me on Dec 18, please wait a while.

And if you get a chance, please do some tests by following this article:

Also take a look at:

Enabling the enable-ssh-support option is the key point of the article, and some people reported that adding the following line to gpg-agent.conf will make gpg-agent work with a graphical session:

display :0

(John Dyer) #15

I've tried most of these. I also really appreciate you ordering one to try and get this sorted!


(Yang.Y) #16

John, I've set up YubiKey, and I confirm it works with Core Tunnel and pinentry-mac flawlessly. Could you please paste your ~/.gnupg/gpg-agent.conf file content? And here is mine:

enable-ssh-support
pinentry-program /usr/local/bin/pinentry-mac
default-cache-ttl 60
max-cache-ttl 120

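A small configuration check for the two things this thread turns on: gpg-agent.conf needs enable-ssh-support (so the agent serves S.gpg-agent.ssh at all) and a GUI pinentry-program (because a GUI app like Core Tunnel has no tty for GPG_TTY, as post #11 explains), and the ssh side must point IdentityAgent or SSH_AUTH_SOCK at that socket. This is an added shell example, not Core Tunnel's or GnuPG's code; the function names and the sample config contents are constructed for the demonstration, and the pinentry path is only warned about because it differs between Homebrew layouts.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks a gpg-agent.conf for the
# options needed to answer SSH requests from a GUI session, and checks that the
# socket path handed to ssh is the agent's SSH socket. Function names are hypothetical.

# check_gpg_agent_conf FILE
#   prints one finding per line; returns 0 if the config is usable, 1 otherwise
check_gpg_agent_conf() {
    conf="$1"
    status=0
    if [ ! -r "$conf" ]; then
        echo "MISSING: $conf not found or not readable"
        return 1
    fi
    # commented-out lines ("# enable-ssh-support") must not count as enabled
    if ! grep -Eq '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$conf"; then
        echo "MISSING: enable-ssh-support (agent will not expose S.gpg-agent.ssh)"
        status=1
    fi
    pinentry=$(sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}//p' "$conf" | head -n 1)
    if [ -z "$pinentry" ]; then
        echo "MISSING: pinentry-program (default is a tty pinentry, which a GUI app cannot drive)"
        status=1
    elif [ ! -x "$pinentry" ]; then
        # path differs between Homebrew installs; not fatal for the config check itself
        echo "WARN: pinentry-program '$pinentry' is not executable on this machine"
    else
        echo "OK: pinentry-program $pinentry"
    fi
    return $status
}

# ssh_socket_is_gpg_agent PATH
#   returns 0 when PATH names the gpg-agent SSH socket (and warns if it is not live)
ssh_socket_is_gpg_agent() {
    sock="$1"
    case "$sock" in
        */S.gpg-agent.ssh) ;;
        *) echo "WRONG SOCKET: '$sock' is not .../S.gpg-agent.ssh"; return 1 ;;
    esac
    if [ ! -S "$sock" ]; then
        echo "WARN: $sock is not a live socket; is gpg-agent running with enable-ssh-support?"
    fi
    return 0
}

# --- constructed sample configs for a stand-alone run ---
tmp=$(mktemp -d)
printf 'enable-ssh-support\npinentry-program /usr/local/bin/pinentry-mac\ndefault-cache-ttl 60\nmax-cache-ttl 120\n' > "$tmp/good.conf"
printf '# enable-ssh-support\ndefault-cache-ttl 60\n' > "$tmp/bad.conf"

for f in "$tmp/good.conf" "$tmp/bad.conf"; do
    echo "== $f"
    if check_gpg_agent_conf "$f"; then echo "result: usable"; else echo "result: needs changes"; fi
done
ssh_socket_is_gpg_agent "$tmp/S.gpg-agent.ssh"
ssh_socket_is_gpg_agent "$tmp/agent.sock" || true
```

Run it against your real file with `check_gpg_agent_conf ~/.gnupg/gpg-agent.conf` and against the path you give IdentityAgent with `ssh_socket_is_gpg_agent /Users/johndye/.gnupg/S.gpg-agent.ssh`; a MISSING line maps directly onto the two settings discussed above.
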
(Yang.Y) #17

Since I've confirmed that both YubiKey and GPG agent can work with Core Tunnel without issue, I'm going to close this bug report. Please file another report if you still experience the problem, thanks.