Bug 259789 - app-crypt/gnupg-2.0.10: USE="-smartcard" not honored by gpg-agent's ssh support
Summary: app-crypt/gnupg-2.0.10: USE="-smartcard" not honored by gpg-agent's ssh support
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Crypto team [DISABLED]
Reported: 2009-02-21 09:01 UTC by Boney McCracker
Modified: 2010-10-13 17:11 UTC
Description Boney McCracker 2009-02-21 09:01:30 UTC
gpg-agent purports to function as a drop-in replacement for ssh-agent, allowing one to use a single application for caching of keys and passphrases of both types.
(See gpg-agent(1), "--enable-ssh-support" option.)

It seems like code supporting smart-card functionality is interfering with the ssh support.

Reproducible: Always

Steps to Reproduce:
1. Install and configure gnupg and openssh properly.
2. Verify that gnupg and openssh function properly in all respects.
3. Verify that gpg-agent functions properly.
4. Add the "--enable-ssh-support" option.
5. Reboot.
6. Cache ssh key and passphrase with 'ssh-add'.
7. Attempt to connect to an ssh host.

Actual Results:  
Everything works, except upon attempting to connect to an ssh host, gpg-agent emits:

"error getting default authentication keyID of card: Not supported"

Note that I have USE="-smartcard" and am also using the option "--disable-scdaemon".  I don't understand why gpg-agent is apparently failing because it is unable to access a "card", when that functionality is supposed to be disabled.

I have also tried rebuilding the application with USE="smartcard" (and --disable-scdaemon).  I even tried leaving out the "--disable-scdaemon" option, but that naturally fails.  I have also tried placing the options on the command line versus in a gpg-agent.conf file.  I have also tried running gpg-agent as root.

The outcome is receiving the error, "Permission denied (publickey).", at every ssh-connection attempt (and the "error getting default authentication keyID of card: Not supported" if using the "--log-file" option).

Expected Results:  
gpg-agent should not be attempting to retrieve an authentication keyID from a card.  The ssh key is already stored properly in gnupg/private-keys-v1.d (encrypted), and the passphrase is cached.  Authentication should be granted, just as it is when I interactively provide the passphrase for my ssh key.

I am presently launching gpg-agent with this code in ~/.xsession:

# start gpg-agent if none is running; with "daemon" in gpg-agent.conf it
# prints the GPG_AGENT_INFO/SSH_* assignments, which eval puts into this shell
if [ -z "$(pidof gpg-agent)" ]; then
    eval "$(gpg-agent --disable-scdaemon --log-file ~/gpg-agent.log)"
fi


I have the following options in ~/.gnupg/gpg-agent.conf:

  enable-ssh-support
  write-env-file
  daemon

I have the following related code in ~/.bashrc:

# Re-use an already running gpg-agent: ~/.gpg-agent-info is written by the
# write-env-file option and holds GPG_AGENT_INFO=socket:pid:protocol,
# SSH_AUTH_SOCK=... and SSH_AGENT_PID=..., one per line.
inf="${HOME}/.gpg-agent-info"

if [ -f "$inf" ]; then
    checkpid=$(awk 'BEGIN {FS=":"}; /GPG_AGENT_INFO/ {print $2}' "$inf")
    # kill -0 prints nothing, so testing its output with [ $(kill -0 pid) ]
    # is always false and the info file got deleted on every shell start;
    # test the exit status instead.
    if kill -0 "${checkpid}" 2>/dev/null; then
        export $(xargs < "$inf")
        export GPG_TTY=$(tty)
    else
        rm "$inf"
    fi
fi


And here is my emerge --info:

Comment 1 Daniel Black (RETIRED) gentoo-dev 2009-02-21 09:49:09 UTC
Perhaps a strace of some failing processes and comparing them to working processes may indicate a cause. Careful not to disclose a private key too.
Comment 2 Dane Smith (RETIRED) gentoo-dev 2010-08-10 16:14:36 UTC
I was completely unable to replicate this with gnupg-2.0.15. gnupg-2.0.10 is no longer even in the tree. Should this perhaps get closed?
Comment 3 Boney McCracker 2010-08-10 16:27:32 UTC
I have no objection.  I gave up trying to use it for ssh.

Comment 4 Dane Smith (RETIRED) gentoo-dev 2010-08-10 16:30:37 UTC
Disregard my previous comment. I opened my mouth a little too soon and now I get to insert my foot into it. I will see if I can figure out why this is going on and report back. Sorry for the confusion.
Comment 5 Dane Smith (RETIRED) gentoo-dev 2010-08-10 17:55:50 UTC
Ok. I think I have all my facts straight now.

First thing: error getting default authentication keyID of card: Not supported
shows up in my logs regardless of whether I have gpg-agent in a working state or a broken state. I don't believe this was the actual root of the problem.

I did, however, have to deviate from the original circumstances in order to make everything play nice. I changed what was your .bashrc to:

if [ -f "${HOME}/.gpg-agent-info" ]; then
    . "${HOME}/.gpg-agent-info"
    export GPG_AGENT_INFO
    export SSH_AUTH_SOCK
    export SSH_AGENT_PID
fi

I also moved what was originally in .xsession to .kde4/Autostart/01-gpg-agent. Doesn't change anything. Just makes it play nice with kdm etc.

Worth noting, it is possible your original problem had to do with not being able to find pinentry or some other older known bug.

It also would have been in the logs, just under or just over the smartcard one and would have looked like: can't connect to the PIN entry module: IPC connect call failed

End result: I still think this can safely be closed. The current gpg-agent in the tree seems to work fine and the error being produced, although it shows up, appears to be expected and doesn't affect it working.
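The Comment 5 approach (source ~/.gpg-agent-info, export the three variables) combined with the pid liveness check the reporter's original .bashrc was aiming for, as an added POSIX sh example; it is my code, not the reporter's or GnuPG's, and assumes the file layout gpg-agent's write-env-file option produces (GPG_AGENT_INFO=socket:pid:protocol plus SSH_AUTH_SOCK and SSH_AGENT_PID lines). Function names and the demo paths are invented.

```shell
#!/bin/sh
# Added example, not from the bug report or from GnuPG: load the environment
# file that gpg-agent's write-env-file option produces (VAR=value lines;
# GPG_AGENT_INFO is socket:pid:protocol), but only export the variables when
# the recorded agent pid is still alive. Function and file names are my own.

# Extract the pid field from a GPG_AGENT_INFO value ("socket:pid:protocol").
agent_pid_from_info() {
    rest="${1#*:}"                 # drop the socket path
    printf '%s\n' "${rest%%:*}"    # keep the pid, drop the protocol version
}

# Usage: load_gpg_agent_env FILE
# Returns 0 (and exports GPG_AGENT_INFO, SSH_AUTH_SOCK, SSH_AGENT_PID) when
# the agent named in FILE is running; 1 when FILE is missing or stale.
load_gpg_agent_env() {
    inf="$1"
    [ -f "$inf" ] || return 1
    . "$inf"                       # same approach as Comment 5: source it
    pid=$(agent_pid_from_info "${GPG_AGENT_INFO:-}")
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;   # no numeric pid: malformed, treat as stale
    esac
    # kill -0 prints nothing; its exit status is the liveness answer, so use
    # it directly (not via [ $(kill -0 ...) ], which is always false).
    kill -0 "$pid" 2>/dev/null || return 1
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -n "${SSH_AGENT_PID:-}" ] || return 1
    export GPG_AGENT_INFO SSH_AUTH_SOCK SSH_AGENT_PID
    return 0
}

# Demo on a constructed file that records this shell's own pid as the agent,
# so the liveness check passes; a real file lives at ~/.gpg-agent-info.
demo_file=$(mktemp)
printf 'GPG_AGENT_INFO=/tmp/gpg-demo/S.gpg-agent:%s:1\nSSH_AUTH_SOCK=/tmp/gpg-demo/S.gpg-agent.ssh\nSSH_AGENT_PID=%s\n' "$$" "$$" > "$demo_file"
if load_gpg_agent_env "$demo_file"; then
    echo "agent $SSH_AGENT_PID alive, SSH_AUTH_SOCK=$SSH_AUTH_SOCK"
else
    echo "stale agent info in $demo_file"
fi
rm -f "$demo_file"
```

A stale file (agent pid gone) makes the function return 1 without exporting anything, so the caller can remove it and start a fresh agent instead of pointing ssh at a dead socket.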
Comment 6 Boney McCracker 2010-08-10 18:21:49 UTC
Thanks for your help.  I'll have to give it another try some time.

Please feel free to close it.
Comment 7 Dane Smith (RETIRED) gentoo-dev 2010-10-13 17:11:02 UTC
Going ahead and closing.