#1 2020-04-20 20:53:57

kuraga
Member
From: Moscow
Registered: 2020-04-20
Posts: 9

Using ssh-agent + gpg-agent + XFCE: keys from GnuPG

I'm trying to use keys from GnuPG (gpg-agent) for SSH/SFTP.

(Used https://opensource.com/article/19/4/gpg-subkeys-ssh.)

For implementing this in Bash, I have in ${HOME}/.bashrc:

export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent

and in ${HOME}/.gnupg/gpg-agent.conf:

enable-ssh-support

For Bash, via ssh command, it works: it uses keys from GnuPG.

How do I implement it for Thunar's SFTP?

I use Calculate Linux (Gentoo) and XFCE.


#2 2020-04-20 22:08:14

eriefisher
Wanderer
From: ON, Canada
Registered: 2008-10-25
Posts: 934

Re: Using ssh-agent + gpg-agent + XFCE: keys from GnuPG


But it's all right, when you're all in pain and you feel the rain come down
It's alright, when you find your way, then you see it disappear
It's alright....
Chris Cornell


#3 2020-04-20 22:16:33

ToZ
Administrator
From: Canada
Registered: 2011-06-02
Posts: 12,537

Re: Using ssh-agent + gpg-agent + XFCE: keys from GnuPG

Hello and welcome.

Thunar works for me out of the box once the keys are set up. On the client, I create my key pair, copy my public key to the server's authorized keys list, and voilà. The default gpg-agent is running in Xfce (xfce4-session will start it if gnupg is installed).


Mark solved threads as [SOLVED] to make it easier for others to find solutions.
--- How To Ask For Help | FAQ | Developer Wiki  |  Community | Contribute ---


#4 2020-04-22 12:34:50

kuraga
Member
From: Moscow
Registered: 2020-04-20
Posts: 9

Re: Using ssh-agent + gpg-agent + XFCE: keys from GnuPG

Who starts `gpg-agent`? It's started and logs to `${HOME}/.xsession-errors`. But where is it started? I see nothing about it in XFCE's "Sessions & Startup" settings.


#5 2020-04-22 18:28:56

ToZ
Administrator
From: Canada
Registered: 2011-06-02
Posts: 12,537

Re: Using ssh-agent + gpg-agent + XFCE: keys from GnuPG



#6 2020-04-23 11:06:56

kuraga
Member
From: Moscow
Registered: 2020-04-20
Posts: 9

Re: Using ssh-agent + gpg-agent + XFCE: keys from GnuPG

Ok, thanks! But could it be someone else? Because:

$ xfconf-query -c xfce4-session -p "/startup/ssh-agent/enabled"
false
$ xfconf-query -c xfce4-session -p "/startup/gpg-agent/enabled"
false

but

$ pstree -a | grep gpg
  |-gpg-agent --homedir /home/sasha/.gnupg --use-standard-socket --daemon

(And arguments differ from hardcoded.)


#7 2020-04-23 11:25:02

ToZ
Administrator
From: Canada
Registered: 2011-06-02
Posts: 12,537

Re: Using ssh-agent + gpg-agent + XFCE: keys from GnuPG

Interesting. Investigating further...

$ pstree -a | grep gpg
  |   |-gpg-agent --supervised
$ systemctl --user status gpg-agent.service 
● gpg-agent.service - GnuPG cryptographic agent and passphrase cache
     Loaded: loaded (/usr/lib/systemd/user/gpg-agent.service; static; vendor pr>
     Active: active (running) since Tue 2020-04-21 20:19:02 EDT; 1 day 10h ago
TriggeredBy: ● gpg-agent.socket
             ● gpg-agent-ssh.socket
             ● gpg-agent-extra.socket
             ● gpg-agent-browser.socket
       Docs: man:gpg-agent(1)
   Main PID: 784 (gpg-agent)
     CGroup: /user.slice/user-1000.slice/user@1000.service/gpg-agent.service
             └─784 /usr/bin/gpg-agent --supervised
$ cat /usr/lib/systemd/user/gpg-agent.service 
[Unit]
Description=GnuPG cryptographic agent and passphrase cache
Documentation=man:gpg-agent(1)
Requires=gpg-agent.socket

[Service]
ExecStart=/usr/bin/gpg-agent --supervised
ExecReload=/usr/bin/gpgconf --reload gpg-agent

So on my system (arch) it is started by a user-based systemd service installed by the gnupg package. Do you have something similar in gentoo?



#8 2020-04-23 12:16:07

kuraga
Member
From: Moscow
Registered: 2020-04-20
Posts: 9

Re: Using ssh-agent + gpg-agent + XFCE: keys from GnuPG

Hm. I'm an idiot. I saw it via htop via bash. And as I wrote above, I put the start of gpg-agent in ${HOME}/.bashrc.


#9 2020-04-23 12:51:45

kuraga
Member
From: Moscow
Registered: 2020-04-20
Posts: 9

Re: Using ssh-agent + gpg-agent + XFCE: keys from GnuPG

Well, then back to the start.

In bash:

  1. I start gpg-agent.

  2. ssh host then uses GnuPG keys.

  3. I kill Thunar and then start it.

  4. It doesn't use GnuPG keys...

Hm...

Offline
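An added diagnostic, not part of any post in this thread: an `export SSH_AUTH_SOCK=...` in `.bashrc` only reaches bash and the processes started from it, so this sketch compares the `SSH_AUTH_SOCK` each running process actually inherited with gpg-agent's SSH socket. The function names are hypothetical, and the process names in the usage comment assume that Thunar's `sftp://` support is provided by GVFS on the system being checked.

```shell
#!/bin/sh
# Added example (not from the thread): see which agent socket a process inherited.

# Print SSH_AUTH_SOCK from a NUL-separated environ file
# (the format of /proc/<pid>/environ). Prints nothing if the variable is absent.
auth_sock_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^SSH_AUTH_SOCK=//p' | head -n 1
}

# Classify one environ file against the expected gpg-agent SSH socket.
# $1 = environ file, $2 = expected socket path
classify_agent() {
    if [ ! -r "$1" ]; then
        echo "unreadable"
        return 0
    fi
    sock=$(auth_sock_from_environ "$1")
    if [ -z "$sock" ]; then
        echo "unset"                 # process has no agent socket at all
    elif [ "$sock" = "$2" ]; then
        echo "gpg-agent"             # process talks to gpg-agent's SSH socket
    else
        echo "other:$sock"           # some other agent (e.g. plain ssh-agent)
    fi
}

# Report every process of the current user whose name is exactly $1.
report() {
    expected=$(gpgconf --list-dirs agent-ssh-socket)
    for pid in $(pgrep -u "$(id -u)" -x "$1"); do
        printf '%s pid=%s -> %s\n' "$1" "$pid" \
            "$(classify_agent "/proc/$pid/environ" "$expected")"
    done
}

# Usage (process names are assumptions about the desktop being checked):
#   report bash; report Thunar; report gvfsd-sftp
```

A result of `unset` or `other:...` for the file manager's processes alongside `gpg-agent` for bash means the variable has to be set where the desktop session starts, not in `.bashrc`.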

#10 2020-04-23 21:47:38

ToZ
Administrator
From: Canada
Registered: 2011-06-02
Posts: 12,537

Re: Using ssh-agent + gpg-agent + XFCE: keys from GnuPG

kuraga wrote:

I start gpg-agent.

What happens if you don't? Does a version (the systemd service one) start automatically instead? And if so, does it work with thunar?



#11 2020-04-24 08:21:51

kuraga
Member
From: Moscow
Registered: 2020-04-20
Posts: 9

Re: Using ssh-agent + gpg-agent + XFCE: keys from GnuPG

Before I start gpg-agent:

  1. Nobody except XFCE-hardcoded starts gpg-agent on my system.

  2. ssh uses GnuPG if and only if gpg-agent is started (no matter who started it; but I think the enable-ssh-support setting is needed).

  3. Thunar never uses GnuPG keys.

Thanks!


#12 2020-04-24 10:47:08

ToZ
Administrator
From: Canada
Registered: 2011-06-02
Posts: 12,537

Re: Using ssh-agent + gpg-agent + XFCE: keys from GnuPG

I'm not sure what to say. I downloaded the calculate linux xfce iso and fired it up in a VM.

With no config changes, I created and copied over a key (no passphrase):

$ ssh-keygen -t rsa
$ ssh-copy-id toz@10.0.2.2

...and was able to connect via "ssh toz@10.0.2.2" and via thunar with "sftp://toz@10.0.2.2" with no problem and no passwords required.

Do you get any error messages in ~/.xsession-errors when you try with thunar?



#13 2020-04-24 10:50:59

kuraga
Member
From: Moscow
Registered: 2020-04-20
Posts: 9

Re: Using ssh-agent + gpg-agent + XFCE: keys from GnuPG

You are talking about SSH keys. They work for Thunar.

GnuPG keys don't.

I'm willing to write to Thunar's Bugzilla.


#14 2020-04-24 12:49:26

eriefisher
Wanderer
From: ON, Canada
Registered: 2008-10-25
Posts: 934

Re: Using ssh-agent + gpg-agent + XFCE: keys from GnuPG

As I understand it ssh keys and GPG keys are two different things for two different purposes.

ssh keys provide a "secret handshake" to authorize a connection between you and the server.
Gnupg keys are used to verify an item such as a download or a message or can be used to unlock an encrypted message etc.

I don't know if you can use one in place of the other or if this would even be a good idea.



#15 2020-04-27 08:02:51

kuraga
Member
From: Moscow
Registered: 2020-04-20
Posts: 9

Re: Using ssh-agent + gpg-agent + XFCE: keys from GnuPG

eriefisher wrote:

As I understand it ssh keys and GPG keys are two different things for two different purposes.

No and yes. Keys' purposes are the same. But:

eriefisher wrote:

ssh keys provide a "secret handshake" to authorize a connection between you and the server.
Gnupg keys are used to verify an item such as a download or a message or can be used to unlock an encrypted message etc.

I don't know if you can use one in place of the other or if this would even be a good idea.

No. ssh-agent and gpg-agent are just "keyrings" here. They store RSA, DSA, etc. public and private keys, both.

Last edited by kuraga (2020-04-27 08:08:20)


#16 2020-04-27 08:03:57

kuraga
Member
From: Moscow
Registered: 2020-04-20
Posts: 9

Re: Using ssh-agent + gpg-agent + XFCE: keys from GnuPG

I've started an issue on XFCE's bugzilla: https://bugzilla.xfce.org/show_bug.cgi?id=16758
