Ubuntu
gnupg2 package

gpg-agent upstart script doesn't set SSH environment variables

Bug #1407513 reported by Mark Adams on 2015-01-04
26
This bug affects 7 people
Affects Status Importance Assigned to Milestone
gnupg2 (Ubuntu)
Fix Released
Undecided
Unassigned
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

Background:
GPG supports authentication keys that can be used in place of normal SSH keys with little effort on the part of the user by using the "enable-ssh-support" option in ~/.gnupg/gpg-agent.conf. If the "enable-ssh-support" option is present, the gpg-agent will emulate the ssh-agent application and export SSH_AUTH_SOCK and SSH_AGENT_PID environment variables so that SSH-related applications will know how to contact the gpg-agent to request operations against the user's SSH keys. The primary use-case for this is for users who have GPG authentication keys stored on a GPG smartcard and wish to use those keys for SSH purposes.

Prerequisites:
Typically, gpg-agent has SSH_AUTH_SOCK and SSH_AGENT_PID overwritten by either gnome-keyring or ssh-agent upstart jobs if they are enabled so for the use case of using GPG authentication keys in place of normal SSH keys, we are assuming that both of these services are being bypassed by setting their ~/.config/upstart/{job}.override files to "manual" leaving gpg-agent as the only remaining process that will try and set the environment variables.

Expected:
When gpg-agent.conf contains "enable-ssh-support", the SSH_AUTH_SOCK and SSH_AGENT_PID environment variables should be set globally by the debian/gpg-agent.user-session.upstart script

(Note: This should only happen if "use-agent" is present in the gpg.conf as well. Otherwise, the gpg-agent won't start and if the gpg-agent is not started, all of this is pointless)

Actual:
SSH_AUTH_SOCK and SSH_AGENT_PID are not set when the gpg-agent upstart job is started and SSH-related applications cannot access keys that are in GPG. GPG_AGENT_INFO is set properly by the upstart job.

Additional info:

lsb_release -rd:

Description: Ubuntu 14.10
Release: 14.10

apt-cache policy gnupg2:

  Installed: 2.0.24-1ubuntu2
  Candidate: 2.0.24-1ubuntu2
  Version table:
 *** 2.0.24-1ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ utopic/main amd64 Packages
        100 /var/lib/dpkg/status

Related branches

lp:~kramsmada/ubuntu/vivid/gnupg2/1407513-gpg-agent-set-ssh-env-vars
Marc Deslauriers: Approve on 2015-04-28
Diff: 44 lines (+22/-0)
2 files modified
debian/changelog (+8/-0)
debian/gpg-agent.user-session.upstart (+14/-0)
lp:ubuntu/wily/gnupg2
Mark Adams (kramsmada) on 2015-01-04
affects: gnupg (Ubuntu) → gnupg2 (Ubuntu)
Mark Adams (kramsmada) wrote :

I've added a fix for this issue and requested review. (I marked ~mdeslaur as reviewer, but anyone who wants can comment).

I am a new contributor so I definitely welcome your feedback.

Mark Adams (kramsmada) wrote :

Patch ready for review: https://code.launchpad.net/~kramsmada/ubuntu/vivid/gnupg2/1407513-gpg-agent-set-ssh-env-vars/+merge/245538

Changed in gnupg2 (Ubuntu):
status: New → Fix Committed
Dimitri John Ledkov (xnox) on 2015-02-23
Changed in gnupg2 (Ubuntu):
status: Fix Committed → Confirmed
Michael Bienia (geser) wrote :

See also bug #1257706 which this bug is a duplicate of and should be merged with (I'm not sure yet in which direction to merge these bugs).

Iain Lane (laney) wrote :

Uploaded, thanks!

Changed in gnupg2 (Ubuntu):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnupg2 - 2.0.26-6ubuntu2

---------------
gnupg2 (2.0.26-6ubuntu2) wily; urgency=medium

  [ Mark Adams ]
  * Updated debian/gpg-agent.user-session.upstart so that global environment
    variables SSH_AUTH_SOCK and SSH_AGENT_PID are set if gpg-agent is running
    with SSH support. LP: #1407513

  [ Iain Lane ]
  * Fix whitespace in user session job.

 -- Mark Adams <email address hidden> Tue, 05 May 2015 13:09:36 +0100

Changed in gnupg2 (Ubuntu):
status: Fix Committed → Fix Released
Dimitri John Ledkov (xnox) wrote :

This looks very cool, I'll test it more.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers