I'm trying to use keys from GnuPG (gpg-agent) for SSH/SFTP.
(Used https://opensource.com/article/19/4/gpg-subkeys-ssh.)
For implementing this in Bash, I have in ${HOME}/.bashrc:
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
and in ${HOME}/.gnupg/gpg-agent.conf:
enable-ssh-support
For Bash, via ssh command, it works: it uses keys from GnuPG.
How do I implement it for Thunar's SFTP?
I use Calculate Linux (Gentoo) and XFCE.
Offline
This may help.
Siduction
Debian Sid
Xfce 4.20 with Wayland/Labwc
Offline
Hello and welcome.
Thunar works for me out of the box once the keys are set up. On the client, I create my key pair, copy my public key to the server's authorized keys list, and voilà. The default gpg-agent is running in Xfce (xfce4-session will start it if gnupg is installed).
Mark solved threads as [SOLVED] to make it easier for others to find solutions.
--- How To Ask For Help | FAQ | Developer Wiki | Community | Contribute ---
Offline
Who starts `gpg-agent`? It's started and logs to `${HOME}/.xsession-errors`. But where is it started? I see nothing about it in XFCE's "Sessions & Startup" settings.
Offline
It's hard-coded. See: https://git.xfce.org/xfce/xfce4-session … -4.14#n195.
Offline
It's hard-coded. See: https://git.xfce.org/xfce/xfce4-session … -4.14#n195.
Ok, thanks! But could it be someone else? Because:
$ xfconf-query -c xfce4-session -p "/startup/ssh-agent/enabled"
false
$ xfconf-query -c xfce4-session -p "/startup/gpg-agent/enabled"
false
but
$ pstree -a | grep gpg
|-gpg-agent --homedir /home/sasha/.gnupg --use-standard-socket --daemon
(And the arguments differ from the hard-coded ones.)
Offline
Interesting. Investigating further...
$ pstree -a | grep gpg
| |-gpg-agent --supervised
$ systemctl --user status gpg-agent.service
● gpg-agent.service - GnuPG cryptographic agent and passphrase cache
     Loaded: loaded (/usr/lib/systemd/user/gpg-agent.service; static; vendor pr>
     Active: active (running) since Tue 2020-04-21 20:19:02 EDT; 1 day 10h ago
TriggeredBy: ● gpg-agent.socket
             ● gpg-agent-ssh.socket
             ● gpg-agent-extra.socket
             ● gpg-agent-browser.socket
       Docs: man:gpg-agent(1)
   Main PID: 784 (gpg-agent)
     CGroup: /user.slice/user-1000.slice/user@1000.service/gpg-agent.service
             └─784 /usr/bin/gpg-agent --supervised
$ cat /usr/lib/systemd/user/gpg-agent.service
[Unit]
Description=GnuPG cryptographic agent and passphrase cache
Documentation=man:gpg-agent(1)
Requires=gpg-agent.socket
[Service]
ExecStart=/usr/bin/gpg-agent --supervised
ExecReload=/usr/bin/gpgconf --reload gpg-agent
So on my system (Arch) it is started by a user-based systemd service installed by the gnupg package. Do you have something similar in Gentoo?
Offline
Hm. I'm an idiot. I saw it via htop via bash. And as I wrote above, I put the start of gpg-agent in ${HOME}/.bashrc.
Offline
Well, then go to the start.
In bash:
I start gpg-agent.
ssh host then uses GnuPG keys.
I kill Thunar and then start it.
It doesn't use GnuPG keys...
Hm...
Offline
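A diagnostic for the situation described in the post above, as an added example that is not part of the thread: it reports which SSH agent socket a running process was started with and whether it matches gpg-agent's SSH socket. The function names and the process names in the usage comment are assumptions; it relies only on /proc/<pid>/environ, pgrep and the gpgconf call already shown in the first post.

```bash
#!/usr/bin/env bash
# Added example: report which SSH agent socket a process was started with.

# Print the value of SSH_AUTH_SOCK stored in a NUL-separated environ file
# (the format of /proc/<pid>/environ); print nothing if it is unset.
auth_sock_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^SSH_AUTH_SOCK=//p' | head -n 1
}

# Classify one environ file against the expected gpg-agent SSH socket.
# Result: "gpg-agent", "other:<path>" or "unset".
classify_environ() {
    local environ_file expected actual
    environ_file=$1
    expected=$2
    actual=$(auth_sock_from_environ "$environ_file")
    if [ -z "$actual" ]; then
        echo "unset"
    elif [ "$actual" = "$expected" ]; then
        echo "gpg-agent"
    else
        echo "other:$actual"
    fi
}

# Check every running process of the current user whose name matches $1.
# Prints: PID, process name, classification (tab-separated).
check_processes() {
    local pattern expected pid
    pattern=$1
    expected=$(gpgconf --list-dirs agent-ssh-socket) || return 1
    for pid in $(pgrep -u "$(id -u)" -- "$pattern"); do
        printf '%s\t%s\t%s\n' "$pid" "$(cat "/proc/$pid/comm")" \
            "$(classify_environ "/proc/$pid/environ" "$expected")"
    done
}

# Usage (process names are assumptions; adjust to your session):
#   check_processes 'bash|Thunar|gvfsd'
```

A process reported as "unset" or "other:..." was not started with the socket exported in ${HOME}/.bashrc, so it cannot reach the keys held by gpg-agent.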
I start gpg-agent.
What happens if you don't? Does a version (the systemd service one) start automatically instead? And if so, does it work with Thunar?
Offline
Before I start gpg-agent:
Nobody except the hard-coded XFCE startup starts gpg-agent on my system.
ssh uses GnuPG if and only if gpg-agent is started (no matter who started it; but I think the enable-ssh-support setting is needed).
Thunar never uses GnuPG keys.
Thanks!
Offline
I'm not sure what to say. I downloaded the Calculate Linux Xfce ISO and fired it up in a VM.
With no config changes, I created and copied over a key (no passphrase):
$ ssh-keygen -t rsa
$ ssh-copy-id toz@10.0.2.2
...and was able to connect via "ssh toz@10.0.2.2" and via Thunar with "sftp://toz@10.0.2.2" with no problem and no passwords required.
Do you get any error messages in ~/.xsession-errors when you try with Thunar?
Offline
You're talking about SSH keys. They work for Thunar.
GnuPG keys don't.
I'm willing to write to Thunar's Bugzilla.
Offline
As I understand it ssh keys and GPG keys are two different things for two different purposes.
ssh keys provide a "secret handshake" to authorize a connection between you and the server.
GnuPG keys are used to verify an item such as a download or a message or can be used to unlock an encrypted message etc.
I don't know if you can use one in place of the other or if this would even be a good idea.
Offline
As I understand it ssh keys and GPG keys are two different things for two different purposes.
No and yes. Keys' purposes are the same. But:
ssh keys provide a "secret handshake" to authorize a connection between you and the server.
GnuPG keys are used to verify an item such as a download or a message or can be used to unlock an encrypted message etc. I don't know if you can use one in place of the other or if this would even be a good idea.
No. ssh-agent and gpg-agent are just "keyrings" here. They store RSA, DSA, etc. public and private keys, both.
Last edited by kuraga (2020-04-27 08:08:20)
Offline
I've started an issue on XFCE's bugzilla: https://bugzilla.xfce.org/show_bug.cgi?id=16758
Offline