Bdtyktl

Using gpg from a console-based environment such as ssh sessions fails because the GTK pinentry dialog cannot be shown in a SSH session.

I tried unset DISPLAY but it did not help. The GPG command line options do not include a switch for forcing the pinentry to console-mode.

Older GPG versions offered a text-based prompt that worked fine in SSH sessions but after the upgrade it just fails.

There is the --textmode command line switch but apparently, it does something else.

What would be the proper and clean way of getting plain-text pin entry for remote sessions?

To change the pinentry permanently, append the following to your ~/.gnupg/gpg-agent.conf:

pinentry-program /usr/bin/pinentry-tty

(In older versions which lack pinentry-tty, use pinentry-curses for a 'full-terminal' dialog window.)

Tell the GPG agent to reload configuration:

gpg-connect-agent reloadagent /bye

I just had this problem on Ubuntu 16.04.3 when trying to generate/install a private key using gpg2 (2.1.11) on a system account without a password, and on a user account over ssh. Nothing worked giving:

gpg: key FE17AE6D/FE17AE6D: error sending to agent: Permission denied

gpg: error building skey array: Permission denied

I then found this which worked for me, so in brief:

pico ~/.gnupg/gpg-agent.conf

# add: allow-loopback-pinentry

gpg-connect-agent reloadagent /bye

gpg2 --pinentry-mode loopback --import private.key

To prevent the pinentry popup you could ssh localhost. Optionally forcing X11 disabled, -x Disables X11 forwarding. See the full example below.

patrick@patrick-C504:~$ ssh localhost

patrick@localhost's password: 

Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-68-generic x86_64)



 * Documentation:  https://help.ubuntu.com/



Last login: Mon Nov 16 22:48:53 2015 from localhost

patrick@patrick-C504:~$ gpg --gen-key

gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.



Please select what kind of key you want:

   (1) RSA and RSA (default)

   (2) DSA and Elgamal

   (3) DSA (sign only)

   (4) RSA (sign only)

Your selection? 4

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048) 

Requested keysize is 2048 bits

Please specify how long the key should be valid.

         0 = key does not expire

      <n>  = key expires in n days

      <n>w = key expires in n weeks

      <n>m = key expires in n months

      <n>y = key expires in n years

Key is valid for? (0) 

Key does not expire at all

Is this correct? (y/N) y



You need a user ID to identify your key; the software constructs the user ID

from the Real Name, Comment and Email Address in this form:

    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"



Real name: Foo

Name must be at least 5 characters long

Real name: FooBar

Email address: foorbar@foo.bar

Comment: 

You selected this USER-ID:

    "FooBar <foorbar@foo.bar>"



Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a Passphrase to protect your secret key.



gpg: gpg-agent is not available in this session

Enter passphrase:

I'll copy my answer from over here...

Looking at man pinentry-gnome3, I see this:

   pinentry-gnome3  implements  a PIN entry dialog based on GNOME 3, which

   aims to follow the GNOME Human Interface Guidelines as closely as  pos‐

   sible.   If the X Window System is not active then an alternative text-

   mode dialog will be used.  There are other flavors that  implement  PIN

   entry dialogs using other tool kits.

Unfortunately, this text-mode fallback doesn't work for me. It seems others have the same issue. However, this comment spurred my to try a different GUI pin-entry program: pinentry-gtk2. You can switch like this:

> sudo update-alternatives --config pinentry

There are 3 choices for the alternative pinentry (providing /usr/bin/pinentry).



  Selection    Path                      Priority   Status

------------------------------------------------------------

* 0            /usr/bin/pinentry-gnome3   90        auto mode

  1            /usr/bin/pinentry-curses   50        manual mode

  2            /usr/bin/pinentry-gnome3   90        manual mode

  3            /usr/bin/pinentry-gtk-2    85        manual mode



Press <enter> to keep the current choice[*], or type selection number: 3

update-alternatives: using /usr/bin/pinentry-gtk-2 to provide /usr/bin/pinentry (pinentry) in manual mode

Once I switched, it worked perfectly for me! In a terminal on the desktop, it will use the GUI password entry, but when I ssh into my machine, it will use a text-mode password entry.

If you don't have it, install pinentry-curses with yum or apt-get.

Then, run:

sudo update-alternatives --config pinentry

And select pinentry-curses from the list.

I found the "full example" in PvdL's answer a bit confusing, here's what I do:

ssh -X machine

# work hack hack work until I need something from gpg

ssh -x localhost -p$port

gpg2 --decrypt file.gpg

# enter password to pinentry

exit

# now the key is unlocked in gpg-agent, and I can keep decrypting files

# from my X ssh session without being asked for the password

On a debian box:

sudo apt install pinentry-tty

sudo update-alternatives --config pinentry

(and set it to pinentry-tty)