YubiKey-Guide: Best way to trigger prompt for pin?

Thanks to this guide, I am now using my YubiKey-based GPG credentials for encryption, signing and SSH. I've noticed that inserting the YubiKey and attempting to ssh does not trigger gpg-agent to prompt me for a PIN, though. Explicitly gpg-based operations like decryption do prompt me, so I have resorted to doing gpg -d dummy.gpg after inserting the card in order to get the PIN prompt (which gpg-agent then caches for the configured amount of time).

  • Am I doing something wrong that is preventing ssh requests from triggering a request for my PIN? Any pointers to fix that?
  • Also, is there a more generic way to ping the OpenPGP card to prompt me for a PIN, rather than running a dummy decryption or signing request?

Thanks!

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 17 (4 by maintainers)

Most upvoted comments

Also, is there a more generic way to ping the OpenPGP card to prompt me for a PIN, rather than running a dummy decryption or signing request?

I can at least answer this. Try:

$ gpg-connect-agent 'scd serialno' /bye

to get your card’s serial number. Then:

$ gpg-connect-agent 'scd checkpin <serial>' /bye

putting your card’s serial number instead of <serial>. This should prompt for your card’s PIN if needed. The serial number shouldn’t change, so you can create a shell alias if you like.

Another option is to add these lines to a .bash_profile:

# tell gpg-agent/pinentry which terminal to draw the PIN prompt on
GPG_TTY=$(tty)
export GPG_TTY
# the status line looks like "S SERIALNO <serial> ...", so field 3 is the serial
SERIAL=$(gpg-connect-agent 'scd serialno' /bye | head -n 1 | cut -f3 -d' ')
# force the PIN prompt (and fill the agent's cache) right after login
gpg-connect-agent "scd checkpin $SERIAL" /bye

I had multiple problems with configuring that - I use tmux and TTYs got mixed all the time for some reason.

But @auroraunit217's response got me on the right track, and I fixed my problem by changing the pinentry flavour to qt.

Not sure how to do this in a vanilla config; in NixOS that's:

services.gpg-agent.pinentryFlavor = "qt";

By the way, a command that may help y'all with debugging is journalctl -fan100.

In case anyone still needs a solution for this annoying behaviour, it may be the following: even with export GPG_TTY=$(tty) in your shell's startup files, gpg still does not know where to display the pinentry. But if you invoke echo "UPDATESTARTUPTTY" | gpg-connect-agent > /dev/null 2>&1 and try again, you will be prompted for your PIN as expected.

So if your shell startup looks something like this:

export GNUPGHOME="${HOME}/.gnupg"
export PINENTRY_USER_DATA="USE_CURSES=1" # not relevant to the problem
export GPG_TTY="$(tty)"

export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) # like in the guide
gpgconf --launch gpg-agent # like in the guide

echo "UPDATESTARTUPTTY" | gpg-connect-agent > /dev/null 2>&1

you should be able to use ssh without any of the workarounds above. This was tested twice under macOS 13.3.1. Let me know if this helped you.

@SamMorrowDrums I never found a really nice solution to this; every now and then I just don't get prompted to unlock, particularly on ssh-based tasks. My workaround has been to just make a dummy decryption call, gpg -d somefile.gpg, which usually prompts me for a PIN whenever the card is locked, and then I can repeat my ssh-based command again.

In rare cases I'm told to 'insert key with id XXX' and I have to remove and re-insert the YubiKey. I believe this is due to switching between the YubiKey's GPG functions and its other built-in functions (like the Yubico Authenticator app, for those apps that still don't support U2F).

# add alias for ssh to update the tty
alias ssh="gpg-connect-agent updatestartuptty /bye >/dev/null; ssh"

Add this to your .bashrc or something else that gets loaded on login (mac/Linux); Windows would be different.

It just makes sure everything is connected and happy, to make it more consistent.
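The fixes in this thread are really two separate things: telling gpg-agent which terminal the PIN prompt should appear on (updatestartuptty) and forcing the card to ask for its PIN (scd checkpin), plus the check that ssh is actually talking to gpg-agent's socket. The following shell function, written as an added example rather than code from this thread or from the YubiKey-Guide project, puts the checkpin recipe and the UPDATESTARTUPTTY recipe together and verifies the result with ssh-add -L. It assumes gpg-connect-agent, gpgconf and ssh-add are on PATH and that the card key shows up in ssh-add -L with gpg-agent's usual "cardno:" comment; the serial-number parsing is pure text processing so it can be exercised on a constructed status line.

```shell
#!/bin/sh
# Added example: unlock an OpenPGP card for ssh via gpg-agent.
# Not part of the original thread or the YubiKey-Guide project.
# Assumes gpg-connect-agent, gpgconf and ssh-add are on PATH.

# Pull the serial out of the "S SERIALNO <serial> ..." status line
# that `gpg-connect-agent 'scd serialno' /bye` prints. Prints nothing
# when no such line is present (e.g. the reply was only "OK" or "ERR").
parse_serialno() {
    # $1: full reply text from the agent (may be several lines)
    printf '%s\n' "$1" | awk '$1 == "S" && $2 == "SERIALNO" { print $3; exit }'
}

# Succeeds (returns 0) unless the agent reply contains an "ERR ..." line.
reply_ok() {
    ! printf '%s\n' "$1" | grep -q '^ERR '
}

# Source this file and call yk_unlock from an interactive shell.
yk_unlock() {
    # Only export GPG_TTY when we really have a terminal; pinentry
    # cannot draw on "not a tty".
    if t=$(tty 2>/dev/null); then
        GPG_TTY=$t; export GPG_TTY
    fi
    gpgconf --launch gpg-agent || return 1

    # Re-point the agent at this terminal (the UPDATESTARTUPTTY fix).
    gpg-connect-agent updatestartuptty /bye >/dev/null || return 1

    # Locate the card and force the PIN prompt (the scd checkpin fix).
    serial=$(parse_serialno "$(gpg-connect-agent 'scd serialno' /bye)")
    if [ -z "$serial" ]; then
        echo "no OpenPGP card detected; is the YubiKey inserted?" >&2
        return 1
    fi
    reply=$(gpg-connect-agent "scd checkpin $serial" /bye)
    if ! reply_ok "$reply"; then
        echo "scd checkpin failed: $reply" >&2
        return 1
    fi

    # ssh must use gpg-agent's socket, not a stray ssh-agent.
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket); export SSH_AUTH_SOCK
    if ! ssh-add -L 2>/dev/null | grep -q 'cardno:'; then
        echo "card key not listed by ssh-add -L; check enable-ssh-support" >&2
        return 1
    fi
    echo "card $serial unlocked; ssh-add -L sees the card key"
}
```

Source the file (`. ./yk_unlock.sh`) and run `yk_unlock` after inserting the key, or call it from the ssh alias in the comment above in place of the bare updatestartuptty. Because the PIN check and the socket check are separate steps, a failure tells you which half of the setup is broken: no serial means the card is not reachable by scdaemon, a checkpin error means the PIN or pinentry is the problem, and a missing "cardno:" line means ssh is not talking to gpg-agent at all.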