
gpg-agent + smartcard not asking for PIN with PUTTY
Closed, Resolved · Public

Description

I'm using a YubiKey 4 as a smartcard to log on to remote SSH with PuTTY,
under Windows.
Recent versions of gpg4win/gpg-agent are compatible with PuTTY and can
talk to PuTTY. I tried, but the problem is that when I use gpg-agent, it
does not ask for a PIN (no PIN entry window) and then it fails in
PuTTY.

This guy seems to have the same kind of problem:
http://lists.wald.intevation.org/pipermail/gpg4win-users-en/2015-October/001263.html

I'm using Windows 7 64-bit with GnuPG 2.0.29 and Gpg4win 2.3.0. Using PuTTY 0.67.

I ran scdaemon and gpg-agent with logging in "guru" mode, and I can
post the results here if it helps.
In the log, the card is read correctly and the PuTTY query is detected by
gpg-agent; only the PIN entry is not asked/triggered...

Details

Version
2.0.29

Event Timeline

timtim added projects: gnupg, Bug Report.
timtim added a subscriber: timtim.

Did you start gpg-agent before PuTTY or Pageant?

Yes, gpg-agent is started before; I can see it in the process list (and even the scdaemon process).

In fact, Pageant can't be started at the same time as gpg-agent (I suppose it shares the same mutex, because it
says "pageant is already running" when I try to start Pageant while gpg-agent is already running).

For historical purposes, and to maximize information, I have been asked to post some parts of the discussion I had
on the mailing list about this problem. Here it is:

I tried an older version (of gpg4win) (which, at the time, worked for people with the
same setup as myself), but I can try a new version too, of course.

That is helpful, because development right now is concentrating more
on Gpg4win 3 with the new GnuPG 2.1 (to become 2.2) and this is where
gpg-agent and pinentry are handled slightly differently. So making sure that
it works with the new version is better for the future.

OK, I installed gpg4win 3.0.0 BETA 128.
The problem stays the same; no PIN is asked for.

In the meantime, I tried this tool: http://smartcard-auth.de/ssh-en.html
It replaces the pageant.exe that ships with PuTTY. And it works. When I
log on to the server with PuTTY, I get asked for the PIN. So I think this
is not a problem with the smartcard or with the keys. It seems that it's
only that gpg-agent doesn't trigger the pinentry.

I tried with gpg-agent on another computer (fresh install) running Windows 7 x64, and
with another smartcard; same problem: no pinentry asked.

I have good news: gpg 2.1 rocks!
Problem solved, and here is the solution:

As Sijie said, the "smartcard compatible" pageant was loading the SIG key and
the AUTH key.

Unfortunately, under gpg 2.0.x, when you export a public key and use gpg2ssh,
the output is the ssh key for the SIG key (and not the auth).

So when using gpg-agent, it was waiting for PuTTY to request the AUTH key and
not the SIG key (as it should!). The "smartcard enabled" pageant was sending
the SIG key, so it was working with it.

Now for the good part: with gpg 2.1, we can now natively use --export-ssh-key,
and this command exports the AUTH key, so in the end, it works :)

Thank you everyone for the help, and I hope it can help other people too!

Can we close this bug, please?

Regards
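
An added example, not part of the original thread or of GnuPG: a Python check over the output of `gpg --with-colons --list-keys` that shows which key carries the authentication capability and whether the key whose public half was deployed for SSH is that one (the SIG/AUTH mix-up described above). The sample listing, key IDs, fingerprints and function names are constructed for illustration.

```python
# Constructed sample in the format of `gpg --with-colons --list-keys`;
# the key IDs and fingerprints are made up for this example.
SAMPLE_LISTING = """\
pub:u:2048:1:1111111111111111:1455000000:::u:::scESCA:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:u::::1455000000::0000000000000000000000000000000000000000::Example User <user@example.org>:
sub:u:2048:1:2222222222222222:1455000000::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
sub:u:2048:1:3333333333333333:1455000000::::::a:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333:
"""


def parse_keys(listing):
    """Return one dict per pub/sub record: key ID, fingerprint, own usage flags."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 11:
            # Field 12: lowercase letters are this key's own usage flags;
            # uppercase letters on a pub record summarise the whole key.
            caps = {c for c in f[11] if c.islower()}
            keys.append({"keyid": f[4], "caps": caps, "fpr": None})
        elif f[0] == "fpr" and len(f) > 9 and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]  # fingerprint of the key record just above
    return keys


def auth_keys(keys):
    """Keys flagged 'a' (authentication), the usage meant for SSH logins."""
    return [k for k in keys if "a" in k["caps"]]


def check_deployed_key(keys, keyid):
    """Report whether the key whose public half went to the server is an auth key."""
    for k in keys:
        if k["keyid"].endswith(keyid.upper()):
            if "a" in k["caps"]:
                return "ok: authentication key"
            return "mismatch: usage flags are '%s', not 'a'" % "".join(sorted(k["caps"]))
    return "unknown key id"


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_LISTING)
    for k in auth_keys(keys):
        print("auth key:", k["keyid"], k["fpr"])
    print(check_deployed_key(keys, "1111111111111111"))
```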

bernhard claimed this task.
bernhard added a project: Not A Bug.

Thanks for testing 2.1 and for reporting the results.
Good to know that it works now.