66

I'm trying to set up gpg-agent forwarding in order to use pass (https://www.passwordstore.org) via ssh.

gpg version 2.2.9 on both local and remote hosts, installed following these instructions: https://gist.github.com/vt0r/a2f8c0bcb1400131ff51

On local machine

$HOME/.gnupg/gpg-agent.conf

extra-socket /home/mickey/.gnupg/S.gpg-agent.remote

Reload agent

echo RELOADAGENT | gpg-connect-agent

Export public key

gpg --export -a mickey > mickey.gpg

Sign test data

echo "test" | gpg2 --encrypt -r mickey > out.gpg

Send public key and signed data

scp *.gpg REMOTE_HOST:

Create ssh session with reverse forwarding

ssh -R /run/user/1002/gnupg/S.gpg-agent:/home/mickey/.gnupg/S.gpg-agent.remote -o "StreamLocalBindUnlink=yes" REMOTE_HOST

On remote machine

Import public key

gpg --import mickey.gpg

Trust this key ultimately

gpg --edit-key mickey

trust
5
quit

Try to decrypt

gpg --decrypt -v out.gpg

Output
gpg: public key is FED6243A3325C554
gpg: connection to agent is in restricted mode
gpg: using subkey FED6243A3325C554 instead of primary key 9E2ED69A02554504
gpg: using subkey FED6243A3325C554 instead of primary key 9E2ED69A02554504
gpg: encrypted with 2048-bit RSA key, ID FED6243A3325C554, created 2018-07-23
      "mickey"
gpg: public key decryption failed: Inappropriate ioctl for device
gpg: decryption failed: No secret key

So agent socket forwarding is working; it seems there are some problems with the pinentry program. Could not find anything that worked for me on Google.

UPD

Tried adding pinentry-program /usr/bin/pinentry-tty to gpg-agent.conf; new error:

gpg: public key decryption failed: Invalid IPC response
gpg: decryption failed: No secret key
Michael Zaikin

3 Answers

123

It happens when GPG is confused about where to read input from. Simply configuring it to look for input from the tty (the terminal connected to standard input) fixes it:

export GPG_TTY=$(tty)
user787267
41

This method does not work when you are inside an LXC container. Instead, add this to ~/.gnupg/gpg.conf:

use-agent
pinentry-mode loopback

Then add this to ~/.gnupg/gpg-agent.conf

allow-loopback-pinentry

Then restart the agent with echo RELOADAGENT | gpg-connect-agent.

(source)

Gaia
  • Can you specify where the files you edited are? Are they in the LXC container or on the machine you SSH from? – oz123 Nov 03 '20 at 12:30
  • @Oz123 I am sorry I do not recall. Try the target (LXC) first. Pls lmk so I can update the answer accordingly. – Gaia Nov 04 '20 at 21:35
  • If this error is happening because you're calling `gpg` from a daemon, it'll be necessary to add `no-tty` and `batch` to `gpg.conf`. – Throw Away Account Apr 16 '21 at 18:56
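Pulling the question's setup and the first two answers together, as an added example that is not from the question or any answer: a POSIX sh script that derives the socket paths with gpgconf on each end instead of hard-coding /home/mickey and /run/user/1002, applies the loopback-pinentry lines idempotently, and exports GPG_TTY in the remote shell before gpg runs. Assumed: gpgconf is available on both hosts (it ships with GnuPG 2.x), and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the question or its answers. Wraps the procedure
# above: socket paths come from gpgconf on each end instead of being hard-coded
# (/home/mickey, /run/user/1002), config edits are idempotent, and GPG_TTY is
# exported in the remote shell before gpg runs. Assumes gpgconf on both hosts.

# Append LINE to FILE unless an identical line is already present.
ensure_conf_line() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# The answer-2 configuration for a GNUPGHOME directory (default ~/.gnupg):
# gpg.conf is read by the gpg that prompts, gpg-agent.conf by the agent.
enable_loopback_pinentry() {
    dir=${1:-$HOME/.gnupg}
    ensure_conf_line "$dir/gpg.conf" "use-agent"
    ensure_conf_line "$dir/gpg.conf" "pinentry-mode loopback"
    ensure_conf_line "$dir/gpg-agent.conf" "allow-loopback-pinentry"
}

# Argument for ssh -R: <remote agent socket>:<local extra socket>.
forward_spec() {
    printf '%s:%s' "$2" "$1"
}

# Local side: the restricted "extra" socket is the one to forward. gpg-agent
# 2.1.17+ creates it by default; /bye starts the agent so the socket exists.
local_extra_socket() {
    gpg-connect-agent /bye >/dev/null
    gpgconf --list-dirs agent-extra-socket
}

# Open the session. The remote socket path is asked of the remote gpgconf, so
# the UID in /run/user/<uid> is never guessed. A stale socket from an earlier
# session is only removed if the remote sshd_config also sets StreamLocalBindUnlink.
connect() {
    host=$1
    extra=$(local_extra_socket)
    remote=$(ssh "$host" gpgconf --list-dirs agent-socket)
    exec ssh -o StreamLocalBindUnlink=yes \
        -R "$(forward_spec "$extra" "$remote")" -t "$host" \
        'export GPG_TTY=$(tty); exec "${SHELL:-/bin/sh}" -l'
}

case ${1:-} in
    connect) connect "$2" ;;
    loopback) enable_loopback_pinentry "$2" ;;
esac
```

Run `sh forward.sh connect REMOTE_HOST` for the forwarded session, or `sh forward.sh loopback [dir]` to apply answer 2's lines to a GnuPG home directory.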
4

When running gpg from a script, the --batch argument must be provided.

fuzzyTew