Answers:
要永久更改密码,请将以下内容附加到您的~/.gnupg/gpg-agent.conf
:
pinentry-program /usr/bin/pinentry-tty
(在缺少pinentry-tty的旧版本中,将pinentry-curses用于“完整终端”对话框窗口。)
告诉GPG代理重新加载配置:
gpg-connect-agent reloadagent /bye
gpg-agent
应该自己检测是否存在$DISPLAY
并选择适当的松锁...
DISPLAY
定义并不一定意味着我可以或想要使用它,例如,通过SSH连接时。
ls /usr/bin | grep pinentry
。我看到pinentry
,pinentry-curses
,pinentry-emacs
,pinentry-gnome3
,pinentry-gtk2
,pinentry-qt
和pinentry-tty
。如果您没有$DISPLAY
问题,可以通过这种方法选择更适合自己的方法。
当我尝试在没有密码的系统帐户和通过ssh的用户帐户上使用gpg2(2.1.11)生成/安装私钥时,在Ubuntu 16.04.3上遇到了这个问题。没有任何效果:
gpg:密钥FE17AE6D / FE17AE6D:发送至代理的错误:权限被拒绝
gpg:构建密钥数组的错误:权限被拒绝
然后,我发现了这个对我有用的方法,因此简单来说:
pico ~/.gnupg/gpg-agent.conf
# add: allow-loopback-pinentry
gpg-connect-agent reloadagent /bye
gpg2 --pinentry-mode loopback --import private.key
在Debian盒子上:
sudo apt install pinentry-tty
sudo update-alternatives --config pinentry
(并将其设置为pinentry-tty)
如果没有,请pinentry-curses
与yum或apt-get一起安装。
然后,运行:
sudo update-alternatives --config pinentry
然后从列表中选择pinentry-curses。
我将从这里复制答案...
看着man pinentry-gnome3
,我看到了:
pinentry-gnome3 implements a PIN entry dialog based on GNOME 3, which
aims to follow the GNOME Human Interface Guidelines as closely as pos‐
sible. If the X Window System is not active then an alternative text-
mode dialog will be used. There are other flavors that implement PIN
entry dialogs using other tool kits.
不幸的是,这种文本模式后备对我不起作用。看来其他人也有同样的 问题。但是,此注释促使我尝试使用其他GUI引脚输入程序:pinentry-gtk2
。您可以像这样切换:
> sudo update-alternatives --config pinentry
There are 3 choices for the alternative pinentry (providing /usr/bin/pinentry).
Selection Path Priority Status
------------------------------------------------------------
* 0 /usr/bin/pinentry-gnome3 90 auto mode
1 /usr/bin/pinentry-curses 50 manual mode
2 /usr/bin/pinentry-gnome3 90 manual mode
3 /usr/bin/pinentry-gtk-2 85 manual mode
Press <enter> to keep the current choice[*], or type selection number: 3
update-alternatives: using /usr/bin/pinentry-gtk-2 to provide /usr/bin/pinentry (pinentry) in manual mode
切换后,它对我来说非常理想!在桌面上的终端中,它将使用GUI密码输入,但是当我在计算机中使用ssh时,它将使用文本模式密码输入。
为了防止出现pinentry弹出窗口,您可以ssh localhost
。(可选)强制禁用X11,-x Disables X11 forwarding.
请参见下面的完整示例。
patrick@patrick-C504:~$ ssh localhost
patrick@localhost's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-68-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Mon Nov 16 22:48:53 2015 from localhost
patrick@patrick-C504:~$ gpg --gen-key
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Foo
Name must be at least 5 characters long
Real name: FooBar
Email address: foorbar@foo.bar
Comment:
You selected this USER-ID:
"FooBar <foorbar@foo.bar>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
gpg: gpg-agent is not available in this session
Enter passphrase:
-x Disables X11 forwarding.
阻止任何X11转发。答案已更新。
我在PvdL的答案中发现了“完整示例”,这有点令人困惑,这是我的工作:
ssh -X machine
# work hack hack work until I need something from gpg
ssh -x localhost -p$port
gpg2 --decrypt file.gpg
# enter password to pinentry
exit
# now the key is unlocked in gpg-agent, and I can keep decrypting files
# from my X ssh session without being asked for the password
如果这样做export GPG_TTY=$(tty)
,unset DISPLAY
它将显示一个TLI对话框,要求输入密码。输入正确的密码短语即可对其进行解密。
如果您不执行上述GPG_TTY导出,并且未设置DISPLAY,则它将使用X Windows。如果您从启用了X11转发的MS-Windows系统启动了会话(例如PuTTY),则它想将X-Window对话框发送到MS Windows系统。您可以在Windows上使用诸如Exceed或Cygwin / X之类的X模拟器,以使X-Window提示输入密码短语出现在MS-Windows框中。
但是,您可以通过运行带有--batch
option 的命令行并使用option 设置密码来消除设置GPG_TTY和取消设置DISPLAY以及获取TLI或GUI的需要--passphrase
:
gpg --batch --passphrase "<passphrase>" -o "<decrypted output file name>" --decrypt "<encrypted input file name>"
今天,所有3种方法都对运行gnupg2的RHEL6有用。
DISPLAY="" gpg2 ...
帮助了我,我还预先安装了pinentry-curses + pinentry-tty,不确定它们是否绝对必要