gpg-agent running, but Sequel still asking for server password #2619

Open
jacquesbh opened this Issue Nov 18, 2016 · 15 comments

jacquesbh commented Nov 18, 2016

Hi!

It is really strange. I do a lot of ssh connections using the terminal.
The only SSH key I have on some servers is my ssh public key from my gpg key.
The special part is that my gpg key is stored on my smartcard.

So, to connect to these servers I use the gpg-agent. It works well in terminal as it asks for the PIN of the smartcard and connects to the server.

When I used Sequel Pro, before going to Sierra, I was able to connect every time without any problem.
Now, on Sierra, sometimes it works, sometimes not. I don't know why.

I'll be happy to help about this!

I use Sequel Pro to connect to a few servers, like 20. So, it is really blocking me. I mean that I would be really happy to help :)

Member

dmoagx commented Nov 18, 2016

I don't have a GPG smartcard, so I have no easy way to reproduce this.

What do you mean by "doesn't work"? What exactly happens?
Which version of Sequel Pro?

jacquesbh commented Nov 18, 2016

Hi,

The version is 1.1.2. The last nightly (50a0f18) is doing the same.

When you use the GPG Agent (with or without smartcard, the agent takes care of that, so it's not a problem if you don't have one I think) it should ask for the passphrase of your GPG key (or the PIN of the smartcard in my case) and not the SSH password.

But how it works now is that the SSH attempt asks for the SSH password, not the GPG passphrase.

Ok, here is an example:

Using SSH in the terminal, with the gpg-agent: (I have a smartcard so it asks for my PIN)

[image: ssh-with-agent]

It asks for the PIN via the gpg-agent.

When I used Sequel before, the behavior was exactly the same: I had the PIN entry window, then it connected fine.

Now I have that:

[image: with-sequel-asking-password]

So, it is not asking for the PIN anymore: or even if I had entered it before, it should use the gpg-agent and finish logging in. Instead it asks for the SSH user's password.

Let me know if you need more explanation.

Thanks!

Member

dmoagx commented Nov 18, 2016

This is the SSH command Sequel Pro uses (slightly changed):

/usr/bin/ssh -v -S none -o ControlMaster=no -o ExitOnForwardFailure=yes -o ConnectTimeout=10 -o NumberOfPasswordPrompts=3 -o TCPKeepAlive=no -o ServerAliveInterval=60 -o ServerAliveCountMax=1 ssh-user@ssh-host -L random-port:mysql-host:mysql-port

Does that work when you run it from Terminal?

jacquesbh commented Nov 18, 2016

Yep it works.

Member

dmoagx commented Nov 18, 2016

Do you have any special configuration in ~/.ssh/config?
Are there any environment variables containing SSH or GPG?

jacquesbh commented Nov 18, 2016

No special config in ~/.ssh/config. Nothing I didn't have before.

Yes about the env:

SSH_AGENT_PID=3715
SSH_AUTH_SOCK=/Users/jacques/.gnupg/S.gpg-agent.ssh
GPG_AGENT_INFO=/Users/jacques/.gnupg/S.gpg-agent:3715:1
GPG_TTY=/dev/ttys005

jacquesbh commented Nov 18, 2016

The SSH_AUTH_SOCK tells SSH to use the gpg-agent. Maybe this is the one missing?

Member

dmoagx commented Nov 18, 2016

SSH_AUTH_SOCK should usually be passed through.
You can check that by saving this script

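#!/bin/bash

# Dump the environment Sequel Pro passes to its SSH client
env > "$HOME/Desktop/userenv.txt"
# Hand the original arguments through to the real ssh unchanged
/usr/bin/ssh "$@"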

as a .sh file, making it executable and then setting it as the SSH client in Sequel Pro > Preferences > Network.

jacquesbh commented Nov 18, 2016

Yes it is, but not the good one.

SP_CONNECTION_VERIFY_HASH=10924678377293113929
SHELL=/bin/zsh
SP_CONNECTION_NAME=SequelPro-1237143272166380200
TMPDIR=/var/folders/5g/bszs4p9x0jq7ls4hqthht3bc0000gn/T/
Apple_PubSub_Socket_Render=/private/tmp/com.apple.launchd.7EeXuDFShO/Render
USER=jacques
SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.MuzNghRhka/Listeners
__CF_USER_TEXT_ENCODING=0x1F5:0x0:0x0
PATH=/usr/bin:/bin:/usr/sbin:/sbin
PWD=/
XPC_FLAGS=0x0
SP_PASSWORD_METHOD=2
XPC_SERVICE_NAME=0
SSH_ASKPASS=/Applications/Sequel Pro.app/Contents/Resources/SequelProTunnelAssistant
SHLVL=1
HOME=/Users/jacques
LOGNAME=jacques
DISPLAY=:0
_=/usr/bin/env

jacquesbh commented Nov 18, 2016

I have two agents in my ~/Library/LaunchAgents:

local.gpg-agent.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <false/>
    <key>Label</key>
    <string>local.gpg-agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/start-gpg-agent</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

And local.sshenv.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>setenv.SSH_AUTH_SOCK</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/launchctl</string>
        <string>setenv</string>
        <string>SSH_AUTH_SOCK</string>
        <string>/Users/jacques/.gnupg/S.gpg-agent.ssh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>ServiceIPC</key>
    <false/>
</dict>
</plist>

So, with the local.sshenv.plist the env SSH_AUTH_SOCK should be good…

jacquesbh commented Jan 27, 2017

@dmoagx Do you have any idea about this issue?

Member

dmoagx commented Jan 28, 2017

No, I have no idea.

Sequel Pro doesn't touch the SSH_AUTH_SOCK envvar so it should simply be passed through:

$ export SSH_AUTH_SOCK=/foo/bar
$ /Applications/Sequel\ Pro.app/Contents/MacOS/Sequel\ Pro &
(connect)
$ cat userenv.txt | grep AUTH_SOCK
SSH_AUTH_SOCK=/foo/bar

Which would mean that OS X does not pass the correct envvar when you launch Sequel Pro.
You can try to launch Sequel Pro from Terminal, but that often causes different problems with SSH.

jacquesbh commented Jan 28, 2017

You saved my day.

It works when I launch it from the Terminal.

From the Sequel Pro app:

SP_CONNECTION_VERIFY_HASH=5763017794211042597
SHELL=/bin/zsh
SP_CONNECTION_NAME=SequelPro-15457277167815604874
TMPDIR=/var/folders/5g/bszs4p9x0jq7ls4hqthht3bc0000gn/T/
Apple_PubSub_Socket_Render=/private/tmp/com.apple.launchd.QHho1lG8ih/Render
USER=jacques
SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.ahrCzRD42d/Listeners
__CF_USER_TEXT_ENCODING=0x1F5:0x0:0x0
PATH=/usr/bin:/bin:/usr/sbin:/sbin
PWD=/
XPC_FLAGS=0x0
SP_PASSWORD_METHOD=2
XPC_SERVICE_NAME=0
SSH_ASKPASS=/Applications/Sequel Pro.app/Contents/Resources/SequelProTunnelAssistant
SHLVL=1
HOME=/Users/jacques
LOGNAME=jacques
DISPLAY=:0
_=/usr/bin/env

And here from the Terminal:

VAGRANT_VMWARE_CLONE_DIRECTORY=~/.vmimages/
SSH_AGENT_PID=470
SP_CONNECTION_VERIFY_HASH=2994646513265456174
TERM_PROGRAM=iTerm.app
GPG_AGENT_INFO=/Users/jacques/.gnupg/S.gpg-agent:470:1
SP_CONNECTION_NAME=SequelPro-9751459168004397961
TERM=xterm-256color
SHELL=/bin/zsh
TMPDIR=/var/folders/5g/bszs4p9x0jq7ls4hqthht3bc0000gn/T/
Apple_PubSub_Socket_Render=/private/tmp/com.apple.launchd.QHho1lG8ih/Render
TERM_PROGRAM_VERSION=3.0.13
TERM_SESSION_ID=w0t0p0:57D6C816-70CA-40B6-9138-E07F0170811C
LS_ARGS=-Gh
LC_ALL=en_US.UTF-8
USER=jacques
ZSH_TMUX_TERM=screen-256color
_ZSH_TMUX_FIXED_CONFIG=/Users/jacques/.oh-my-zsh/plugins/tmux/tmux.extra.conf
SSH_AUTH_SOCK=/Users/jacques/.gnupg/S.gpg-agent.ssh
__CF_USER_TEXT_ENCODING=0x1F5:0x0:0x0
PAGER=less
LSCOLORS=Gxfxcxdxbxegedabagacad
PATH=/Users/jacques/.platformsh/bin:/usr/local/sbin:/usr/local/MacGPG2/bin:/usr/local/bin:/Users/jacques/bin:/Users/jacques/.bin:/usr/bin:/bin:/usr/sbin:/sbin:/Users/jacques/Library/Android/sdk/tools/:/Users/jacques/Library/Android/sdk/platform-tools:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/MacGPG2/bin:/Users/jacques/.composer/vendor/bin
_=/usr/bin/env
PWD=/
EDITOR=vim
LANG=en_US.UTF-8
ITERM_PROFILE=Default
XPC_FLAGS=0x0
SP_PASSWORD_METHOD=2
SSH_ASKPASS=/Applications/Sequel Pro.app/Contents/Resources/SequelProTunnelAssistant
XPC_SERVICE_NAME=0
GPG_TTY=/dev/ttys001
POWERLINE_CONFIG_COMMAND=/usr/local/bin/powerline-config
COLORFGBG=7;0
SHLVL=2
HOME=/Users/jacques
UPDATE_ZSH_DAYS=13
ITERM_SESSION_ID=w0t0p0:57D6C816-70CA-40B6-9138-E07F0170811C
LOGNAME=jacques
LESS=-R
LC_CTYPE=UTF-8
DISPLAY=:0

Much more things in Terminal.

I created a shortcut to launch it from the Terminal.
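
Added example (not part of the thread and not Sequel Pro code): a POSIX shell helper that compares the SSH_*/GPG_* variables in two `env` dumps like the ones posted above and names which agent SSH_AUTH_SOCK points at. The function names and the sample dumps are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread: compare the agent-related
# variables in two `env` dumps such as the userenv.txt captures above.

# Print the value of variable $1 from env dump file $2 (empty if absent).
dump_var() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# Name the agent an SSH_AUTH_SOCK value points at, going by the two path
# shapes seen in this thread.
classify_auth_sock() {
    case "$1" in
        "") echo unset ;;
        */.gnupg/S.gpg-agent.ssh) echo gpg-agent ;;
        /private/tmp/com.apple.launchd.*/Listeners) echo launchd-listener ;;
        *) echo other ;;
    esac
}

# Print one "NAME: left -> right" line for every SSH_*/GPG_* variable whose
# value differs between dump $1 and dump $2.
agent_vars_diff() {
    for name in $(cat "$1" "$2" |
                  sed -n -e 's/^\(SSH_[A-Z_]*\)=.*/\1/p' \
                         -e 's/^\(GPG_[A-Z_]*\)=.*/\1/p' | sort -u); do
        a=$(dump_var "$name" "$1")
        b=$(dump_var "$name" "$2")
        [ "$a" = "$b" ] ||
            printf '%s: %s -> %s\n' "$name" "${a:-<unset>}" "${b:-<unset>}"
    done
}

# Constructed sample dumps modelled on the GUI and Terminal captures.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'USER=jacques' \
        'SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.EXAMPLE/Listeners' \
        > "$dir/gui.txt"
    printf '%s\n' 'USER=jacques' 'SSH_AGENT_PID=470' \
        'SSH_AUTH_SOCK=/Users/jacques/.gnupg/S.gpg-agent.ssh' > "$dir/term.txt"
    echo "GUI:      $(classify_auth_sock "$(dump_var SSH_AUTH_SOCK "$dir/gui.txt")")"
    echo "Terminal: $(classify_auth_sock "$(dump_var SSH_AUTH_SOCK "$dir/term.txt")")"
    agent_vars_diff "$dir/gui.txt" "$dir/term.txt"
    rm -rf "$dir"
}

# With two dump files as arguments, diff them; otherwise run the demo.
if [ "$#" -eq 2 ]; then agent_vars_diff "$1" "$2"; else demo; fi
```

Run it with the GUI-launched dump first and the Terminal-launched dump second to see only the agent variables that changed.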

philihp commented Feb 7, 2017

I'm seeing the same issue. It looks to me like Sequel Pro is running with the wrong SSH_AUTH_SOCK, and needs to be going to .gnupg/S.gpg-agent.ssh, rather than the default system Listener.

jacquesbh commented Feb 8, 2017

I created an app with Automator:

[image]

In my ~/.bash_profile I have:

GPG_TTY=$(tty)
export GPG_TTY
if [ -f "${HOME}/.gpg-agent-info" ]; then
  . "${HOME}/.gpg-agent-info"
  export GPG_AGENT_INFO
  export SSH_AUTH_SOCK
  export SSH_AGENT_PID
fi

Then I can still use Spotlight to open my Sequel Pro app (using the app "Open Sequel Pro").
