gpg-agent refuses SSH keys with ssh-add reporting "agent refused operation"
The answer was apparently to run:

echo UPDATESTARTUPTTY | gpg-connect-agent

I have no idea why the pinentry program worked fine for other uses such as decrypting files, but didn't work for ssh-add.

While this now works, it also makes a copy of the ssh private key that doesn't show up under gpg -Kv, and furthermore doesn't seem to allow you to change the passphrase on your private key (since you can't edit it with --edit-key). Basically I'm pretty unhappy with the way gpg-agent provides low visibility into where your secrets are being copied. If you hit this question because you hoped gpg-agent might be a better alternative to ssh-agent, then I'd encourage you to stick to ssh-agent instead of trying out my answer. The main reason to prefer gpg-agent is if you need it for smart-card use.
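One way to recover the visibility the answer above says gpg-agent lacks, as an added example that is not from the original post: list the keys gpg-agent has taken over from ssh-add by reading its sshcontrol file and checking for the matching key blob. It assumes a GNUPGHOME path is passed as the first argument; the keygrips and the fixture directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: audit the SSH keys that
# gpg-agent has accepted via ssh-add. gpg-agent records each such key's
# keygrip in $GNUPGHOME/sshcontrol (one per line: KEYGRIP [TTL] [confirm],
# "#" comments, a leading "!" disables the entry) and stores the key
# itself as $GNUPGHOME/private-keys-v1.d/<KEYGRIP>.key. These entries
# are the copies that "gpg -K" does not show.

# Print "KEYGRIP enabled|disabled present|missing" for every sshcontrol
# entry under the GNUPGHOME given as $1.
list_ssh_keygrips() {
  home="$1"
  ctl="$home/sshcontrol"
  [ -f "$ctl" ] || return 0
  while read -r grip _ttl _flag; do
    case "$grip" in ''|'#'*) continue ;; esac
    state=enabled
    case "$grip" in '!'*) state=disabled; grip="${grip#!}" ;; esac
    if [ -f "$home/private-keys-v1.d/$grip.key" ]; then
      store=present
    else
      store=missing
    fi
    printf '%s %s %s\n' "$grip" "$state" "$store"
  done < "$ctl"
}

# Constructed fixture: a throwaway GNUPGHOME with two fake keygrips
# (real keygrips are 40 hex digits; these are placeholders).
GRIP_A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
GRIP_B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

demo_audit() {
  d=$(mktemp -d)
  mkdir "$d/private-keys-v1.d"
  printf '# sshcontrol written by ssh-add (constructed)\n%s 0 confirm\n!%s 0\n' \
    "$GRIP_A" "$GRIP_B" > "$d/sshcontrol"
  : > "$d/private-keys-v1.d/$GRIP_A.key"   # only A's key blob is present
  list_ssh_keygrips "$d"
  rm -rf "$d"
}

demo_audit
```

Against a live setup, run list_ssh_keygrips "$HOME/.gnupg" and compare the grips with the output of gpg -K --with-keygrip; any grip listed here but absent from gpg's output is an ssh-add key that gpg -K will never show.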
In my case, the problem was the pinentry program used. I was using pinentry-emacs. It seems it doesn't handle the dual text field entry window prompt that ssh-add triggers when used with gpg-agent. Removing pinentry-emacs and installing the GTK pinentry solved the problem here.