yubikey: Fix gpg-agent tty.

1 files changed, 14 insertions, 4 deletions

diff --git a/config/yubikey.nix b/config/yubikey.nix
index 275a645..6275de0 100644
--- a/config/yubikey.nix
+++ b/config/yubikey.nix
@@ -13,7 +13,6 @@ let
 in
 {
   services.pcscd.enable = true;
-  environment.systemPackages = yubikey-pkgs;
   services.udev.packages = yubikey-pkgs;
 
   # Use GPG agent instead.
@@ -32,8 +31,19 @@ in
     };
   };
 
-  environment.variables = {
-    SSH_AUTH_SOCK =
-        ''''${XDG_RUNTIME_DIR:-"/run/user/\$(id -u)"}/gnupg/S.gpg-agent.ssh'';
+  environment = {
+    systemPackages = yubikey-pkgs;
+
+    # Without this, the gpg-agent has no way to ask the user for a password
+    # when invoked from ssh.
+    # See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851440
+    extraInit = ''
+      gpg-connect-agent updatestartuptty /bye
+    '';
+
+    variables = {
+      SSH_AUTH_SOCK =
+          ''''${XDG_RUNTIME_DIR:-"/run/user/\$(id -u)"}/gnupg/S.gpg-agent.ssh'';
+    };
   };
 }