=====================================================================
             ___       __  _ __
  ___  _____/ (_)___  / /_(_) /__
 / _ \/ ___/ / / __ \/ __/ / //_/
/  __/ /__/ / / /_/ / /_/ / ,<
\___/\___/_/_/ .___/\__/_/_/|_|
            /_/
=====================================================================

Forwarding gpg-agent Over SSH

2021-12-27 | #git #gpg #unix #linux #ssh

Intro

Basic notes from setting up gpg-agent forwarding[1] between a MacOS and Debian Linux system.

=> 1: https://wiki.gnupg.org/AgentForwarding

Client System

Assuming system is running MacOS install gpg[2] and pinentry (GPG password prompt tool) using Homebrew[3],

=> 2: https://gnupg.org/ | 3: https://brew.sh/

brew install gnupg pinentry-mac

Edit ~/.gnupg/gpg-agent.conf and make sure that ${HOME} is the full path to your users home dir, eg /Users/$USER, this must match what's setup in RemoteForward later, 

default-cache-ttl 600
max-cache-ttl 7200
enable-ssh-support
pinentry-program /usr/local/bin/pinentry-mac
extra-socket $HOME/.gnupg/S.gpg-agent.extra
default-key $GPG_KEY

personal-digest-preferences SHA512

cert-digest-algo SHA512

default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

no-emit-version

Edit `~/.ssh/config` and setup a `RemoteForward`, this is important since the forward is required in order to communicate over a socket. Make sure the `$UID` and `$USER` on the remote and local system are set accordingly, as these will differ depending on the OS and login.

Also double check the socket names that they match up from `~/.gnupg/gpg-agent.conf` and `~/.ssh/config`.

Host $REMOTE_IP
   ForwardAgent yes
   Compression yes
   ForwardX11 yes
   RemoteForward /run/user/$UID/gnupg/S.gpg-agent /Users/${USER}/.gnupg/S.gpg-agent.extra
Remote System

Update /etc/ssh/sshd_config (or wherever it is depending on your OS) configuration to include StreamLocalBindUnlink yes and restart sshd This option will,

Specifies whether to remove an existing Unix-domain socket file for local or remote port forwarding before creating a new one.  If the socket file already exists and StreamLocalBindUnlink is not enabled, ssh will be unable to forward the port to the Unix-domain socket file. This option is only used for port forwarding to a Unix-domain socket file.

Troubleshooting gpg-agent

Sometimes StreamLocalBindUnlink yes doesn't work and the client agent needs restarted and sockets removed from the remote system,

Restart the agent on the client system,

gpg-connect-agent reloadagent /bye
Remove the socket on the remote system,

rm /run/user/1000/gnupg/S.gpg-agent
ssh back into the remote system and gpg-agent forwarding should work again.

References

=> 4: https://web.archive.org/web/20190423113837/https://www.isi.edu/~calvin/gpgagent.htm
Tags

=> ssh | linux | unix | gpg | git


=> Home

Proxy Information



Original URL
gemini://rawtext.club/~ecliptik/_posts/2021-12-27-Forwarding-gpg-agent-over-SSH.gmi


Status Code


Success (20)


Meta
text/gemini; lang=en
Capsule Response Time


482.331265 milliseconds


Gemini-to-HTML Time


1.089775 milliseconds




This content has been proxied by September (ba2dc).