Yubikey + GNUPG 2.1.14 + GPG Agent Forwarding + Mutt 1.6.0 (gpgme 1.6.0): Not asking for PIN for smartcard on first use of an encryption key

Peter Lebbing peter at digitalbrains.com
Thu Jul 21 11:26:03 CEST 2016


On 21/07/16 08:00, Thomas Glanzmann wrote:
> From my point of view gpg-agent should ignore any DISPLAY
> settings coming over the unix socket, because it already knows the
> DISPLAY location.

GnuPG doesn't expect that you forward the normal gpg-agent socket. For
forwarding to a remote machine, there is the gpg-agent.conf option

extra-socket [socket file]

which creates an extra socket for forwarding. You can then forward this
socket the way you do now.

One gpg-agent can serve multiple local DISPLAYs. It is exactly intended
behaviour that gpg-agent listens to changes of DISPLAY; it tries to
adapt to the client inquiring the agent.

From the gpg-agent man page:
> --extra-socket name
>        Also listen on native gpg-agent connections on the given socket.
>        The intended use for this extra socket is to setup a Unix domain
>        socket forwarding from a remote machine to this socket on the
>        local machine. A gpg running on the remote machine may then
>        connect to the local gpg-agent and use its private keys. This
>        allows to decrypt or sign data on a remote machine without
>        exposing the private keys to the remote machine.

I'm a bit surprised you still get a graphical pinentry on your original
display when you unset DISPLAY on the remote side. I would expect it to
try a textual pinentry on the TTY indicated by the remote side, which
probably should fail as well since it is the name of a TTY on the remote
side. I'm probably missing a detail somewhere. The keep-{display,tty}
sounds like it indeed should work correctly, but it is quite restrictive.

HTH,

Peter.

PS: Wow, what an extensive and detailed answer from NIIBE! Cool :-)

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
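As an added illustration of the setup described in this mail (not part of Peter's message or of the GnuPG documentation): the local gpg-agent.conf creates the extra socket, and an OpenSSH RemoteForward entry places it on the remote host at the path where gpg there expects its agent socket. User name, host name and all paths are assumptions; the remote path should be whatever `gpgconf --list-dirs agent-socket` reports on that machine.

```conf
# ---- local machine: ~/.gnupg/gpg-agent.conf (path assumed) ----
# Create the forwarding-only socket next to the normal S.gpg-agent socket.
# Only this extra socket is forwarded; the normal agent socket stays local.
extra-socket /home/alice/.gnupg/S.gpg-agent.extra

# ---- local machine: ~/.ssh/config (host name and paths assumed) ----
Host remotebox
    # Remote socket path first, then the local extra socket it maps to.
    # gpg on remotebox connects to S.gpg-agent and reaches the local agent,
    # so private key material never leaves the local machine.
    RemoteForward /home/alice/.gnupg/S.gpg-agent /home/alice/.gnupg/S.gpg-agent.extra

# ---- remote machine: /etc/ssh/sshd_config ----
# Let sshd remove a stale socket file left by an earlier session;
# otherwise the forward fails and gpg falls back to a remote agent.
StreamLocalBindUnlink yes
```

After editing gpg-agent.conf, restart the agent with `gpgconf --kill gpg-agent` so the extra socket is created; the DISPLAY/TTY behaviour discussed above is then handled by gpg-agent on the local side, where the pinentry actually runs.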


