gpg-agent with OpenSSH on Windows

Gerhard Poul gerhard.poul at gmail.com
Mon May 8 15:51:47 CEST 2017


On Sun, Apr 23, 2017 at 7:01 PM, Werner Koch <wk at gnupg.org> wrote:
> On Thu, 20 Apr 2017 09:15, gerhard.poul at gmail.com said:
>
>> I opened an issue [2] and it seems that ssh-add has been adapted to use
>> named pipes on Windows, whereas that is not the mechanism that gpg-agent
>
> Arghh.  Named Pipes under Windows are very hard to use as an emulation
> for local sockets.  The problem is that there is no mechanism to make
> sure that they work only on the local machine.  With the right
> credentials you can use them remotely - which is a bad idea to implement
> a local (ie. non-remote) IPC.

I'm not saying named pipes are the right choice, but that's what
they've currently implemented in this beta. There also seems to be
some documentation or at least newsgroup posts about how to restrict
named pipes to only be used locally, but it requires some specific
settings and I've not tested whether it works as described.

> Frankly, OpenSSH should not use that and resort to our or the new Cygwin
> way of emulating local sockets.

It might be worthwhile to wait and see whether the code is going to be
merged as-is or not before planning how to proceed.

> On Unix we use plain local sockets.  On Windows we listen on 127.0.0.1
> for a TCP connection; the port and a cookie is given in a file created
> by the server and thus the connection is secured using file permissions.
> Cygwin does something very similar.

This should work with named pipes as well.

Regards,
Gerhard
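The loopback-plus-cookie scheme Werner describes above, as an added illustration (not code from GnuPG, libassuan or OpenSSH): the server listens on 127.0.0.1, writes the port and a random nonce to an owner-readable file, and a client must send that nonce as its first bytes or be rejected. The on-disk layout ("<port>\n" then a 16-byte nonce) and the file name S.gpg-agent are assumptions for this demo.

```python
import hmac, os, secrets, socket, tempfile, threading

NONCE_LEN = 16  # assumed: 16-byte nonce, as in libassuan's Windows socket emulation

def write_cookie_file(path, port, nonce):
    # File layout assumed here: "<port>\n" then the raw nonce; mode 0600 so only
    # the owner can read it (on Windows the file ACL plays this role, not mode bits)
    with open(path, "wb") as f:
        f.write(b"%d\n" % port + nonce)
    os.chmod(path, 0o600)

def read_cookie_file(path):
    with open(path, "rb") as f:
        line, nonce = f.read().split(b"\n", 1)
    return int(line), nonce

def serve_once(path, ready):
    # Server: listen on loopback only, publish port + fresh nonce via the file
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        nonce = secrets.token_bytes(NONCE_LEN)
        write_cookie_file(path, srv.getsockname()[1], nonce)
        ready.set()
        conn, _ = srv.accept()
        with conn:
            # The first bytes on the wire must be the nonce; constant-time compare.
            # MSG_WAITALL returns short only if the peer closes early (then it fails).
            got = conn.recv(NONCE_LEN, socket.MSG_WAITALL)
            conn.sendall(b"OK\n" if hmac.compare_digest(got, nonce) else b"ERR bad nonce\n")

def connect(path, nonce=None):
    # Client: learn port and nonce from the file, send the nonce before anything else
    port, file_nonce = read_cookie_file(path)
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(file_nonce if nonce is None else nonce)
        return s.recv(64)

def demo(spoof=False):
    # spoof=True models a local process that found the port but cannot read the file
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "S.gpg-agent")
        ready = threading.Event()
        t = threading.Thread(target=serve_once, args=(path, ready))
        t.start()
        ready.wait()
        resp = connect(path, bytes(NONCE_LEN) if spoof else None)
        t.join()
        return resp
```

The point of the file is that loopback alone does not authenticate the peer: any local process can reach 127.0.0.1, so the nonce, gated by file permissions, is what ties the connection to the file's owner.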


