Remote forwarding gnupg extra-socket?

Andrew Gallagher andrewg at
Fri Mar 27 12:07:09 CET 2020

Hi, Daniel.

On 27/03/2020 04:09, Daniel Kahn Gillmor wrote:
> There has been some discussion about this over on the SSH bugtracker:

I think token support is a good plan. Thanks.

>> Can we please PLEASE have GPG_AGENT_SOCK back in the short term?
> I'm not convinced that this is a good idea; more configurability means
> more ways that people can break their setups, and debugging is even
> harder.

I absolutely agree that removing this is a good idea in the medium/long
term; the problem is that in the short term we have lost functionality.

>> The ssh-agent protocol allows for vendor-specific protocol extensions,
>> which would appear to be perfectly suited for this:
> this is a very interesting suggestion, but i'm not sure exactly how it
> would work.  can you describe it in more detail?  At the beginning of
> this message, it looks like you were talking about forwarding the
> extra-socket, and now it looks like you're talking about forwarding the
> ssh-agent emulation.  Are you talking about the same concern here?
> they're (at least subtly) different.

I'm suggesting that the ssh-agent emulation protocol could encapsulate
the extra-socket protocol using a vendor extension, removing any need to
forward the extra-socket.

So in pseudo-protocol, with "gnupg-agent at" as the vendor
extension, and the encoded gnupg-agent messages serialised as an array
of octets:

SSH_AGENTC_EXTENSION "gnupg-agent at" gnupg_agent_request

This would return:

SSH_AGENT_SUCCESS gnupg_agent_response


SSH_AGENT_EXTENSION_FAILURE gnupg_agent_response

> Also, how is the remote gpg-agent supposed to know that there is some
> other backend it should talk to (for either ssh-agent or any of the
> gpg-agent sockets)?

It wouldn't be a remote gpg-agent, it would be a remote gpg client. If
it detected SSH_AUTH_SOCK in its environment it would make an ssh `query
extension` request on SSH_AUTH_SOCK, as per


To which a successful reply would be something like

SSH_AGENT_SUCCESS "gnupg-agent at"

Otherwise it would fall back on normal behaviour.

Andrew Gallagher
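The exchange sketched in the post (a `query` extension request to discover what the agent supports, then gpg-agent requests tunnelled inside SSH_AGENTC_EXTENSION), worked through as an added example; this is not code from the post, from GnuPG or from OpenSSH. Message numbers and the length-prefixed `string` framing follow the ssh-agent protocol draft. The vendor extension name `GNUPG_EXT` is a constructed placeholder, since the archive has scrubbed the domain in the post's real name, and the gpg-agent backend is a two-command stand-in so the block runs offline.

```python
"""ssh-agent extension framing plus the vendor-extension encapsulation
proposed in the post.  Added example, not project code."""
from __future__ import annotations
import struct

# Message numbers from the ssh-agent protocol draft (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_EXTENSION = 27
SSH_AGENT_EXTENSION_FAILURE = 28

# Placeholder vendor name: the post's real one is scrubbed in the archive.
GNUPG_EXT = b"gnupg-agent@example.invalid"


def put_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the raw bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Parse one SSH string at offset off; returns (value, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def frame(msg_type: int, payload: bytes = b"") -> bytes:
    """Whole agent message: uint32 length, one type byte, then the payload."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body


def unframe(data: bytes) -> tuple[int, bytes]:
    """Split a framed message into (type, payload); reject short or mismatched frames."""
    if len(data) < 5:
        raise ValueError("message too short")
    (n,) = struct.unpack(">I", data[:4])
    if n != len(data) - 4:
        raise ValueError("length field does not match message size")
    return data[4], data[5:]


def extension_request(name: bytes, contents: bytes) -> bytes:
    """SSH_AGENTC_EXTENSION: string extension-name, then extension-specific bytes."""
    return frame(SSH_AGENTC_EXTENSION, put_string(name) + contents)


# ---- agent side: answers "query" and the placeholder vendor extension ----

def agent_handle(data: bytes, gpg_backend) -> bytes:
    msg_type, payload = unframe(data)
    if msg_type != SSH_AGENTC_EXTENSION:
        return frame(SSH_AGENT_FAILURE)
    name, off = get_string(payload, 0)
    contents = payload[off:]
    if name == b"query":
        # Reply is SSH_AGENT_SUCCESS followed by one string per supported extension.
        return frame(SSH_AGENT_SUCCESS, put_string(b"query") + put_string(GNUPG_EXT))
    if name == GNUPG_EXT:
        # Hand the serialised gpg-agent request to the backend; wrap its reply.
        ok, reply = gpg_backend(contents)
        return frame(SSH_AGENT_SUCCESS if ok else SSH_AGENT_EXTENSION_FAILURE, reply)
    return frame(SSH_AGENT_FAILURE)  # unknown extension name


# ---- client side: what a remote gpg client would do against SSH_AUTH_SOCK ----

def client_supported_extensions(agent) -> list[bytes]:
    """Send a 'query' request and return the extension names the agent advertises."""
    msg_type, payload = unframe(agent(extension_request(b"query", b"")))
    if msg_type != SSH_AGENT_SUCCESS:
        return []  # agent predates extensions: fall back to normal behaviour
    names, off = [], 0
    while off < len(payload):
        name, off = get_string(payload, off)
        names.append(name)
    return names


def client_gpg_call(agent, request: bytes) -> tuple[bool, bytes]:
    """Tunnel one gpg-agent request through the vendor extension."""
    msg_type, payload = unframe(agent(extension_request(GNUPG_EXT, request)))
    if msg_type == SSH_AGENT_SUCCESS:
        return True, payload
    if msg_type == SSH_AGENT_EXTENSION_FAILURE:
        return False, payload
    raise RuntimeError(f"agent does not speak the extension (type {msg_type})")


def toy_gpg_backend(request: bytes) -> tuple[bool, bytes]:
    """Constructed stand-in for gpg-agent: accepts only two Assuan-style lines."""
    if request in (b"NOP\n", b"BYE\n"):
        return True, b"OK\n"
    return False, b"ERR unknown command\n"


def agent_with_backend(data: bytes) -> bytes:
    """In-process 'socket': the client hands a frame in and gets a frame back."""
    return agent_handle(data, toy_gpg_backend)
```

The client never needs a forwarded extra-socket: it learns from `query` whether the agent on SSH_AUTH_SOCK speaks the vendor extension and only then tunnels gpg-agent requests through it; the distinct SSH_AGENT_EXTENSION_FAILURE type lets it tell a gpg-agent error from an agent that does not understand the extension at all.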
