Remote forwarding gnupg extra-socket?

Andrew Gallagher andrewg at andrewg.com
Fri Mar 27 12:07:09 CET 2020


Hi, Daniel.

On 27/03/2020 04:09, Daniel Kahn Gillmor wrote:
>
> There has been some discussion about this over on the SSH bugtracker:

I think token support is a good plan. Thanks.

>> Can we please PLEASE have GPG_AGENT_SOCK back in the short term?
> 
> I'm not convinced that this is a good idea; more configurability means
> more ways that people can break their setups, and debugging is even
> harder.

I absolutely agree that removing this is a good idea in the medium/long
term; the problem is that in the short term we have lost functionality.

>> The ssh-agent protocol allows for vendor-specific protocol extensions,
>> which would appear to be perfectly suited for this:
>>
>> https://tools.ietf.org/id/draft-miller-ssh-agent-01.html#rfc.section.4.7
> 
> this is a very interesting suggestion, but i'm not sure exactly how it
> would work.  can you describe it in more detail?  At the beginning of
> this message, it looks like you were talking about forwarding the
> extra-socket, and now it looks like you're talking about forwarding the
> ssh-agent emulation.  Are you talking about the same concern here?
> they're (at least subtly) different.

I'm suggesting that the ssh-agent emulation protocol could encapsulate
the extra-socket protocol using a vendor extension, removing any need to
forward the extra-socket.

So in pseudo-protocol, with "gnupg-agent@gnupg.org" as the vendor
extension, and the encoded gnupg-agent messages serialised as an array
of octets:

```
SSH_AGENTC_EXTENSION "gnupg-agent@gnupg.org" gnupg_agent_request
```

This would return:

```
SSH_AGENT_SUCCESS gnupg_agent_response
```

or

```
SSH_AGENT_EXTENSION_FAILURE gnupg_agent_response
```

> Also, how is the remote gpg-agent supposed to know that there is some
> other backend it should talk to (for either ssh-agent or any of the
> gpg-agent sockets)?

It wouldn't be a remote gpg-agent, it would be a remote gpg client. If
it detected SSH_AUTH_SOCK in its environment it would make an ssh `query
extension` request on SSH_AUTH_SOCK, as per
https://tools.ietf.org/id/draft-miller-ssh-agent-01.html#rfc.section.4.7.1

```
SSH_AGENTC_EXTENSION "query"
```

To which a successful reply would be something like

```
SSH_AGENT_SUCCESS "gnupg-agent@gnupg.org"
```

Otherwise it would fall back on normal behaviour.

-- 
Andrew Gallagher

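The exchange sketched in the message above, worked through as an added example that is not part of the thread and not GnuPG or OpenSSH code: an in-memory ssh-agent emulation that answers the "query" extension and wraps opaque gnupg-agent bytes under a vendor extension, and a client that discovers the extension first and falls back to normal behaviour when it is absent. Assumptions: the extension name "gnupg-agent@gnupg.org" is the one proposed above and is not registered anywhere; the "query" reply is encoded as a run of SSH strings after SSH_AGENT_SUCCESS, following the draft; the gpg-agent backend is a constructed stub that returns canned bytes rather than speaking real Assuan; messages are passed as byte strings instead of over a socket, so the agent-protocol framing is the only wire detail shown. Message numbers are taken from the draft's number table.

```python
import struct
from typing import Callable, List, Optional, Tuple

# Message numbers from draft-miller-ssh-agent, section 5.1.
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_EXTENSION = 27
SSH_AGENT_EXTENSION_FAILURE = 28
GNUPG_EXT = b"gnupg-agent@gnupg.org"  # assumed vendor name from the message above

def put_string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def get_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Decode an SSH 'string' at buf[off:]; returns (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off + 4:off + 4 + n], off + 4 + n

def frame(msg: bytes) -> bytes:
    """Agent wire framing: uint32 length followed by the message body."""
    return struct.pack(">I", len(msg)) + msg

def unframe(wire: bytes) -> bytes:
    """Strip the length prefix, rejecting empty, short or over-long frames."""
    if len(wire) < 5 or struct.unpack(">I", wire[:4])[0] != len(wire) - 4:
        raise ValueError("frame length mismatch")
    return wire[4:]

# ---- client side: what a remote gpg client would send over SSH_AUTH_SOCK ----
def build_query_request() -> bytes:
    return frame(bytes([SSH_AGENTC_EXTENSION]) + put_string(b"query"))

def build_gnupg_request(gnupg_agent_request: bytes) -> bytes:
    # Extension contents are raw bytes (not an SSH string): appended as-is.
    return frame(bytes([SSH_AGENTC_EXTENSION]) + put_string(GNUPG_EXT)
                 + gnupg_agent_request)

def parse_query_reply(wire: bytes) -> List[bytes]:
    """Advertised extension names; [] if the agent does not support "query"."""
    body = unframe(wire)
    if body[0] != SSH_AGENT_SUCCESS:
        return []
    names, off = [], 1
    while off < len(body):
        name, off = get_string(body, off)
        names.append(name)
    return names

def parse_gnupg_reply(wire: bytes) -> Tuple[bool, bytes]:
    """Map SUCCESS / EXTENSION_FAILURE to (ok, gnupg_agent_response)."""
    body = unframe(wire)
    if body[0] not in (SSH_AGENT_SUCCESS, SSH_AGENT_EXTENSION_FAILURE):
        raise ValueError("unexpected reply type %d" % body[0])
    return body[0] == SSH_AGENT_SUCCESS, body[1:]

def gpg_client_call(agent: "Agent", request: bytes) -> Optional[Tuple[bool, bytes]]:
    if GNUPG_EXT not in parse_query_reply(agent.handle(build_query_request())):
        return None  # extension not advertised: fall back to normal behaviour
    return parse_gnupg_reply(agent.handle(build_gnupg_request(request)))

# ---- agent side: the ssh-agent emulation that owns the gpg-agent sockets ----
class Agent:
    def __init__(self, backend: Optional[Callable[[bytes], Tuple[bool, bytes]]] = None):
        self.backend = backend
        self.extensions = {b"query": self._query}
        if backend is not None:  # only advertise what this agent can serve
            self.extensions[GNUPG_EXT] = self._gnupg

    def handle(self, wire: bytes) -> bytes:
        try:
            body = unframe(wire)
            if body[0] != SSH_AGENTC_EXTENSION:
                return frame(bytes([SSH_AGENT_FAILURE]))
            ext_name, off = get_string(body, 1)
            handler = self.extensions.get(ext_name)
            if handler is None:  # draft 4.7: unsupported extension -> SSH_AGENT_FAILURE
                return frame(bytes([SSH_AGENT_FAILURE]))
            return handler(body[off:])
        except ValueError:  # malformed frame: fail closed rather than raise
            return frame(bytes([SSH_AGENT_FAILURE]))

    def _query(self, _contents: bytes) -> bytes:
        return frame(bytes([SSH_AGENT_SUCCESS])
                     + b"".join(put_string(n) for n in self.extensions))

    def _gnupg(self, contents: bytes) -> bytes:
        ok, response = self.backend(contents)
        code = SSH_AGENT_SUCCESS if ok else SSH_AGENT_EXTENSION_FAILURE
        return frame(bytes([code]) + response)

def stub_gnupg_backend(request: bytes) -> Tuple[bool, bytes]:
    """Constructed stand-in for the local gpg-agent extra-socket; not real Assuan."""
    if request == b"GETINFO version\n":
        return True, b"OK\n"
    return False, b"ERR unknown command\n"
```

The point of `gpg_client_call` is the discovery step: the client never sends the vendor extension blind, so an agent that knows nothing about gnupg answers the "query" with its own list (or with SSH_AGENT_FAILURE, which `parse_query_reply` treats as "no extensions") and the client takes the normal path. Note also that a backend error comes back as SSH_AGENT_EXTENSION_FAILURE carrying the gnupg-agent response, whereas an unknown extension or a malformed frame gets a bare SSH_AGENT_FAILURE, which keeps the two failure kinds distinguishable to the caller.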