Remote forwarding gnupg extra-socket?
andrewg at andrewg.com
Fri Mar 27 15:41:23 CET 2020
On 27/03/2020 13:20, Werner Koch wrote:
> Actually --extra-socket was introduced with 2.1.1 and the /var/run
> standard location was introduced with 2.1.13. So I don't understand why
> you think anything has changed for --extra-socket except that it is now
> always generated unless you configure "extra-socket /dev/null"
It's the standard location that causes the issue, so it is since 2.1.13.
> XDG_RUNTIME_DIR is not used:
> We use /run/user/<uid> instead.
OK, but this is unpredictable for the same reasons that XDG_RUNTIME_DIR
is unpredictable - you cannot tell what $UID is from the remote side, so
you don't know where to tell ssh to create the extra socket.
> You mean you are running a gpg-agent on the remote box as well?
Maybe, depending on whether I left myself logged in on the physical console.
> in this case you should use a different home directory for the remote use
> of gpg-agent.
Yes, but won't all gpgs on the remote machine expect the extra-socket to
be under /var/run/$UID, regardless of $GNUPGHOME? And even if we solve
the local vs remote issue, we don't solve the issue of two simultaneous
remote connections, unless we create many $GNUPGHOMEs and track them
manually (a slightly contrived example, but it shows that the "solution"
is only a workaround).
The extra-socket only works reliably if it is unique per-session, but it
is not stored in a per-session location.
> gpg-agent does not emulate ssh-agent but
> implements the ssh-agent-protocol
Yes, that's what I meant. Apologies for the sloppy terminology.
>> The ssh-agent protocol allows for vendor-specific protocol extensions,
>> which would appear to be perfectly suited for this:
> Yes, it would be nice if the client site (ssh) would send certain
> environment variables via the ssh-agent-protocol, so that gpg-agent
> knows where to pop up the pinentry (that is what the gpg does).
> It would also be very nice if ssh could be extended to call a configured
> tool if it does not find an agent and then try again. This way we would
> get auto start also via ssh.
Sending environment variables would require code changes to ssh(d),
whereas vendor extensions would only require changes to gpg(-agent) -
they are treated as black boxes by ssh(d) and passed verbatim.
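As an added example, not code from this thread or from GnuPG: since neither side can predict the other's /run/user/<uid> path, the practical approach is to ask each gpg-agent's own `gpgconf --list-dirs` for its socket paths and build the `ssh -R` specification from those. The `agent-socket` and `agent-extra-socket` keys are real gpgconf output keys; the list-dirs output below is a constructed, shortened sample.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG. It resolves the
# socket paths each gpg-agent actually uses (via `gpgconf --list-dirs`) so
# that `ssh -R` can be pointed at the remote's real socket instead of a
# guessed /run/user/<uid> path.

# Extract one value from `gpgconf --list-dirs` output.
#   $1: full output text, $2: key such as agent-socket
# gpgconf percent-escapes values; ':' (%3A) and '%' (%25) are decoded here.
listdirs_value() {
    printf '%s\n' "$1" \
        | awk -F: -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }' \
        | sed 's/%3[aA]/:/g; s/%25/%/g'
}

# Build the ssh -R argument: <remote agent socket>:<local extra socket>.
# gpg on the remote box talks to S.gpg-agent; the local side exposes only
# its restricted extra socket. Returns 1 if either path is missing.
remote_forward_spec() {
    remote_sock=$(listdirs_value "$1" agent-socket)
    local_extra=$(listdirs_value "$2" agent-extra-socket)
    [ -n "$remote_sock" ] && [ -n "$local_extra" ] || return 1
    printf '%s:%s\n' "$remote_sock" "$local_extra"
}

# Constructed sample outputs (shortened) standing in for:
#   ssh host gpgconf --list-dirs   (remote side, uid 1001)
#   gpgconf --list-dirs            (local side, uid 1000)
SAMPLE_REMOTE_LISTDIRS='homedir:/home/bob/.gnupg
socketdir:/run/user/1001/gnupg
agent-socket:/run/user/1001/gnupg/S.gpg-agent
agent-extra-socket:/run/user/1001/gnupg/S.gpg-agent.extra'
SAMPLE_LOCAL_LISTDIRS='homedir:/home/alice/.gnupg
socketdir:/run/user/1000/gnupg
agent-socket:/run/user/1000/gnupg/S.gpg-agent
agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra'

# Demonstration on the samples. In real use the remote text comes from
# `ssh host gpgconf --list-dirs` and the result is passed as `ssh -R "$spec" host`;
# the remote sshd_config needs `StreamLocalBindUnlink yes` to replace a stale
# socket file, and a gpg-agent already running on the remote box will still
# compete for that same path, which is the conflict the post describes.
remote_forward_spec "$SAMPLE_REMOTE_LISTDIRS" "$SAMPLE_LOCAL_LISTDIRS"
```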