Remote forwarding gnupg extra-socket?

Andrew Gallagher andrewg at
Fri Mar 27 15:41:23 CET 2020

On 27/03/2020 13:20, Werner Koch wrote:
> Actually --extra-socket was introduced with 2.1.1 and the /var/run
> standard location was introduced with 2.1.13.  So I don't understand why
> you think anything has changed for --extra-socket except that it is now
> always generated unless you configure "extra-socket /dev/null"

It's the standard location that causes the issue, so it is since 2.1.13.

> XDG_RUNTIME_DIR is not used:
> We use /run/user/<uid> instead.

OK, but this is unpredictable for the same reasons that XDG_RUNTIME_DIR
is unpredictable - you cannot tell what $UID is from the remote side, so
you don't know where to tell ssh to create the extra socket.

> You mean you are running a gpg-agent on the remote box as well?

Maybe, depending on whether I left myself logged in on the physical console.

> Right
> in this case you should use a different home directory for the remote use
> of gpg-agent.

Yes, but won't all gpgs on the remote machine expect the extra-socket to
be under /var/run/$UID, regardless of $GNUPGHOME? And even if we solve
the local vs remote issue, we don't solve the issue of two simultaneous
remote connections, unless we create many $GNUPGHOMEs and track them
manually (a slightly contrived example, but it shows that the "solution"
is only a workaround).

The extra-socket only works reliably if it is unique per-session, but it
is not stored in a per-session location.

> gpg-agent does not emulate ssh-agent but
> implements the ssh-agent-protocol

Yes, that's what I meant. Apologies for the sloppy terminology.

>> The ssh-agent protocol allows for vendor-specific protocol extensions,
>> which would appear to be perfectly suited for this:
> Yes, it would be nice if the client side (ssh) would send certain
> environment variables via the ssh-agent-protocol, so that gpg-agent
> knows where to pop up the pinentry (that is what the gpg does).
> It would also be very nice if ssh could be extended to call a configured
> tool if it does not find an agent and then try again.  This way we would
> get auto start also via ssh.

Sending environment variables would require code changes to ssh(d),
whereas vendor extensions would only require changes to gpg(-agent) -
they are treated as black boxes by ssh(d) and passed verbatim.

Andrew Gallagher
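One practical way to cope with the uid-dependent remote socket directory discussed above, as an added example that is not part of this thread: ask the remote gpgconf for its socket path before building the ssh -R forward, instead of guessing /run/user/<uid>. It assumes gpgconf and ssh are on PATH on both sides and that the remote side either runs no gpg-agent of its own or uses a separate GNUPGHOME, as Werner suggests.

```shell
#!/bin/sh
# Added example: forward the local gpg-agent extra socket to a remote host
# whose socket directory (/run/user/<uid>/gnupg) cannot be predicted locally.

# Pure helper: build the "remote:local" spec that ssh -R takes for Unix sockets.
forward_spec() {
    # $1 = local extra socket path, $2 = remote agent socket path
    printf '%s:%s' "$2" "$1"
}

# Extract the uid from a socket path in the standard per-user location,
# failing for paths elsewhere (for example under a custom GNUPGHOME).
socket_uid() {
    case "$1" in
        /run/user/*/gnupg/*)
            rest="${1#/run/user/}"
            printf '%s' "${rest%%/*}"
            ;;
        *)
            return 1
            ;;
    esac
}

# Discovery helpers: these really call gpgconf and ssh.
local_extra_socket() {
    gpgconf --list-dirs agent-extra-socket
}

remote_agent_socket() {
    # The remote gpgconf reports where gpg clients on that host expect the
    # agent socket; this is how the local side learns the remote uid directory.
    ssh "$1" gpgconf --list-dirs agent-socket
}

# Tie it together: one ssh session that carries the agent forward.
# StreamLocalBindUnlink removes a stale socket left by a previous session,
# which matters because the standard location is per-user, not per-session.
forward_agent() {
    host="$1"; shift
    spec=$(forward_spec "$(local_extra_socket)" "$(remote_agent_socket "$host")") || return 1
    exec ssh -o StreamLocalBindUnlink=yes -R "$spec" "$host" "$@"
}

# Usage (not run here): forward_agent user@remote.example
```

Two simultaneous sessions to the same remote account would still collide on the same socket path, which is the per-session problem the message above describes.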
