Remote forwarding gnupg extra-socket?

Werner Koch wk at gnupg.org
Sat Mar 28 11:34:26 CET 2020


On Fri, 27 Mar 2020 14:41, Andrew Gallagher said:
> On 27/03/2020 13:20, Werner Koch wrote:
>> 
>> Actually --extra-socket was introduced with 2.1.1 and the /var/run
>> standard location was introduced with 2.1.13.  So I don't understand why
>> you think anything has changed for --extra-socket except that it is now
>> always generated unless you configure "extra-socket /dev/null"
>
> It's the standard location that causes the issue, so it is since 2.1.13,
> yes.
>
>> XDG_RUNTIME_DIR is not used:
> ...
>> We use /run/user/<uid> instead.
>
> OK, but this is unpredictable for the same reasons that XDG_RUNTIME_DIR
> is unpredictable - you cannot tell what $UID is from the remote side, so
> you don't know where to tell ssh to create the extra socket.

What's wrong with

  $ ssh kerckhoffs.g10code.com gpgconf --list-dirs agent-ssh-socket
  /run/user/1000/gnupg/S.gpg-agent.ssh

>> You mean you are running a gpg-agent on the remote box as well?
>
> Maybe, depending on whether I left myself logged in on the physical console.

The standard use case is to run gpg on a server which you don't trust to
hold your private key.  When ssh-ing to another desktop (I have to do
this now often to my other office) you need to script something.  Yes,
it would be cool if you could advise ssh with a simple option to send
some meta information to the server to be evaluated in .bashrc; but you
can do this also with an ssh wrapper and a dedicated envvar you allow in
sshd_config's AcceptEnv option.


> Yes, but won't all gpgs on the remote machine expect the extra-socket to
> be under /var/run/$UID, regardless of $GNUPGHOME? And even if we solve

There is a mechanism which allows this.  For example if I do a manual
test in a dedicated homedir:

 mybox:~/b/gnupg/test-card(GnuPGTest)$ gpgconf --list-dirs agent-ssh-socket
 /run/user/1000/gnupg/d.ex81qn9mjkp3y5c94htkx8hy/S.gpg-agent.ssh

That is, the homedir is hashed and appended to the standard socket dir.
Although things work automagically, gpgconf has two options to support
this:

  --create-socketdir
    Create a directory for sockets below /run/user or /var/run/user.
    This command is only required if a non default home directory is
    used and the /run based sockets shall be used.  For the default home
    directory GnuPG creates a directory on the fly.

  --remove-socketdir
    Remove a directory created with command --create-socketdir.

[I just noticed that I should update the description, it is actually
 only needed if you want to create the directory prior to starting any
 GnuPG daemon.]

> The extra-socket only works reliably if it is unique per-session, but it
> is not stored in a per-session location.

A session is defined by the GNUPGHOME envvar or --homedir option.  That
works the same on all platforms.

> Sending environment variables would require code changes to ssh(d),
> whereas vendor extensions would only require changes to gpg(-agent) -
> they are treated as black boxes by ssh(d) and passed verbatim.

And how do you set these vendor extensions with ssh(1)?


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
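An added example (not from the thread and not part of GnuPG) of the wrapper approach discussed above: instead of guessing the remote UID, the script asks the remote gpgconf for its agent socket path (including the hashed d.<...> subdirectory for a non-default GNUPGHOME), refuses anything outside the /run-based standard location, and forwards the local extra socket there with ssh -R. It assumes the usual setup in which the remote gpg expects its agent at agent-socket and the local restricted socket is agent-extra-socket; the function names are the script's own.

```shell
#!/bin/sh
# Forward the local gpg-agent extra socket to a remote host, learning the
# remote socket path from the remote gpgconf instead of guessing the UID.
# Usage: forward_gpg_agent HOST [REMOTE_GNUPGHOME]
set -u

# Build the argument for "ssh -R": remote socket path, then local path.
build_forward_spec() {
    printf '%s:%s\n' "$1" "$2"
}

# Accept only socket paths below the /run-based standard location, so a
# mangled or unexpected answer from the remote never becomes a bind target.
is_runtime_socket_path() {
    case $1 in
        /run/user/[0-9]*/gnupg/*S.gpg-agent) return 0 ;;
        /var/run/user/[0-9]*/gnupg/*S.gpg-agent) return 0 ;;
        *) return 1 ;;
    esac
}

# Ask the remote gpgconf where its gpg expects the agent socket.  With a
# non-default GNUPGHOME this yields the hashed d.<...> subdirectory.
remote_agent_socket() {
    host=$1; remote_home=${2:-}
    if [ -n "$remote_home" ]; then
        ssh "$host" env GNUPGHOME="$remote_home" gpgconf --list-dirs agent-socket
    else
        ssh "$host" gpgconf --list-dirs agent-socket
    fi
}

forward_gpg_agent() {
    host=$1; remote_home=${2:-}
    remote=$(remote_agent_socket "$host" "$remote_home") || return 1
    is_runtime_socket_path "$remote" || {
        printf 'refusing to forward to unexpected path: %s\n' "$remote" >&2
        return 1
    }
    # The extra socket is the restricted one intended for forwarding.
    local_extra=$(gpgconf --list-dirs agent-extra-socket) || return 1
    # The remote sshd needs "StreamLocalBindUnlink yes" to replace a socket
    # file left behind by a previous session; otherwise the bind fails.
    exec ssh -R "$(build_forward_spec "$remote" "$local_extra")" "$host"
}
```

If a gpg-agent is already running on the remote for the same homedir, it owns that socket path and the forwarded one will not be used; stop it or use a dedicated remote GNUPGHOME.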