Remote use of keys on smartcard via gnupg-agent?

Jimmy Kaplowitz jimmy at kaplowitz.org
Wed Mar 29 11:45:46 CEST 2006


Hi Raphaël,

On Wed, Mar 29, 2006 at 11:26:08AM +0200, Raphaël Poss wrote:
> People who are serious about security would probably like to have the 
> crypto done by the smartcard itself, or at least the computer they are 
> sitting in front of. Therefore a better setup would be to have the 
> encrypted data transmitted from your distant ssh host to your local host 
> for decryption, and decrypted data sent back to your ssh host for use 
> (or just viewed locally).

Isn't that basically what gpg-agent does already for ssh authentication?
If I sit at machine A with a smartcard plugged in, connect to machine B
with an authentication key from the smartcard, and then try to connect
from machine B to machine C, that same authentication key on the
smartcard will be available despite it not being stored on either
machine B or machine C. The request will be tunneled by gpg-agent over
ssh, and the password prompt and cryptographic interaction with the key
will happen locally on machine A.

Am I misunderstanding how that works? If not, I'm just asking for the
same ability to forward access to keys over ssh but use them remotely
(such as on machine B or C) for any GPG signing and decryption, as well
as ssh authentication.  If I understand this right, the crypto happens
on the smartcard in any case.

> 1. connect to your remote ssh host using remote port forwarding, with 
> -R4242:localhost:4242
[...]
>   while true; do nc -l 4242 | gpg ; done
[...]
> 3. configure your remote mutt to send the encrypted data to port 4242 on 
> the same host, so that it gets forwarded back via your ssh connection.

Sometimes I use gpg remotely on the command line, and even within mutt,
there are many different commands it might want to issue to gpg. There
are also other programs I might want to start using, like a console
password manager, that would also want to access the gpg key. This seems
like a very clumsy way to do what gpg-agent already does very well on
the local machine for signing/decrypting/authenticating and on remote
machines for authenticating. I just want to equalize its capabilities on
remote machines with those on local machines, while keeping the
private-key crypto local to the smartcard as it already is with
gpg-agent.

Still, thanks for giving a first stab at a solution. Hopefully we'll be
able to figure out something, whether or not involving code changes.

- Jimmy Kaplowitz
jimmy at kaplowitz.org
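The capability asked for above (letting gpg on machine B sign and decrypt with the card that stays in machine A) is what gpg-agent socket forwarding provides in GnuPG 2.1 and later, which postdates this thread. The script below is an added example, not code from the thread or from the GnuPG project; it assumes OpenSSH with Unix-socket forwarding and GnuPG 2.1 or newer on both ends, and the host name machine-b.example and the socket paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: forward the local gpg-agent to a
# remote host so that gpg there can sign and decrypt with a smartcard that
# stays plugged into the local machine. Uses the restricted "extra" agent
# socket that gpg-agent has offered since GnuPG 2.1. Host name and socket
# paths are placeholders.
set -eu

# The extra socket accepts only a restricted command set (no key export,
# no passphrase changes), so it is the only local socket that should ever
# be handed to a remote host. Refuse anything else.
local_socket_is_restricted() {
    case $1 in
        *.extra) return 0 ;;
        *)       return 1 ;;
    esac
}

# -R argument: the remote host's normal agent socket path is bound to the
# local extra socket. gpg on the remote host then talks to our agent
# without noticing; private-key operations still happen on the local card.
remote_forward_arg() {
    printf '%s:%s' "$1" "$2"
}

# Complete ssh invocation. ExitOnForwardFailure makes a failed socket
# forward fatal instead of silently leaving the remote gpg without an agent.
# The remote sshd must have "StreamLocalBindUnlink yes", otherwise a stale
# socket file from an earlier session blocks the bind.
build_ssh_cmd() {
    host=$1 remote_sock=$2 local_extra=$3
    local_socket_is_restricted "$local_extra" || {
        echo "refusing to forward non-restricted socket $local_extra" >&2
        return 1
    }
    printf 'ssh -o ExitOnForwardFailure=yes -R %s %s' \
        "$(remote_forward_arg "$remote_sock" "$local_extra")" "$host"
}

# Command to run on the remote side once connected: it must report the
# card's serial number, proving the remote gpg reached the local card.
remote_card_check() {
    printf 'gpg-connect-agent "scd serialno" /bye'
}

# Use the real local path when gpgconf is available, a placeholder otherwise.
if command -v gpgconf >/dev/null 2>&1; then
    LOCAL_EXTRA=$(gpgconf --list-dirs agent-extra-socket)
else
    LOCAL_EXTRA=/run/user/1000/gnupg/S.gpg-agent.extra   # placeholder
fi
# Placeholder: take the real value from "gpgconf --list-dirs agent-socket"
# run on the remote host, since it depends on the remote user's uid.
REMOTE_SOCK=/run/user/1000/gnupg/S.gpg-agent

build_ssh_cmd machine-b.example "$REMOTE_SOCK" "$LOCAL_EXTRA"
echo
echo "then on the remote host: $(remote_card_check)"
```

Before the remote gpg can use the card it also needs the public key imported and one run of `gpg --card-status` to create the key stubs that point at the card; after that, signing, decryption and ssh authentication on the remote host all go through the forwarded socket while the private-key operations stay on the card in the local machine.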