SSH generic socket forwarding for gpg-agent

Werner Koch wk at
Thu Dec 4 09:23:52 CET 2014

On Tue, 11 Nov 2014 18:35, matt at said:
> Does anyone have gpg-agent forwarding working with SSH's recent generic socket
> forwarding? Does it still require socat on one end, because I've only been able
> to specify a socket path on the left-hand side of the forwarding
> specification

Yes, it works for me.  However, I tested it with the current development
version of 2.1 which adds an extra features:

   --extra-socket NAME
          Also listen on native gpg-agent connections on the given
          socket.  The intended use for this extra socket is to
          setup a Unix domain socket forwarding from a remote
          machine to this socket on the local machine.  A gpg
          running on the remote machine may then connect to the
          local gpg-agent and use its private keys.  This allows to
          decrypt or sign data on a remote machine without exposing
          the private keys to the remote machine.

The documentation on how to use Unix domain sockets with ssh is a bit
sparse.  You probably want to use "-o StreamLocalBindUnlink=yes" when
connecting to the remote host and you have to enable the forwarding
features (look for Stream* options).



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list