SSH generic socket forwarding for gpg-agent
Werner Koch
wk at gnupg.org
Thu Dec 4 09:23:52 CET 2014
On Tue, 11 Nov 2014 18:35, matt at monaco.cx said:
> Does anyone have gpg-agent forwarding working with SSH's recent generic socket
> forwarding? Does it still require socat on one end, because I've only been able
> to specify a socket path on the left-hand side of the forwarding
> specification
Yes, it works for me. However, I tested it with the current development
version of 2.1 which adds an extra feature:

  --extra-socket NAME
      Also listen on native gpg-agent connections on the given
      socket. The intended use for this extra socket is to
      setup a Unix domain socket forwarding from a remote
      machine to this socket on the local machine. A gpg
      running on the remote machine may then connect to the
      local gpg-agent and use its private keys. This allows
      decrypting or signing data on a remote machine without exposing
      the private keys to the remote machine.
The documentation on how to use Unix domain sockets with ssh is a bit
sparse. You probably want to use "-o StreamLocalBindUnlink=yes" when
connecting to the remote host and you have to enable the forwarding
features (look for Stream* options).
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
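An added example of the setup described above, not code from the post or from GnuPG: a POSIX shell wrapper that refuses to forward anything but a real local socket and then opens the ssh session with the reverse Unix-socket forward. It assumes gpg-agent was started with --extra-socket pointing at ~/.gnupg/S.gpg-agent.extra, that the remote gpg looks for its agent at the absolute path passed as the second argument, and that the remote sshd permits stream-local forwarding (Stream* options in sshd_config).

```shell
#!/bin/sh
# Forward a remote gpg's agent connections back to the local gpg-agent.
# Assumed local start of the agent (path is an assumption, not a default):
#   gpg-agent --daemon --extra-socket "$HOME/.gnupg/S.gpg-agent.extra"
# Remote side: sshd_config should allow stream-local forwarding and set
#   StreamLocalBindUnlink yes
# so a socket file left behind by an earlier session cannot block the bind.

# Return 0 only when PATH exists and is a Unix domain socket. Forwarding a
# missing or wrong path does not fail at connect time, only at first use.
is_socket() {
    [ -S "$1" ]
}

# Compose the ssh command. Only the *extra* socket is forwarded: it is the
# socket gpg-agent intends for remote use, so the remote host can sign and
# decrypt with the local keys but never receives the key material itself.
# -R remote:local  makes connections to the remote socket arrive locally.
forward_cmd() {
    host=$1 local_sock=$2 remote_sock=$3
    printf 'ssh -o StreamLocalBindUnlink=yes -R %s:%s %s\n' \
        "$remote_sock" "$local_sock" "$host"
}

main() {
    host=${1:?usage: $0 user@host /abs/remote/path/S.gpg-agent}
    remote_sock=${2:?remote socket path (absolute) required}
    local_sock=${EXTRA_SOCKET:-$HOME/.gnupg/S.gpg-agent.extra}
    if ! is_socket "$local_sock"; then
        echo "no gpg-agent extra socket at $local_sock; start the agent first" >&2
        return 1
    fi
    cmd=$(forward_cmd "$host" "$local_sock" "$remote_sock")
    echo "+ $cmd" >&2
    # Interactive session; gpg on the remote host now talks to the local agent.
    eval "$cmd"
}

# Run only when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Once connected, `gpg --list-secret-keys` on the remote host should show the local keys, and a `StreamLocalBindUnlink` error from sshd usually means the option is missing on the remote side.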