SSH generic socket forwarding for gpg-agent

Matthew Monaco matt at
Thu Feb 12 08:42:06 CET 2015

On 12/04/2014 01:23 AM, Werner Koch wrote:
> On Tue, 11 Nov 2014 18:35, matt at said:
>> Does anyone have gpg-agent forwarding working with SSH's recent generic socket
>> forwarding? Does it still require socat on one end, because I've only been able
>> to specify a socket path on the left-hand side of the forwarding
>> specification
> Yes, it works for me.  However, I tested it with the current development
> version of 2.1 which adds an extra features:
>    --extra-socket NAME
>           Also listen on native gpg-agent connections on the given
>           socket.  The intended use for this extra socket is to
>           setup a Unix domain socket forwarding from a remote
>           machine to this socket on the local machine.  A gpg
>           running on the remote machine may then connect to the
>           local gpg-agent and use its private keys.  This allows to
>           decrypt or sign data on a remote machine without exposing
>           the private keys to the remote machine.
> The documentation on how to use Unix domain sockets with ssh is a bit
> sparse.  You probably want to use "-o StreamLocalBindUnlink=yes" when
> connecting to the remote host and you have to enable the forwarding
> features (look for Stream* options).

Hey, thanks for the info! Just to follow up, I was able to get it working with e.g:

ssh <host> \
   -R <remote-homedir>/.gnupg/S.gpg-agent:<local-homedir>/.gnuppg/S.gpg-agent

However, this only works when the private material is in private-keys-v1.d; it
doesn't work with a smartcard =/

-oStreamLocalBindUnlick doesn't work either. I need to remove the socket on the
remote end manually.

And finally, I don't understand where --extra-socket comes into play here. In
the 2.1.1 release notes, you say it supports a restricted command set. Is there
a security risk, or is it just to prevent mistakes? Also, is the expected use
then to forward S.gpg-agent on the remote end to e.g., S.gpg-agent-extra on the
local, or should the remote end have a different name as well?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20150212/6526fc53/attachment.sig>

More information about the Gnupg-users mailing list