SSH generic socket forwarding for gpg-agent
matt at monaco.cx
Thu Feb 12 08:42:06 CET 2015
On 12/04/2014 01:23 AM, Werner Koch wrote:
> On Tue, 11 Nov 2014 18:35, matt at monaco.cx said:
>> Does anyone have gpg-agent forwarding working with SSH's recent generic socket
>> forwarding? Does it still require socat on one end, because I've only been able
>> to specify a socket path on the left-hand side of the forwarding
> Yes, it works for me. However, I tested it with the current development
> version of 2.1 which adds an extra features:
> --extra-socket NAME
> Also listen on native gpg-agent connections on the given
> socket. The intended use for this extra socket is to
> setup a Unix domain socket forwarding from a remote
> machine to this socket on the local machine. A gpg
> running on the remote machine may then connect to the
> local gpg-agent and use its private keys. This allows to
> decrypt or sign data on a remote machine without exposing
> the private keys to the remote machine.
> The documentation on how to use Unix domain sockets with ssh is a bit
> sparse. You probably want to use "-o StreamLocalBindUnlink=yes" when
> connecting to the remote host and you have to enable the forwarding
> features (look for Stream* options).
Hey, thanks for the info! Just to follow up, I was able to get it working with e.g:
ssh <host> \
However, this only works when the private material is in private-keys-v1.d; it
doesn't work with a smartcard =/
-oStreamLocalBindUnlick doesn't work either. I need to remove the socket on the
remote end manually.
And finally, I don't understand where --extra-socket comes into play here. In
the 2.1.1 release notes, you say it supports a restricted command set. Is there
a security risk, or is it just to prevent mistakes? Also, is the expected use
then to forward S.gpg-agent on the remote end to e.g., S.gpg-agent-extra on the
local, or should the remote end have a different name as well?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 473 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-users