SSH generic socket forwarding for gpg-agent

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Feb 16 10:15:10 CET 2015


On Mon 2015-02-16 02:50:15 -0500, Doug Barton wrote:
> On 2/15/15 11:41 PM, Daniel Kahn Gillmor wrote:
>> In situations where you want to make sure that you know (and approve of)
>> the use of the agent by the remote machine, you'd like a prompt to
>> appear within your (local, trusted) environment.
>
> agent forwarding is off by default, and has to be enabled either on the 
> command line, or in a config file. Why is further user interaction on 
> this point necessary/desirable?

Because saying "i want to forward my agent to remote system X so that i
can sign a couple of specific messages on that host" is different than
saying "i want to forward my agent to remote system X so that X can make
as many uses of my agent's secret key material as can be pushed down the
network pipe".

We're now explicitly enabling people to forward the agent
(e.g. --extra-socket in gpg-agent(1)); we should be providing
appropriate usage controls to accompany that functionality.

   --dkg
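The control dkg is asking for does not exist as a single switch, but the closest thing available in stock gpg-agent is to forward only the restricted extra socket and to disable passphrase caching, so that every signing request arriving from the remote host triggers a pinentry prompt in the local, trusted environment. The following is an added example, not code from the thread or from GnuPG: it emits the ssh_config stanza for forwarding the socket, audits a (constructed) local gpg-agent.conf for cache settings that would let a remote host reuse an unlocked key silently, and rewrites those settings. The socket paths, host name and file contents are assumptions; on a real system the paths come from `gpgconf --list-dirs agent-extra-socket` (local) and `gpgconf --list-dirs agent-socket` (remote).

```shell
#!/bin/sh
# Added example: forwarding gpg-agent's restricted "extra" socket over SSH
# and auditing the local agent config so each remote use prompts locally.

# Constructed sample of a local ~/.gnupg/gpg-agent.conf (not a real file).
SAMPLE_AGENT_CONF="$(mktemp)"
cat > "$SAMPLE_AGENT_CONF" <<'EOF'
# constructed sample gpg-agent.conf
extra-socket /home/alice/.gnupg/S.gpg-agent.extra
default-cache-ttl 600
max-cache-ttl 7200
EOF

# forward_stanza HOST LOCAL_SOCKET REMOTE_SOCKET
# Print an ssh_config stanza that forwards the local restricted socket to the
# path the remote gpg expects. The remote sshd needs StreamLocalBindUnlink yes
# so a stale socket file from a previous session can be replaced.
forward_stanza() {
  printf 'Host %s\n' "$1"
  printf '    RemoteForward %s %s\n' "$3" "$2"
}

# audit_agent_conf FILE
# Exit 0 only if both cache TTLs are 0, i.e. no passphrase is cached and every
# use of the key (local or forwarded) goes through pinentry. Missing options
# fall back to gpg-agent's defaults of 600 and 7200 seconds.
audit_agent_conf() {
  awk '
    /^[[:space:]]*#/ { next }
    $1 == "default-cache-ttl" { d = $2 }
    $1 == "max-cache-ttl"     { m = $2 }
    END {
      if (d == "") d = 600
      if (m == "") m = 7200
      if (d == 0 && m == 0) exit 0
      exit 1
    }' "$1"
}

# harden_agent_conf FILE
# Print FILE with both cache TTLs forced to 0; all other lines are kept.
harden_agent_conf() {
  awk '
    $1 == "default-cache-ttl" || $1 == "max-cache-ttl" { print $1, 0; next }
    { print }' "$1"
}

# Demonstration when run directly (hypothetical host and socket paths).
forward_stanza buildbox.example \
  /home/alice/.gnupg/S.gpg-agent.extra /home/bob/.gnupg/S.gpg-agent
if audit_agent_conf "$SAMPLE_AGENT_CONF"; then
  echo "agent config: every use will prompt locally"
else
  echo "agent config: cached passphrase lets the remote host reuse the key"
  echo "--- hardened config ---"
  harden_agent_conf "$SAMPLE_AGENT_CONF"
fi
```

With a zero TTL the trade-off is obvious: signing ten messages on the remote host means ten local prompts, which is exactly the "know and approve of each use" behaviour the thread asks for. It does not limit which operations the remote may request; the restricted socket already refuses key export and other management commands, and anything finer than that still needs the usage controls dkg is arguing for.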
