gpg invocation on machines sharing an NFS-mounted $HOME totally broken with 2.1 (was Re: agent forwarding (via ssh)...)

Nix nix at esperi.org.uk
Mon Sep 21 13:58:17 CEST 2015


On 21 Sep 2015, nix at esperi.org.uk told this:
> The underlying problem here is that Unix-domain sockets with a fixed name
> and shared filesystems are simply not compatible concepts, because
> AF_UNIX bind() always creates a new file so any given socket can only be
> used in one machine in a cluster at once, even though AF_UNIX sockets
> are purely local. Because of this, gpg 2.1 *has* to grow back an option
> to allow its agent socket to be moved, either to a different path or to
> a machine-unique name (preferably the former, it's less messy), or gpg
> agent forwarding will forever be hopeless on machines with NFS-mounted
> $HOMEs.

It's even worse than that. Just *attempting* to do a GPG operation, even
if it's bound to fail because no agent forwarding is in place, will
autostart an agent and break the agent connection on the original
machine, destroying the world in fire.

nix at mutilate 213 /home/nix% gpg-connect-agent /bye
gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: connection to agent established

nix at mutilate 214 /home/nix% ls -li .gnupg/S.gpg-agent*
529 srwxr-xr-x 1 nix users 0 Sep 21 12:53 .gnupg/S.gpg-agent
537 srwxr-xr-x 1 nix users 0 Sep 21 12:53 .gnupg/S.gpg-agent.ssh

nix at mutilate 215 /home/nix% gpg --card-status

Application ID ...: D2760001240102000006036395400000
Version ..........: 2.0
Manufacturer .....: Yubico
[...]

nix at mutilate 216 /home/nix% ssh spindle gpg --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error

nix at mutilate 217 /home/nix% ls -li .gnupg/S.gpg-agent*
371 srwxr-xr-x 1 nix users 0 Sep 21 12:55 .gnupg/S.gpg-agent
498 srwxr-xr-x 1 nix users 0 Sep 21 12:55 .gnupg/S.gpg-agent.ssh

# oops!

nix at mutilate 218 /home/nix% gpg --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error

We are now in serious trouble -- gpg-agent cannot do anything, and half
the time it's wedged so hard only kill -9 will get rid of it.

-- 
NULL && (void)
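The mechanism behind the changing inode numbers in the ls output above (529 -> 371, 537 -> 498), as an added Python demonstration that is not part of the original message or of GnuPG: two listeners stand in for the agents on the two hosts sharing one $HOME, and the unlink-then-rebind step is an assumption about how an autostarted agent treats a socket file it cannot connect to.

```python
import os
import socket
import tempfile


def agent_bind(path):
    """Bind a listening AF_UNIX socket at `path` the way an autostarted agent
    is assumed to when the name already exists: unlink the stale-looking
    file, then bind.  Returns the socket and the inode of the new socket file."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)          # bind() always creates a fresh filesystem entry
    srv.listen(1)
    return srv, os.stat(path).st_ino


def demo():
    """Simulate two hosts racing over one shared socket path (constructed
    scenario).  Returns what each 'agent' observes afterwards."""
    home = tempfile.mkdtemp()                    # stands in for the NFS $HOME
    path = os.path.join(home, "S.gpg-agent")
    first, ino1 = agent_bind(path)               # agent on host A
    # On host B a plain bind() to the existing name is refused (EADDRINUSE)...
    probe = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        probe.bind(path)
        refused = False
    except OSError:
        refused = True
    probe.close()
    # ...so an agent on B removes the file and rebinds, which silently
    # repoints the shared name at B's socket (the inode changes, as in ls -li).
    second, ino2 = agent_bind(path)
    # A client on either host now reaches B's agent.  A's agent is still
    # listening on its old fd, but no filesystem name refers to it any more.
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.connect(path)
    conn, _ = second.accept()
    first.settimeout(0)                          # non-blocking: did A get it?
    try:
        first.accept()
        first_got_client = True
    except BlockingIOError:
        first_got_client = False
    for s in (conn, client, first, second):
        s.close()
    os.unlink(path)
    os.rmdir(home)
    return {"plain_rebind_refused": refused,
            "socket_file_replaced": ino1 != ino2,
            "first_agent_orphaned": not first_got_client}
```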
