gpg agent forwarding (via ssh) totally broken with 2.1 and NFS-mounted $HOME

Nix nix at esperi.org.uk
Mon Sep 21 18:49:06 CEST 2015


On 21 Sep 2015, Werner Koch spake thusly:

> On Mon, 21 Sep 2015 13:44, nix at esperi.org.uk said:
>
>> catastrophically bad effects on agent forwarding when used in
>> conjunction with an NFS-mounted $HOME.
>
> I know that it is not yet well documented, but there is a solution for
> remote file systems which do not allow for special files.

Excellent! My google-fu is obviously weak, since I didn't find bug 1752
even though it explicitly mentioned nfs in its title.

(It's not that the fs doesn't allow for special files -- it's that it's
distributed, but the semantics of AF_UNIX socket creation assume that it
isn't.)

> You create a plain file ~/.gnupg/S.gpg-agent with this content:
>
> %Assuan%
> socket=NAME
>
> Where NAME is the actual socket to use.  No white spaces are allowed,
> both lines must be terminated by a single linefeed, and extra lines are
> not allowed.  Environment variables are interpreted in NAME if given in
> '${VAR}' notation.

Useful! ... though this seems more likely to be *used* if it applied to
all assuan sockets at once, rather than one at a time.

(A good start on that would be to define an escape which expands to the
basename of the file itself, so you can just copy one file repeatedly to
handle the common case of moving the file to a different directory but
leaving its name the same, rather than having to modify each one to put
its own name in it.)

It seems to work much better now, though of course only assuan can
follow these links, so your SSH_AUTH_SOCK has to point at wherever you
pointed them, as does your ssh agent forwarding.

>                     No escape characters are defined; if the string '${'
> needs to be used in a file name, an environment variable with that content
> may be used.

Anyone actually doing *that* needs their head examined, but at least
it's allowed for! :)

-- 
NULL && (void)
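Added example, not from the thread or from GnuPG itself: a small POSIX shell helper that does what the messages above describe by hand. It writes a redirect file per socket name (each file carrying its own basename in the target path, the "copy one file repeatedly" case Nix asks for), checks an existing redirect against the rules Werner gives (exactly two lines, `%Assuan%` then `socket=NAME`, no whitespace, each line ended by one linefeed, nothing after), and expands `${VAR}` in NAME the same way, with no escape syntax. The directory, the variable name `GR_RUNDIR` and the socket file names used below are assumptions for illustration; the real socket location is whatever the local agent uses.

```shell
#!/bin/sh
# Helper for GnuPG 2.1 Assuan socket redirect files (example code, not part of
# GnuPG). A redirect is a plain file in ~/.gnupg that names the real socket, so
# the socket itself can live on a local filesystem while $HOME is on NFS.

ob='${'   # opening of a variable reference in NAME
cb='}'    # closing brace

# expand_name STRING: substitute every '${VAR}' with the value of VAR.
# Only the braced form is recognised and there are no escape characters,
# matching the format quoted in the thread. Fails on a non-identifier name
# so nothing untrusted ever reaches eval.
expand_name() {
    s=$1
    out=
    while :; do
        case $s in
            *"$ob"*"$cb"*)
                pre=${s%%"$ob"*}        # text before the first '${'
                rest=${s#*"$ob"}        # text after it
                var=${rest%%"$cb"*}     # the variable name
                s=${rest#*"$cb"}        # what is left to scan
                case $var in
                    [A-Za-z_]*) case $var in *[!A-Za-z0-9_]*) return 1;; esac;;
                    *) return 1;;
                esac
                eval "val=\${$var-}"    # unset variables expand to nothing
                out=$out$pre$val
                ;;
            *) out=$out$s; break;;
        esac
    done
    printf '%s\n' "$out"
}

# write_redirect DIR NAME TARGET_DIR: create DIR/NAME pointing at
# TARGET_DIR/NAME. TARGET_DIR may contain '${VAR}' references, which are
# written literally and resolved by the client. Whitespace is rejected
# because the format does not allow it.
write_redirect() {
    dir=$1 name=$2 target_dir=$3
    target=$target_dir/$name
    case $target in
        *[[:space:]]*) echo "whitespace not allowed in $target" >&2; return 1;;
    esac
    # Two lines, each terminated by exactly one linefeed, nothing else.
    ( umask 077; printf '%%Assuan%%\nsocket=%s\n' "$target" > "$dir/$name" )
}

# validate_redirect FILE: enforce the format rules and print the raw NAME
# (unexpanded) on success; return 1 on any deviation.
validate_redirect() {
    f=$1
    [ -f "$f" ] || return 1
    # Exactly two linefeeds in the file, and the last byte is one of them:
    # no unterminated third line, no blank trailing line, no CRLF endings.
    [ "$(wc -l < "$f" | tr -d ' ')" = 2 ] || return 1
    [ "$(tail -c 1 "$f" | od -An -tx1 | tr -d ' ')" = 0a ] || return 1
    line1=$(sed -n 1p "$f")
    line2=$(sed -n 2p "$f")
    [ "$line1" = '%Assuan%' ] || return 1
    case $line2 in socket=?*) ;; *) return 1;; esac
    name=${line2#socket=}
    case $name in *[[:space:]]*) return 1;; esac
    printf '%s\n' "$name"
}

# resolve_redirect FILE: validated and expanded socket path.
resolve_redirect() {
    raw=$(validate_redirect "$1") || return 1
    expand_name "$raw"
}

# redirect_target_is_socket FILE: true when the redirect resolves to an
# existing AF_UNIX socket, i.e. the agent is actually reachable through it.
redirect_target_is_socket() {
    path=$(resolve_redirect "$1") || return 1
    [ -S "$path" ]
}
```

Typical use is `for n in S.gpg-agent S.gpg-agent.ssh; do write_redirect ~/.gnupg "$n" '${GR_RUNDIR}/gnupg'; done` on the machine with the NFS home, after which `resolve_redirect ~/.gnupg/S.gpg-agent.ssh` gives the path that SSH_AUTH_SOCK and the ssh agent-forwarding configuration must use, since only Assuan clients follow the redirect file itself.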