Why doesn't gpg-agent forwarding work?

Thomas Glanzmann thomas at glanzmann.de
Tue Oct 18 21:58:12 CEST 2016


Hello Kevin,

> Thanks for the advice. But as I mentioned, I tried using GnuPG 2.1.15
> on the target machine as well (via the packages in Debian sid), and
> this did not work. gpg2 is simply not speaking to the forwarded
> gpg-agent socket, however gpg-connect-agent can. Any other ideas?

Check your configuration (gpg-agent.conf and gpg.conf). You have to put
these two files on the remote and local machine. Also understand how gpg
2.1.x interacts with gnupg from the diagram below. Enable debugging in
the gpg agent.

Forward GPG socket
------------------
# On the server
sudo sh -c "echo 'StreamLocalBindUnlink yes' >> /etc/ssh/sshd_config"
sudo /etc/init.d/ssh restart

# On the client
ssh -R /home/sithglan/.gnupg/S.gpg-agent:/home/sithglan/.gnupg/S.gpg-agent-extra gmvl.de

List secret keys
----------------
gpg-connect-agent "keyinfo --list" /bye

GPG Agent Configuration
-----------------------
.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry
extra-socket /home/sithglan/.gnupg/S.gpg-agent-extra
enable-ssh-support
default-cache-ttl 600
max-cache-ttl 7200
keep-tty
keep-display
# debug-level guru
# debug-all
# log-file /tmp/gpg-agent.log

Remote GPG Setup
----------------
# Caution: make a backup first
rm .gnupg/secring* .gnupg/pubring* .gnupg/private-keys-v1.d/*
# For every public key
gpg2 --recv-key 0x9D106472D6D50DBA
gpg2 --recv-key 0x03BF970657E19B02

# After that private keys should be listed
gpg2 -K

cat <<EOF > .gnupg/gpg.conf
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options no-honor-keyserver-url
cert-digest-algo SHA512
no-greeting
lock-once
default-key 1DD3BBDC897A94CD03F451B09D106472D6D50DBA
encrypt-to 1DD3BBDC897A94CD03F451B09D106472D6D50DBA
keyid-format 0xlong
use-agent
with-fingerprint
quiet
default-recipient-self
no-secmem-warning
keyserver-options auto-key-retrieve
no-auto-check-trustdb
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
EOF

GNUPG Interaction
-----------------

Here are the steps and the interaction.

(1) here are the processes
 [gpgme]----[gpg]====[gpg-agent]----[scdaemon]
                  ^--- possibly by forwarded socket

(2) A client program (Mutt, in your case) asks for decryption through gpgme
       decrypt
 [gpgme]--->[gpg]----[gpg-agent]----[scdaemon]

(3) it goes to scdaemon
               decrypt
 [gpgme]----[gpg]--->[gpg-agent]----[scdaemon]

                              decrypt
 [gpgme]----[gpg]----[gpg-agent]--->[scdaemon]

(4) if the token is not authenticated yet,
    scdaemon asks a user PIN back through gpg-agent
                               "PIN please"
 [gpgme]----[gpg]----[gpg-agent]<---[scdaemon]


(5) Then, gpg-agent invokes pinentry.
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
                          |
            [pinentry]<---/

(6) pinentry pops up a GUI dialog window to the user.
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
                          |
  User <----[pinentry]----/

(7) User inputs the PIN in the dialog.
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
                          |
  User ---->[pinentry]----/
        PIN

 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
                          ^
            [pinentry]----/
                      PIN

                                PIN
 [gpgme]----[gpg]----[gpg-agent]--->[scdaemon]

(8) scdaemon sends the pin to the token to authenticate.
                                              PIN
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token]

(9) Token is ready to decrypt, now.
    scdaemon sends encrypted message to the token.
                                              decrypt
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token]

(10) Token replies with the decrypted message.... back to gpgme.
                                            decrypted
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]<--[token]

                                decrypted
 [gpgme]----[gpg]----[gpg-agent]<---[scdaemon]

                 decrypted
 [gpgme]----[gpg]<---[gpg-agent]----[scdaemon]

       decrypted
 [gpgme]<---[gpg]----[gpg-agent]----[scdaemon]

Cheers,
        Thomas
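The socket forwarding Thomas describes above has two parts that are easy to get out of step: the local extra-socket path in gpg-agent.conf and the StreamLocalBindUnlink setting in the remote sshd_config. The following helper script is an added example, not code from the mail or from GnuPG; it reads both files (paths passed as arguments, the user and socket layout are assumed to match the mail) and derives the `ssh -R` argument so the forward is built from the configuration rather than typed by hand.

```shell
#!/bin/sh
# Added example (not from the original mail). Builds the ssh -R argument
# for gpg-agent forwarding from gpg-agent.conf and checks sshd_config.

# Print the extra-socket path configured in a gpg-agent.conf. If the
# directive is absent, fall back to S.gpg-agent-extra next to the config
# file (an assumption; on recent GnuPG 2.1 releases the agent may use a
# socket directory under /run/user instead, so confirm with
# `gpgconf --list-dirs agent-socket`).
extra_socket_path() {
    conf="$1"
    path=$(sed -n 's/^[[:space:]]*extra-socket[[:space:]]\{1,\}//p' "$conf" | head -n 1)
    if [ -z "$path" ]; then
        path="$(dirname "$conf")/S.gpg-agent-extra"
    fi
    printf '%s\n' "$path"
}

# Build the -R argument: the remote S.gpg-agent path (what remote gpg2
# connects to) on the left, the local restricted extra socket on the right.
forward_arg() {
    remote_gnupg="$1"
    local_extra="$2"
    printf '%s\n' "${remote_gnupg}/S.gpg-agent:${local_extra}"
}

# Return 0 if sshd_config enables StreamLocalBindUnlink, 1 otherwise.
# Without it sshd cannot replace a socket file already present on the
# remote side, and the forward fails without gpg2 ever reaching the agent.
sshd_unlink_enabled() {
    grep -Eiq '^[[:space:]]*StreamLocalBindUnlink[[:space:]]+yes' "$1"
}

# Example use with the paths from the mail (run on the client, with the
# remote sshd_config copied over or checked via ssh):
#   ssh -R "$(forward_arg /home/sithglan/.gnupg \
#       "$(extra_socket_path "$HOME/.gnupg/gpg-agent.conf")")" gmvl.de
```

On the remote host, `gpgconf --list-dirs agent-socket` reports the socket path gpg2 actually uses; if it differs from the left-hand side of the `-R` argument, gpg2 will not see the forwarded agent even though `gpg-connect-agent` pointed at the forwarded file does.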


