Why doesn't gpg-agent forwarding work?

Kevin Gallagher kevin at z.cash
Sun Oct 23 09:34:14 CEST 2016


Ok, I figured out the cause of the problem I was having. As is indicated
in your message, one must have the corresponding public keys in the
remote keyring before the secret keys from the forwarded gpg-agent are
listed as available.

Thank you Thomas. I hope others will find this useful.


On 10/18/2016 12:58 PM, Thomas Glanzmann wrote:
> Hello Kevin,
>
>> Thanks for the advice. But as I mentioned, I tried using GnuPG 2.1.15
>> on the target machine as well (via the packages in Debian sid), and
>> this did not work. gpg2 is simply not speaking to the forwarded
>> gpg-agent socket, however gpg-connect-agent can. Any other ideas?
> Check your configuration (gpg-agent.conf and gpg.conf). You have to put
> these two files on the remote and local machine. Also understand how gpg
> 2.1.x interacts with gnupg from the diagram below. Enable debugging in
> the gpg agent.
>
> Forward GPG socket
> ------------------
> # On the server
> echo 'StreamLocalBindUnlink yes' >> /etc/ssh/sshd_config
> sudo /etc/init.d/ssh restart
>
> # On the client
> ssh -R /home/sithglan/.gnupg/S.gpg-agent:/home/sithglan/.gnupg/S.gpg-agent-extra gmvl.de
>
> List secret keys
> ----------------
> gpg-connect-agent "keyinfo --list" /bye
>
> GPG Agent Configuration
> -----------------------
> .gnupg/gpg-agent.conf
> pinentry-program /usr/bin/pinentry
> extra-socket /home/sithglan/.gnupg/S.gpg-agent-extra
> enable-ssh-support
> default-cache-ttl 600
> max-cache-ttl 7200
> keep-tty
> keep-display
> # debug-level guru
> # debug-all
> # log-file /tmp/gpg-agent.log
>
> Remote GPG Setup
> ----------------
> # Warning: make a backup first
> rm .gnupg/secring* .gnupg/pubring* .gnupg/private-keys-v1.d/*
> # For every public key
> gpg2 --recv-key 0x9D106472D6D50DBA
> gpg2 --recv-key 0x03BF970657E19B02
>
> # After that private keys should be listed
> gpg2 -K
>
> cat <<EOF > .gnupg/gpg.conf
> keyserver hkps://hkps.pool.sks-keyservers.net
> keyserver-options no-honor-keyserver-url
> cert-digest-algo SHA512
> no-greeting
> lock-once
> default-key 1DD3BBDC897A94CD03F451B09D106472D6D50DBA
> encrypt-to 1DD3BBDC897A94CD03F451B09D106472D6D50DBA
> keyid-format 0xlong
> use-agent
> with-fingerprint
> quiet
> default-recipient-self
> no-secmem-warning
> keyserver-options auto-key-retrieve
> no-auto-check-trustdb
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
> EOF
>
> GNUPG Interaction
> -----------------
>
> Here are steps and the interaction.
>
> (1) here are the processes
>  [gpgme]----[gpg]====[gpg-agent]----[scdaemon]
>                   ^--- possibly by forwarded socket
>
> (2) A client program (Mutt, in your case) asks decryption through gpgme
>        decrypt
>  [gpgme]--->[gpg]----[gpg-agent]----[scdaemon]
>
> (3) it goes to scdaemon
>                decrypt
>  [gpgme]----[gpg]--->[gpg-agent]----[scdaemon]
>
>                               decrypt
>  [gpgme]----[gpg]----[gpg-agent]--->[scdaemon]
>
> (4) if the token is not authenticated yet,
>     scdaemon asks a user PIN back through gpg-agent
>                                "PIN please"
>  [gpgme]----[gpg]----[gpg-agent]<---[scdaemon]
>
>
> (5) Then, gpg-agent invokes pinentry.
>  [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
>                           |
>             [pinentry]<---/
>
> (6) pinentry pops up GUI dialog window to user.
>  [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
>                           |
>   User <----[pinentry]----/
>
> (7) User inputs PIN by the dialog.
>  [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
>                           |
>   User ---->[pinentry]----/
>         PIN
>
>  [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
>                           ^
>             [pinentry]----/
>                       PIN
>
>                                 PIN
>  [gpgme]----[gpg]----[gpg-agent]--->[scdaemon]
>
> (8) scdaemon sends the pin to the token to authenticate.
>                                               PIN
>  [gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token]
>
> (9) Token is ready to decrypt, now.
>     scdaemon sends encrypted message to the token.
>                                               decrypt
>  [gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token]
>
> (10) token replies back by decrypted message.... to gpgme.
>                                             decrypted
>  [gpgme]----[gpg]----[gpg-agent]----[scdaemon]<--[token]
>
>                                 decrypted
>  [gpgme]----[gpg]----[gpg-agent]<---[scdaemon]
>
>                  decrypted
>  [gpgme]----[gpg]<---[gpg-agent]----[scdaemon]
>
>        decrypted
>  [gpgme]<---[gpg]----[gpg-agent]----[scdaemon]
>
> Cheers,
>         Thomas
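As an added example (not from this thread or from GnuPG itself), a small shell check for the cause Kevin found: it compares the keygrips the forwarded gpg-agent reports against the keygrips the remote public keyring knows and prints those with no public key, which are exactly the secret keys `gpg2 -K` will not show. The sample outputs and keygrips below are constructed; the record formats assumed are those of `gpg-connect-agent "keyinfo --list" /bye` and `gpg2 --with-keygrip --with-colons --list-keys`.

```shell
# Constructed sample: what the forwarded agent reports (two keygrips)...
SAMPLE_AGENT='S KEYINFO AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA D - - - P - - -
S KEYINFO BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB D - - - P - - -
OK'

# ...and a constructed remote keyring that only knows the first one.
SAMPLE_KEYRING='pub:u:4096:1:0123456789ABCDEF:1400000000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1400000000::0000000000000000000000000000000000000000::Example User <user at example.invalid>::::::::::0:'

# missing_pubkeys AGENT_OUTPUT KEYRING_OUTPUT
# Prints one keygrip per line for every agent key that has no matching
# public key in the keyring output.
missing_pubkeys() {
    agent_out=$1
    keyring_out=$2
    # keyinfo lines look like: S KEYINFO <keygrip> <type> ... ; keygrip is field 3
    agent_grips=$(printf '%s\n' "$agent_out" | awk '$1 == "S" && $2 == "KEYINFO" { print $3 }')
    # --with-colons emits one "grp" record per (sub)key; keygrip is field 10
    known_grips=$(printf '%s\n' "$keyring_out" | awk -F: '$1 == "grp" { print $10 }')
    known_padded=" $(printf '%s' "$known_grips" | tr '\n' ' ') "
    for g in $agent_grips; do
        case "$known_padded" in
            *" $g "*) ;;                 # public key present, nothing to do
            *) printf '%s\n' "$g" ;;     # import this key's public part (gpg2 --recv-key ...)
        esac
    done
}

# Live use on the remote host, once the socket is forwarded:
# missing_pubkeys "$(gpg-connect-agent 'keyinfo --list' /bye)" \
#                 "$(gpg2 --with-keygrip --with-colons --list-keys)"
missing_pubkeys "$SAMPLE_AGENT" "$SAMPLE_KEYRING"
```

Any keygrip printed is a secret key the agent can serve but the remote gpg2 cannot use until its public key is in the remote keyring.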
