GPG agent forward on Debian: setting pinentry mode 'loopback' failed: Forbidden

Oz Tiram oz.tiram at gmail.com
Tue Nov 3 21:29:23 CET 2020


Hi,

I spent quite some time trying to set up gpg agent forwarding between two
machines (running Debian), but I can't get this to work with the
instructions from the gpg wiki.

Background

I spent quite some time trying to solve this problem without success. I
have 2 Debian testing machines with GPG version:

~$ gpg --version
gpg (GnuPG) 2.2.20
libgcrypt 1.8.6

GPG agent should be forwarded from one machine (local) to the other
(remote). On the local machine, I have the following settings:

~$ cat .gnupg/gpg.conf
use-agent
pinentry-mode loopback
~$ cat .gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry
no-grab
default-cache-ttl 1800
enable-ssh-support
allow-loopback-pinentry

And also:

Host debian-remote
    Hostname 192.168.122.72
    RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra
    ExitOnForwardFailure yes

On the remote machine:

I set in /etc/ssh/sshd_config:

StreamLocalBindUnlink yes

I copied over pubring.kbx with:

scp .gnupg/pubring.kbx 192.168.122.72:/home/debian/.gnupg/

Finally, I created an encrypted file and copied it over:

$ echo TEST | gpg --encrypt -r myUserId > out
$ scp out debian-remote:~/out

When I ssh to the remote machine, I see the following:

$ ssh -v -A debian-remote
...
debug1: Remote connections from /run/user/1000/gnupg/S.gpg-agent:-2 forwarded to local address /run/user/1000/gnupg/S.gpg-agent.extra:-2
debug1: ssh_init_forwarding: expecting replies for 1 forwards
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/debian/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/debian/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: remote forward success for: listen /run/user/1000/gnupg/S.gpg-agent:-2, connect /run/user/1000/gnupg/S.gpg-agent.extra:-2
debug1: forwarding_success: all expected forwarding replies received
debug1: Requesting authentication agent forwarding.
...
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Nov  3 18:45:13 2020 from 192.168.122.202
$

Seems OK so far.

However, I can't decrypt secrets using this agent:

$ gpg --decrypt out
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 3 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: connect_next: host /run/user/1000/gnupg/S.gpg-agent.extra ([unix]:/run/user/1000/gnupg/S.gpg-agent.extra) in progress, fd=7
debug1: channel 1: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 1: connected to /run/user/1000/gnupg/S.gpg-agent.extra port -2
gpg: encrypted with 2048-bit RSA key, ID 268570EF8062F280, created 2013-11-23
    ...
gpg: public key decryption failed: Inappropriate ioctl for device
gpg: decryption failed: No secret key


When I forward the regular socket with:

Host debian-remote
    Hostname 192.168.122.72
    RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent
    ExitOnForwardFailure yes


I can decrypt secrets as expected.

However, I guess I should not be doing that. Hence, I'm still struggling
with what should be done to allow decrypting with the GPG agent's extra
socket on the remote host.

Oddly, the above settings for gpg.conf and gpg-agent.conf are taken from
the first result on DDG
<https://d.sb/2016/11/gpg-inappropriate-ioctl-for-device-errors> for
"gpg Inappropriate ioctl for device", but I still get this error.
I would appreciate any help here.

Best regards,
Oz
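The thread ends without a resolution, so here is an added example, written for this page and not taken from the post, GnuPG or OpenSSH, that lints the three files involved for the pitfalls the thread touches on: forwarding the unrestricted S.gpg-agent socket instead of the restricted S.gpg-agent.extra socket that gpg-agent provides for exactly this purpose (the poster's "I guess I should not be doing that"), a gpg.conf on the remote side that still asks for `pinentry-mode loopback`, which gpg-agent refuses on a restricted connection with the "setting pinentry mode 'loopback' failed: Forbidden" error in the subject line, and a remote sshd_config without `StreamLocalBindUnlink yes`. All inputs are constructed strings mirroring the post; the finding codes and helper names are assumptions of this example. It does not diagnose the "Inappropriate ioctl for device" error itself, which the thread leaves open.

```python
"""Lint a gpg-agent forwarding setup for the pitfalls raised in the thread.

Added example; not code from the original post, GnuPG or OpenSSH. It works
on pasted text from ~/.ssh/config (local side), the gpg.conf the remote gpg
will read, and the remote sshd_config. Sample inputs are constructed.
"""
import re

# Constructed sample: forwards the FULL local agent socket (what the poster
# found "works" but guessed should not be done).
SSH_CONFIG_FULL_SOCKET = """\
Host debian-remote
    Hostname 192.168.122.72
    RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent
    ExitOnForwardFailure yes
"""

# Constructed sample: forwards the restricted "extra" socket instead.
SSH_CONFIG_EXTRA_SOCKET = """\
Host debian-remote
    Hostname 192.168.122.72
    RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra
    ExitOnForwardFailure yes
"""

REMOTE_GPG_CONF_LOOPBACK = "use-agent\npinentry-mode loopback\n"  # constructed
REMOTE_GPG_CONF_PLAIN = "use-agent\n"                             # constructed
SSHD_CONFIG_NO_UNLINK = "PermitRootLogin no\n"                    # constructed
SSHD_CONFIG_UNLINK = "PermitRootLogin no\nStreamLocalBindUnlink yes\n"


def parse_ssh_host(text, host):
    """Collect one `Host` stanza as {lowercase key: [values]}.

    Handles the space-separated form used in the thread, not the
    `Key=Value` form that ssh_config also accepts.
    """
    opts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "host":
            current = value.strip()
        elif current == host:
            opts.setdefault(key, []).append(value.strip())
    return opts


def lint_forwarding(ssh_config, host, remote_gpg_conf, remote_sshd_config):
    """Return a list of (code, message) findings; empty means no known pitfall."""
    findings = []
    opts = parse_ssh_host(ssh_config, host)

    for spec in opts.get("remoteforward", []):
        parts = spec.split()
        if len(parts) != 2:
            findings.append(("bad-remoteforward", f"cannot parse RemoteForward {spec!r}"))
            continue
        remote_listen, local_connect = parts
        # S.gpg-agent.extra is gpg-agent's restricted socket meant for
        # forwarding; the plain S.gpg-agent socket hands the remote host
        # the full, unrestricted agent.
        if local_connect.endswith("/S.gpg-agent"):
            findings.append(("full-socket-forwarded",
                             f"{local_connect} is the unrestricted agent socket; forward the "
                             ".extra socket (gpgconf --list-dirs agent-extra-socket)"))
        elif not local_connect.endswith("/S.gpg-agent.extra"):
            findings.append(("unknown-local-socket", f"unexpected local socket {local_connect}"))
        # On the remote, gpg connects to its own plain agent socket name.
        if not remote_listen.endswith("/S.gpg-agent"):
            findings.append(("bad-remote-listen",
                             f"{remote_listen} is not where remote gpg looks "
                             "(gpgconf --list-dirs agent-socket on the remote host)"))

    if [v.lower() for v in opts.get("exitonforwardfailure", [])] != ["yes"]:
        findings.append(("no-exitonforwardfailure",
                         "set ExitOnForwardFailure yes so a failed socket forward is not silent"))

    # A restricted connection refuses loopback pinentry:
    # "setting pinentry mode 'loopback' failed: Forbidden".
    if re.search(r"(?m)^\s*pinentry-mode\s+loopback\b", remote_gpg_conf):
        findings.append(("loopback-over-restricted",
                         "remote gpg.conf sets pinentry-mode loopback, which gpg-agent forbids "
                         "over the extra socket; let the local pinentry prompt instead"))

    # Without StreamLocalBindUnlink a stale socket file left by an earlier
    # session blocks the new remote forward.
    if not re.search(r"(?m)^\s*StreamLocalBindUnlink\s+yes\b", remote_sshd_config, re.I):
        findings.append(("no-streamlocalbindunlink",
                         "remote sshd_config lacks StreamLocalBindUnlink yes"))
    return findings


def codes(findings):
    """Just the finding codes, in order, for quick comparison."""
    return [code for code, _ in findings]


if __name__ == "__main__":
    for code, msg in lint_forwarding(SSH_CONFIG_FULL_SOCKET, "debian-remote",
                                     REMOTE_GPG_CONF_LOOPBACK, SSHD_CONFIG_NO_UNLINK):
        print(f"[{code}] {msg}")
```

On a real pair of hosts, take the two socket paths from `gpgconf --list-dirs agent-extra-socket` on the local machine and `gpgconf --list-dirs agent-socket` on the remote one rather than hard-coding /run/user/1000, since the directory changes whenever the two user IDs differ.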