Unable to RemoteForward Yubikey: gpg: error getting version from 'scdaemon': Forbidden

Ave Milia avemilia at protonmail.com
Thu Sep 3 02:13:48 CEST 2020


I am trying to forward gpg-agent from Windows (local) to Linux (remote) in order to use the Yubikey at full capacity on the remote. That means I am able to encrypt, decrypt and sign with the gpg key stored on the token, and use the ssh key stored on the token for authentication in the remote's environment.

On Windows I am using win32-openssh 8.0 and gpg 2.2.22, with two additional tools (described below). On Linux I am using openssh 8.3p1 and gpg 2.2.21.


[0] allows key-based SSH authentication to be used (it connects gpg-agent and pageant) when the SSH key is stored on the Yubikey. It makes pinentry ask for the Yubikey PIN. SSH_AUTH_SOCK is set to "\\.\pipe\ssh-pageant" before launching the program. It is launched like so:

    PS C:\Users\avemilia> wsl-ssh-pageant-amd64.exe --winssh ssh-pageant
    2020/09/03 00:06:39 Listening on named pipe: \\.\pipe\ssh-pageant

and produces no errors. See [1][2] as tracking issues for this feature in gpg and win32-openssh.


[3] is a bridge between Unix sockets and TCP sockets, used as a workaround for both win32-openssh and gpg. Win32-openssh is unable to parse Windows paths in config and gpg is unable to communicate with Unix sockets. See [4] as the tracking issue for this feature in win32-openssh, and perhaps [1] for gpg. Two instances are launched like so:

    PS C:\Users\avemilia> gpg-bridge.exe 127.0.0.1:<EXTRA_PORT> C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.extra

    PS C:\Users\avemilia> gpg-bridge.exe 127.0.0.1:<SSH_PORT> C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.ssh

and produce no errors. Both ports are in high numbers, working as intended.



This is the session I attempt, following instructions from [5]:

    PS C:\Users\avemilia> ssh pc
    <BANNER>
    Last login: Thu Sep  3 00:01:38 2020 from <LOCAL_IP>
    gpg-connect-agent: connection to agent is in restricted mode
    ❯ gpg --card-status
    gpg: error getting version from 'scdaemon': Forbidden
    gpg: selecting card failed: Forbidden
    gpg: OpenPGP card not available: Forbidden
    ❯
    Connection to <REMOTE_IP> closed.


/etc/ssh/sshd_config on remote:

    AllowUsers <USER>
    Port <EXTRA_PORT>
    ListenAddress <REMOTE_INTRANET_IP>
    AddressFamily inet
    Compression yes

    KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

    LogLevel VERBOSE
    Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO

    PermitRootLogin no
    PubkeyAuthentication yes
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    AuthenticationMethods publickey
    UsePAM yes

    AuthorizedKeysFile .ssh/authorized_keys
    PrintMotd no # pam does that
    Banner /etc/issue
    StreamLocalBindUnlink yes


.ssh/config on local:

    User <USER>
    Host pc
        Hostname <REMOTE_IP>
        Port     <REMOTE_PORT>
        RemoteForward /run/user/1000/gnupg/S.gpg-agent      127.0.0.1:<EXTRA_PORT>
        RemoteForward /run/user/1000/gnupg/S.gpg-agent.ssh  127.0.0.1:<SSH_PORT>


[5] does not mention ssh-agent forwarding, but googling about the "forbidden" problem yielded [6] which says: "If only forwarding the “extra” socket, you’ll receive these errors", which are the errors I receive.

Thus I added the ssh socket, but it didn't work out. This is the current state of the problem and I am stuck :(


This is how I [re]start gpg on remote before SSH session and stop after to collect logs:

    ❯ systemctl --user stop gpg-agent-browser.socket gpg-agent-extra.socket gpg-agent-ssh.socket gpg-agent.socket gpg-agent.service dirmngr.socket dirmngr.service
    ❯ systemctl --user start gpg-agent-browser.socket gpg-agent-extra.socket gpg-agent-ssh.socket gpg-agent.socket gpg-agent.service dirmngr.socket dirmngr.service
    ❯ systemctl --user stop gpg-agent-browser.socket gpg-agent-extra.socket gpg-agent-ssh.socket gpg-agent.socket gpg-agent.service dirmngr.socket dirmngr.service


This is how I [re]start gpg on local before SSH session and stop after to collect logs:

    PS C:\Users\avemilia> gpgconf --kill all
    PS C:\Users\avemilia> gpgconf --launch all
    PS C:\Users\avemilia> gpgconf --kill all



Below are logs and configs of gpg on local and remote with respect to these manipulations.

gpg-agent.log on remote:

2020-09-03 00:08:34 gpg-agent[785552] gpg-agent (GnuPG) 2.2.21 starting in supervised mode.
2020-09-03 00:08:34 gpg-agent[785552] using fd 3 for browser socket (/run/user/1000/gnupg/S.gpg-agent.browser)
2020-09-03 00:08:34 gpg-agent[785552] using fd 4 for extra socket (/run/user/1000/gnupg/S.gpg-agent.extra)
2020-09-03 00:08:34 gpg-agent[785552] using fd 5 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
2020-09-03 00:08:34 gpg-agent[785552] using fd 6 for std socket (/run/user/1000/gnupg/S.gpg-agent)
2020-09-03 00:08:34 gpg-agent[785552] listening on: std=6 extra=4 browser=3 ssh=5
2020-09-03 00:09:08 gpg-agent[785552] socket file has been removed - shutting down
2020-09-03 00:09:08 gpg-agent[785552] gpg-agent (GnuPG) 2.2.21 stopped
2020-09-03 00:15:58 gpg-agent[786612] listening on socket '/run/user/1000/gnupg/S.gpg-agent'
2020-09-03 00:15:58 gpg-agent[786612] listening on socket '/run/user/1000/gnupg/S.gpg-agent.extra'
2020-09-03 00:15:58 gpg-agent[786612] listening on socket '/run/user/1000/gnupg/S.gpg-agent.browser'
2020-09-03 00:15:58 gpg-agent[786612] listening on socket '/run/user/1000/gnupg/S.gpg-agent.ssh'
2020-09-03 00:15:58 gpg-agent[786613] gpg-agent (GnuPG) 2.2.21 started
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK Pleased to meet you, process 786610
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- RESET
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION ttyname=/dev/pts/13
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION ttytype=xterm-kitty
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION display=:0
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION xauthority=/home/ave/.Xauthority
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION lc-ctype=en_US.UTF-8
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION lc-messages=en_US.UTF-8
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- updatestartuptty
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- [eof]
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK Pleased to meet you, process 786711
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- RESET
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION ttyname=/dev/pts/13
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION ttytype=xterm-kitty
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION display=:0
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION xauthority=/home/ave/.Xauthority
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION lc-ctype=en_US.UTF-8
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION lc-messages=en_US.UTF-8
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- updatestartuptty
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- [eof]

(I have accidentally opened a new shell, so you will see [an irrelevant] updatestartuptty in the end)

gpg-agent.conf on remote:

    enable-ssh-support
    default-cache-ttl 60
    max-cache-ttl 120
    verbose
    debug-level advanced
    log-file /home/ave/.gnupg/gpg-agent.log


scdaemon.log on remote: absent

scdaemon.conf on remote:

    pcsc-driver /usr/lib/libpcsclite.so
    card-timeout 5
    disable-ccid
    verbose
    debug-level advanced
    log-file /home/ave/.gnupg/scdaemon.log


gpg.conf on remote:

    personal-cipher-preferences AES256 AES192 AES
    personal-digest-preferences SHA512 SHA384 SHA256
    personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
    default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
    cert-digest-algo SHA512
    s2k-digest-algo SHA512
    s2k-cipher-algo AES256
    charset utf-8
    fixed-list-mode
    no-comments
    no-emit-version
    no-greeting
    keyid-format 0xlong
    list-options show-uid-validity
    verify-options show-uid-validity
    with-fingerprint
    require-cross-certification
    no-symkey-cache
    use-agent
    throw-keyids


.zshrc on remote:

    export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"
    export GPG_TTY=$(tty)
    gpgconf --create-socketdir
    gpg-connect-agent updatestartuptty /bye >/dev/null



gpg-agent.log on local:

2020-09-03 00:05:30 gpg-agent[12992] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent'
2020-09-03 00:05:30 gpg-agent[12992] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.extra'
2020-09-03 00:05:30 gpg-agent[12992] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.browser'
2020-09-03 00:05:30 gpg-agent[12992] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.ssh'
2020-09-03 00:05:30 gpg-agent[12992] gpg-agent (GnuPG) 2.2.22 started
2020-09-03 00:05:30 gpg-agent[12992] putty message loop thread started
2020-09-03 00:05:30 gpg-agent[12992] DBG: chan_0x00000294 -> OK Pleased to meet you
2020-09-03 00:05:30 gpg-agent[12992] DBG: chan_0x00000294 <- RESET
2020-09-03 00:05:30 gpg-agent[12992] DBG: chan_0x00000294 -> OK
2020-09-03 00:05:30 gpg-agent[12992] DBG: chan_0x00000294 <- [eof]
2020-09-03 00:05:35 gpg-agent[12992] DBG: chan_0x00000274 -> OK Pleased to meet you
2020-09-03 00:05:35 gpg-agent[12992] DBG: chan_0x00000274 <- RESET
2020-09-03 00:05:35 gpg-agent[12992] DBG: chan_0x00000274 -> OK
2020-09-03 00:05:35 gpg-agent[12992] DBG: chan_0x00000274 <- [eof]
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 -> OK Pleased to meet you
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 <- GETINFO pid
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 -> D 12992
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 -> OK
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 <- BYE
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 -> OK closing connection
2020-09-03 00:07:01 gpg-agent[12992] DBG: chan_0x000002b8 -> OK Pleased to meet you
2020-09-03 00:07:01 gpg-agent[12992] DBG: chan_0x000002b8 <- RESET
2020-09-03 00:07:01 gpg-agent[12992] DBG: chan_0x000002b8 -> OK
2020-09-03 00:07:01 gpg-agent[12992] DBG: chan_0x000002b8 <- [eof]
2020-09-03 00:07:09 gpg-agent[12992] DBG: chan_0x00000298 -> OK Pleased to meet you
2020-09-03 00:07:09 gpg-agent[12992] DBG: chan_0x00000298 <- RESET
2020-09-03 00:07:09 gpg-agent[12992] DBG: chan_0x00000298 -> OK
2020-09-03 00:07:09 gpg-agent[12992] DBG: chan_0x00000298 <- [eof]
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 -> OK Pleased to meet you
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 <- GETINFO pid
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 -> D 12992
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 -> OK
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 <- BYE
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 -> OK closing connection
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c -> OK Pleased to meet you
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c <- GETINFO pid
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c -> D 12992
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c -> OK
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c <- BYE
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c -> OK closing connection
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 -> OK Pleased to meet you
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 <- RESET
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 -> OK
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 <- NOP
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 -> OK
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 <- [eof]
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map file 'WSLPageantRequest'
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map handle 0x00000274
2020-09-03 00:08:56 gpg-agent[12992] DBG:           my sid: '<SID>'
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map file sid: '<SID>'
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh IPC buffer at 0x00670000
2020-09-03 00:08:56 gpg-agent[12992] ssh request handler for request_identities (11) started
2020-09-03 00:08:56 gpg-agent[12992] no running SCdaemon - starting it
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK GNU Privacy Guard's Smartcard server ready
2020-09-03 00:08:56 gpg-agent[12992] DBG: first connection to SCdaemon established
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> GETINFO socket_name
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- D C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: additional connections at 'C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon'
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> OPTION event-signal=0x00000290
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> SERIALNO
2020-09-03 00:08:56 gpg-agent[12992] SIGUSR2 received - updating card event counter
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S SERIALNO <SERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> GETINFO card_list
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S SERIALNO <SERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> SERIALNO --demand=<SERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S SERIALNO <SERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> GETATTR $AUTHKEYID
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S $AUTHKEYID OPENPGP.3
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> GETATTR SERIALNO
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S SERIALNO <SERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> READKEY OPENPGP.3
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_000002B8 <- [ 44 20 28 <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> ...(<XXX> byte(s) skipped) ]
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> GETATTR $DISPSERIALNO
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S $DISPSERIALNO <DISPSERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] ssh request handler for request_identities (11) ready
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> RESTART
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map file 'WSLPageantRequest'
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map handle 0x00000274
2020-09-03 00:08:56 gpg-agent[12992] DBG:           my sid: '<SID>'
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map file sid: '<SID>'
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh IPC buffer at 0x00670000
2020-09-03 00:08:56 gpg-agent[12992] ssh request handler for sign_request (13) started
2020-09-03 00:08:56 gpg-agent[12992] new connection to SCdaemon established (reusing)
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> SERIALNO --demand=<SERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S SERIALNO <SERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: detected card with S/N <SERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> SETDATA <XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> PKAUTH OPENPGP.3
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_000002B8 <- [ 49 4e 51 <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> ...(<XX> byte(s) skipped) ]
2020-09-03 00:08:56 gpg-agent[12992] starting a new PIN Entry
2020-09-03 00:08:56 gpg-agent[12992] DBG: connection to PIN entry established
2020-09-03 00:09:05 gpg-agent[12992] DBG: chan_000002B8 -> [ 44 20 7e <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> ...(<XX> byte(s) skipped) ]
2020-09-03 00:09:05 gpg-agent[12992] DBG: chan_0x000002b8 -> END
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_000002B8 <- [ 44 20 39 <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> ...(<XXX> byte(s) skipped) ]
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:09:08 gpg-agent[12992] ssh request handler for sign_request (13) ready
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x000002b8 -> RESTART
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> OK Pleased to meet you
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- RESET
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> OK
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- OPTION ttyname=/dev/pts/13
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- GETINFO restricted
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> OK
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- updatestartuptty
2020-09-03 00:09:08 gpg-agent[12992] command 'UPDATESTARTUPTTY' failed: Forbidden
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- [eof]
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK Pleased to meet you
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- RESET
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- OPTION ttyname=/dev/pts/13
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- GETINFO restricted
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- GETINFO version
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> D 2.2.22
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- OPTION allow-pinentry-notify
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- OPTION agent-awareness=2.1.0
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- SCD GETINFO version
2020-09-03 00:09:20 gpg-agent[12992] command 'SCD' failed: Forbidden
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- [eof]
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 -> OK Pleased to meet you
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 <- RESET
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 -> OK
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 <- GETINFO scd_running
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 -> OK
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 <- scd killscd
2020-09-03 00:09:32 gpg-agent[12992] new connection to SCdaemon established (reusing)
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x000002b8 -> killscd
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x000002b8 <- OK closing connection
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 -> OK
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 <- [eof]
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x000002b8 -> RESTART
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x000002b8 <- [eof]
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000328 -> OK Pleased to meet you
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000328 <- RESET
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000328 -> OK
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000328 <- KILLAGENT
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000328 -> OK closing connection
2020-09-03 00:09:32 gpg-agent[12992] secmem usage: 0/32768 bytes in 0 blocks


gpg-agent.conf on local:

    enable-ssh-support
    enable-putty-support
    default-cache-ttl 60
    max-cache-ttl 120
    verbose
    debug-level advanced
    log-file C:\Users\avemilia\AppData\Roaming\gnupg\gpg-agent.log


scdaemon.log on local:

2020-09-03 00:08:56 scdaemon[5332] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon'
2020-09-03 00:08:56 scdaemon[5332] handler for fd -1 started
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK GNU Privacy Guard's Smartcard server ready
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- GETINFO socket_name
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> D C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- OPTION event-signal=0x00000290
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- SERIALNO
2020-09-03 00:08:56 scdaemon[5332] detected reader 'Yubico Yubikey 4 OTP+U2F+CCID 0'
2020-09-03 00:08:56 scdaemon[5332] reader slot 0: not connected
2020-09-03 00:08:56 scdaemon[5332] reader slot 0: active protocol: T1
2020-09-03 00:08:56 scdaemon[5332] slot 0: ATR=[...]
2020-09-03 00:08:56 scdaemon[5332] AID: [...]
2020-09-03 00:08:56 scdaemon[5332] Historical Bytes: [...]
2020-09-03 00:08:56 scdaemon[5332] Version-2+ .....: yes
2020-09-03 00:08:56 scdaemon[5332] Extcap-v3 ......: no
2020-09-03 00:08:56 scdaemon[5332] Button .........: yes
2020-09-03 00:08:56 scdaemon[5332] SM-Support .....: no
2020-09-03 00:08:56 scdaemon[5332] Get-Challenge ..: no
2020-09-03 00:08:56 scdaemon[5332] Key-Import .....: yes
2020-09-03 00:08:56 scdaemon[5332] Change-Force-PW1: yes
2020-09-03 00:08:56 scdaemon[5332] Private-DOs ....: yes
2020-09-03 00:08:56 scdaemon[5332] Algo-Attr-Change: yes
2020-09-03 00:08:56 scdaemon[5332] Symmetric Crypto: no
2020-09-03 00:08:56 scdaemon[5332] KDF-Support ....: no
2020-09-03 00:08:56 scdaemon[5332] Max-Cert3-Len ..: 1216
2020-09-03 00:08:56 scdaemon[5332] Cmd-Chaining ...: yes
2020-09-03 00:08:56 scdaemon[5332] Ext-Lc-Le ......: no
2020-09-03 00:08:56 scdaemon[5332] Status-Indicator: 05
2020-09-03 00:08:56 scdaemon[5332] GnuPG-No-Sync ..: no
2020-09-03 00:08:56 scdaemon[5332] GnuPG-Def-PW2 ..: no
2020-09-03 00:08:56 scdaemon[5332] Key-Attr-sign ..: RSA, n=4096, e=17, fmt=std
2020-09-03 00:08:56 scdaemon[5332] Key-Attr-encr ..: RSA, n=4096, e=17, fmt=std
2020-09-03 00:08:56 scdaemon[5332] Key-Attr-auth ..: RSA, n=4096, e=17, fmt=std
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S SERIALNO <SERIALNO>
2020-09-03 00:08:56 scdaemon[5332] triggering event 0x00000290 (0x00000290) for client -1
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- GETINFO card_list
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S SERIALNO <SERIALNO>
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- SERIALNO --demand=<SERIALNO>
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S SERIALNO <SERIALNO>
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- GETATTR $AUTHKEYID
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S $AUTHKEYID OPENPGP.3
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- GETATTR SERIALNO
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S SERIALNO <SERIALNO>
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- READKEY OPENPGP.3
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_00000150 -> [ 44 20 28 <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> ...(<XXX> byte(s) skipped) ]
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- GETATTR $DISPSERIALNO
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S $DISPSERIALNO 000606330752
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- RESTART
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- SERIALNO --demand=<SERIALNO>
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S SERIALNO <SERIALNO>
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- SETDATA XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- PKAUTH OPENPGP.3
2020-09-03 00:08:56 scdaemon[5332] DBG: asking for PIN '||Please unlock the card%0A%0A
Number: XXXX XXXXXXXX%0AHolder: Ave Milia'
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_00000150 -> [ 49 4e 51 <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> ...(<XX> byte(s) skipped) ]
2020-09-03 00:09:05 scdaemon[5332] DBG: chan_00000150 <- [ 44 20 7e <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> ...(<XX> byte(s) skipped) ]
2020-09-03 00:09:05 scdaemon[5332] DBG: chan_0x00000150 <- END
2020-09-03 00:09:08 scdaemon[5332] operation auth result: Success
2020-09-03 00:09:08 scdaemon[5332] DBG: chan_00000150 -> [ 44 20 39 <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> ...(<XXX> byte(s) skipped) ]
2020-09-03 00:09:08 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:09:08 scdaemon[5332] DBG: chan_0x00000150 <- RESTART
2020-09-03 00:09:08 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:09:32 scdaemon[5332] DBG: chan_0x00000150 <- killscd
2020-09-03 00:09:32 scdaemon[5332] DBG: chan_0x00000150 -> OK closing connection


scdaemon.conf on local:

    card-timeout 5
    verbose
    debug-level advanced
    log-file C:\Users\avemilia\AppData\Roaming\gnupg\scdaemon.log


gpg.conf on local: identical to remote


If you need any additional logs, e.g. ssh -v, or certain lines unredacted, I can provide them as well.

To summarize the problem: I want to forward gpg-agent, got "forbidden" errors, tried additionally forwarding gpg-ssh-agent and the errors are still present. No more ideas how to fix it.


[0] <https://github.com/benpye/wsl-ssh-pageant>
[1] <https://dev.gnupg.org/T3883>
[2] <https://github.com/PowerShell/Win32-OpenSSH/issues/827>
[3] <https://github.com/BusyJay/gpg-bridge>
[4] <https://github.com/PowerShell/Win32-OpenSSH/issues/1564>
[5] <https://wiki.gnupg.org/AgentForwarding>
[6] <https://blog.alt255.com/post/gpg_forwarding/>
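
As an added example (not part of the original post, and not GnuPG code): a small Python parser run over lines copied from the local gpg-agent.log above. It groups the agent's Assuan traffic into client sessions and lists the commands the agent refused, which shows the forwarded session reporting restricted mode and being denied `OPTION ttyname`, `OPTION allow-pinentry-notify` and `SCD`. Assumptions: the function names are hypothetical, `GETINFO restricted` answering `OK` means the connection is restricted, and a libgpg-error value keeps its source in bits 24 to 30 and its code in the low 16 bits.

```python
import re

# Excerpt copied from the local gpg-agent.log in the post: the forwarded
# session (chan 0x2fc), then a local `gpgconf --kill all` session (chan 0x274).
SAMPLE_LOG = """\
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK Pleased to meet you
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- RESET
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- OPTION ttyname=/dev/pts/13
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- GETINFO restricted
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- GETINFO version
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> D 2.2.22
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- OPTION allow-pinentry-notify
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- OPTION agent-awareness=2.1.0
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- SCD GETINFO version
2020-09-03 00:09:20 gpg-agent[12992] command 'SCD' failed: Forbidden
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- [eof]
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 -> OK Pleased to meet you
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 <- RESET
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 -> OK
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 <- GETINFO scd_running
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 -> OK
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 <- scd killscd
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x000002b8 -> killscd
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x000002b8 <- OK closing connection
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 -> OK
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 <- [eof]
"""

# The log writes the same channel as chan_0x000002b8 and chan_000002B8.
LINE_RE = re.compile(r"DBG: chan_(?:0x)?([0-9A-Fa-f]+) (<-|->) (.*)$")


def decode_gpg_error(value):
    """Split a libgpg-error value into (source, code)."""
    return (value >> 24) & 0x7F, value & 0xFFFF


def client_sessions(log_text):
    """Group agent-side Assuan traffic into client sessions with refused commands."""
    active, sessions = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # non-protocol lines such as "command 'SCD' failed"
        chan, direction, body = int(m.group(1), 16), m.group(2), m.group(3)
        if direction == "->" and body.startswith("OK Pleased to meet you"):
            # The agent sends the greeting, so a client just connected here.
            active[chan] = {"chan": chan, "restricted": None, "last": None, "refused": []}
            sessions.append(active[chan])
            continue
        s = active.get(chan)
        if s is None:
            continue  # the agent is the client on this channel (scdaemon)
        if direction == "<-":
            if body == "[eof]":
                del active[chan]
            else:
                s["last"] = body  # command awaiting its OK/ERR
        elif body.startswith(("OK", "ERR")):
            ok = body.startswith("OK")
            if s["last"] == "GETINFO restricted":
                s["restricted"] = ok  # assumption: OK means restricted mode
            elif not ok:
                parts = body.split(" ", 2)
                text = parts[2] if len(parts) > 2 else ""
                s["refused"].append((s["last"], int(parts[1]), text))
            if body.startswith("OK closing connection"):
                active.pop(chan, None)  # session ended with BYE
    return sessions


if __name__ == "__main__":
    for s in client_sessions(SAMPLE_LOG):
        print(f"chan {s['chan']:#x} restricted={s['restricted']}")
        for cmd, number, text in s["refused"]:
            print(f"  refused: {cmd!r} -> {text} {decode_gpg_error(number)}")
```

Pointing `SAMPLE_LOG` at the full log file gives the same per-session view for every client that connected, including the earlier `updatestartuptty` attempt from the remote shell.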


