symmetric passphrase with remote (extra, restricted) gpg-agent

Marcin Wrochna mwrochna at gmail.com
Fri Feb 23 22:59:57 CET 2024


Hi!

I'm using gpg remotely over ssh by forwarding my local
agent-extra-socket as my remote's regular agent-socket. I use it with
a (local) nitrokey mostly without problems for signing: on the remote I
can use `gpg --sign`; it asks for the PIN with a GUI pinentry popping up
on my local desktop and even uses it with the local nitrokey card.

However, I cannot make `gpg --symmetric` encryption work on the remote,
as it tells me getting a passphrase is "Forbidden".
Is it possible at all?
I can't find any documentation about what is actually 'restricted' by
the restricted mode of the extra socket.
Or must I use two agents (one forwarded, one local to the remote), and
if so, is there any guide as to how to do that?
I don't care much about passphrase cache, I just want to encrypt a
file by entering a passphrase with whatever pinentry.

Thanks for any pointers,
Marcin

--- Logs -----
Local gpg version: 2.4.3, Remote gpg version: 2.2.27

Remote output:
```
$ gpg -vvv --symmetric tmp.txt
gpg: using character set 'utf-8'
gpg: connection to agent is in restricted mode
gpg: problem with the agent: Forbidden
gpg: error creating passphrase: Operation cancelled
gpg: symmetric encryption of 'tmp.txt' failed: Operation cancelled
```

Local gpg-agent logs when trying from remote:
```
2024-02-23 22:11:07 gpg-agent[132208] DBG: chan_10 -> OK Pleased to meet you, process 132243
<- RESET
-> OK
<- OPTION ttyname=/dev/pts/7
-> ERR 67109115 Forbidden <GPG Agent>
<- GETINFO restricted
-> OK
<- GETINFO version
-> D 2.4.3
-> OK
<- OPTION allow-pinentry-notify
-> ERR 67109115 Forbidden <GPG Agent>
<- OPTION agent-awareness=2.1.0
-> OK
<- GETINFO s2k_count
S2K calibration: 44149760 -> 101ms
-> D 44149760
-> OK
<- GETINFO cmd_has_option GET_PASSPHRASE repeat
-> OK
<- GETINFO cmd_has_option GET_PASSPHRASE newsymkey
-> OK
<- GET_PASSPHRASE --data --repeat=1 --check --newsymkey -- SE3EC318CC514D3C1 X X Enter+passphrase%0A
command 'GET_PASSPHRASE' failed: Forbidden
-> ERR 67109115 Forbidden <GPG Agent>
<- [eof]
```

Local gpg-agent logs when doing gpg --symmetric locally:
```
2024-02-23 22:44:48 gpg-agent[132208] DBG: chan_10 -> OK Pleased to meet you, process 134008
<- RESET
-> OK
<- OPTION ttyname=/dev/pts/7
-> OK
<- OPTION ttytype=xterm-256color
-> OK
<- OPTION display=:0
-> OK
<- OPTION xauthority=/run/user/1000/xauth_hZahio
-> OK
<- OPTION putenv=XMODIFIERS=@im=none
-> OK
<- OPTION putenv=WAYLAND_DISPLAY=wayland-0
-> OK
<- OPTION putenv=XDG_SESSION_TYPE=wayland
-> OK
<- OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
-> OK
<- OPTION lc-ctype=en_US.UTF-8
-> OK
<- OPTION lc-messages=en_US.UTF-8
-> OK
<- GETINFO version
-> D 2.4.3
-> OK
<- OPTION allow-pinentry-notify
-> OK
<- OPTION agent-awareness=2.1.0
-> OK
<- GETINFO s2k_count
-> D 44149760
-> OK
<- GETINFO cmd_has_option GET_PASSPHRASE repeat
-> OK
<- GETINFO cmd_has_option GET_PASSPHRASE newsymkey
-> OK
<- GET_PASSPHRASE --data --repeat=1 --check --newsymkey -- S545B95646F9BD365 X X Enter+passphrase%0A
agent_get_cache 'S545B95646F9BD365'.0 (mode 3) ...
... miss
starting a new PIN Entry
connection to PIN entry established
-> INQUIRE PINENTRY_LAUNCHED 134010 qt 1.2.1 /dev/pts/7 xterm-256color :0 20620/1000/5 1000/1000 0
<- END
starting a new PIN Entry
connection to PIN entry established
-> INQUIRE PINENTRY_LAUNCHED 134027 qt 1.2.1 /dev/pts/7 xterm-256color :0 20620/1000/5 1000/1000 0
<- END
agent_put_cache 'S545B95646F9BD365'.0 (mode 3) requested ttl=0
-> [[Confidential data not shown]]
-> OK
<- [eof]
```
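The agent logs above are Assuan exchanges, and the quickest way to see what a restricted connection actually refused is to parse them. The following is an added example, not code from the post or from GnuPG: it pairs each client request (`<-`) with the agent replies that answer it (`->`), flags the requests answered with `ERR ... Forbidden`, and decodes the numeric gpg-error value into its libgpg-error source and code (the source sits in bits 24..30, the code in the low 16 bits; 4 is gpg-agent and 251 is Forbidden, which is what the `<GPG Agent>` and `Forbidden` text on that line renders). The sample input is the restricted-mode log quoted above, re-joined where the mail client wrapped it.

```python
"""Summarise a gpg-agent Assuan debug log: which client requests did the agent
refuse with ERR ... Forbidden, and was the connection restricted?

Added example; not code from the post or from GnuPG."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the restricted-mode exchange quoted in the post,
# with the lines that the mail client wrapped joined back together.
RESTRICTED_LOG = """\
2024-02-23 22:11:07 gpg-agent[132208] DBG: chan_10 -> OK Pleased to meet you, process 132243
<- RESET
-> OK
<- OPTION ttyname=/dev/pts/7
-> ERR 67109115 Forbidden <GPG Agent>
<- GETINFO restricted
-> OK
<- GETINFO version
-> D 2.4.3
-> OK
<- OPTION allow-pinentry-notify
-> ERR 67109115 Forbidden <GPG Agent>
<- OPTION agent-awareness=2.1.0
-> OK
<- GETINFO s2k_count
S2K calibration: 44149760 -> 101ms
-> D 44149760
-> OK
<- GETINFO cmd_has_option GET_PASSPHRASE repeat
-> OK
<- GETINFO cmd_has_option GET_PASSPHRASE newsymkey
-> OK
<- GET_PASSPHRASE --data --repeat=1 --check --newsymkey -- SE3EC318CC514D3C1 X X Enter+passphrase%0A
command 'GET_PASSPHRASE' failed: Forbidden
-> ERR 67109115 Forbidden <GPG Agent>
<- [eof]
"""

# A protocol line is '<- request' (client to agent) or '-> reply' (agent to client).
# The first line carries a log prefix ending in 'chan_N '. Lines such as
# 'S2K calibration: 44149760 -> 101ms' are agent debug output, not traffic, and are skipped.
LINE_RE = re.compile(r"^(?:.*\bchan_\d+ )?(->|<-) (.*)$")

GPG_ERR_SOURCE_GPGAGENT = 4   # libgpg-error source id, rendered as '<GPG Agent>'
GPG_ERR_FORBIDDEN = 251       # libgpg-error code, rendered as 'Forbidden'


@dataclass
class Exchange:
    request: str                                      # full client command line
    replies: List[str] = field(default_factory=list)  # agent lines up to the final OK/ERR
    status: str = ""                                  # 'OK', 'ERR', or '' if the log ended first
    err_code: Optional[int] = None                    # numeric value from 'ERR <n> ...'

    @property
    def command(self) -> str:
        return self.request.split(" ", 1)[0]


def decode_gpg_error(value: int):
    """Split a libgpg-error value into (source, code)."""
    return (value >> 24) & 0x7F, value & 0xFFFF


def parse_exchanges(log: str) -> List[Exchange]:
    """Pair every client request with the agent replies that answer it."""
    exchanges: List[Exchange] = []
    current: Optional[Exchange] = None
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        direction, payload = m.groups()
        if direction == "<-":
            if payload == "[eof]":      # client closed the connection
                break
            current = Exchange(request=payload)
            exchanges.append(current)
        elif current is not None:       # the 'OK Pleased to meet you' greeting precedes any request
            current.replies.append(payload)
            if payload == "OK" or payload.startswith("OK "):
                current.status = "OK"
            elif payload.startswith("ERR "):
                current.status = "ERR"
                current.err_code = int(payload.split()[1])
    return exchanges


def forbidden_requests(log: str) -> List[str]:
    """Requests the agent answered with Forbidden from gpg-agent itself."""
    wanted = (GPG_ERR_SOURCE_GPGAGENT, GPG_ERR_FORBIDDEN)
    return [e.request for e in parse_exchanges(log)
            if e.status == "ERR" and decode_gpg_error(e.err_code) == wanted]


def is_restricted_connection(log: str) -> bool:
    """gpg probes with 'GETINFO restricted'; the agent answers OK only on a restricted connection."""
    return any(e.request == "GETINFO restricted" and e.status == "OK"
               for e in parse_exchanges(log))


if __name__ == "__main__":
    print("restricted connection:", is_restricted_connection(RESTRICTED_LOG))
    for e in parse_exchanges(RESTRICTED_LOG):
        print(f"{e.status or '??':3} {e.request}")
    print("forbidden:", [r.split(' ', 1)[0] for r in forbidden_requests(RESTRICTED_LOG)])
```

Run against the log above, the summary lists three refused requests: the two `OPTION` lines (tty name and pinentry notification) and the `GET_PASSPHRASE` itself, while the `GETINFO` probes all succeed, including `GETINFO restricted`, which is how gpg knows to print "connection to agent is in restricted mode".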
