<div dir="ltr"><div>Hi, <br></div><div><br></div><div>I spent quite some time trying to set up gpg agent forwarding between two machines (running Debian).</div><div>But I can't get this to work with the instructions from the gpg wiki.</div><div>My ssh config:</div><div><br></div><div><pre><code>Host debian-remote
Hostname 192.168.122.72
RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra
ExitOnForwardFailure yes</code></pre></div><div><br></div><div><pre><code>$ ssh -v -A debian-remote
...
debug1: Remote connections from /run/user/1000/gnupg/S.gpg-agent:-2 forwarded to local address /run/user/1000/gnupg/S.gpg-agent.extra:-2
debug1: ssh_init_forwarding: expecting replies for 1 forwards
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/debian/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/debian/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: remote forward success for: listen /run/user/1000/gnupg/S.gpg-agent:-2, connect /run/user/1000/gnupg/S.gpg-agent.extra:-2
debug1: forwarding_success: all expected forwarding replies received
debug1: Requesting authentication agent forwarding.
...
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Nov 3 18:45:13 2020 from 192.168.122.202
$
</code></pre></div><div>Looks OK, so far.</div><div><br></div><div><h2>Background</h2>
<p>I spent quite some time trying to solve this problem without success.
I have 2 Debian testing machines with GPG version:</p>
<pre><code>~$ gpg --version
gpg (GnuPG) 2.2.20
libgcrypt 1.8.6
</code></pre>
<p>GPG agent should be forwarded from one machine (local) to the other
(remote). On the local machine, I have the following settings:</p>
<pre><code>~$ cat .gnupg/gpg.conf
use-agent
pinentry-mode loopback
~$ cat .gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry
no-grab
default-cache-ttl 1800
enable-ssh-support
allow-loopback-pinentry
</code></pre>
<p>And also:</p>
<pre><code>Host debian-remote
Hostname 192.168.122.72
RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra
ExitOnForwardFailure yes
</code></pre>
<p>On the remote machine:</p>
<p>I set in <code>/etc/ssh/sshd_config</code>:</p>
<pre><code>StreamLocalBindUnlink yes
</code></pre>
<p>I copied over <code>pubring.kbx</code> with:</p>
<pre><code>scp .gnupg/pubring.kbx 192.168.122.72:/home/debian/.gnupg/
</code></pre>
<p>Finally, I created an encrypted file and copied it over:</p>
<pre><code>$ echo TEST | gpg --encrypt -r myUserId > out
$ scp out debian-remote:~/out
</code></pre>
<p>When I ssh to remote machine, I see the following:</p>
<pre><code>$ ssh -v -A debian-remote
...
debug1: Remote connections from /run/user/1000/gnupg/S.gpg-agent:-2 forwarded to local address /run/user/1000/gnupg/S.gpg-agent.extra:-2
debug1: ssh_init_forwarding: expecting replies for 1 forwards
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/debian/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/debian/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: remote forward success for: listen /run/user/1000/gnupg/S.gpg-agent:-2, connect /run/user/1000/gnupg/S.gpg-agent.extra:-2
debug1: forwarding_success: all expected forwarding replies received
debug1: Requesting authentication agent forwarding.
...
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Nov 3 18:45:13 2020 from 192.168.122.202
$
</code></pre>
<p>Seems OK so far.</p>
<p>However, I can't decrypt secrets using this agent:</p>
<pre><code>$ gpg --decrypt out
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 3 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: connect_next: host /run/user/1000/gnupg/S.gpg-agent.extra ([unix]:/run/user/1000/gnupg/S.gpg-agent.extra) in progress, fd=7
debug1: channel 1: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 1: connected to /run/user/1000/gnupg/S.gpg-agent.extra port -2
gpg: encrypted with 2048-bit RSA key, ID 268570EF8062F280, created 2013-11-23
...
gpg: public key decryption failed: Inappropriate ioctl for device
gpg: decryption failed: No secret key
</code></pre></div><div><br></div><div>When I forward the regular socket with:</div><div>
<pre><code>Host debian-remote
Hostname 192.168.122.72
RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent
ExitOnForwardFailure yes
</code></pre></div><div><br></div><div>I can decrypt secrets as expected. <br></div><div><p> However, I guess I should not be doing that.
Hence, I'm still struggling with what should be done to allow decrypting with the GPG agent and extra socket on remote hosts.</p>
<p>Oddly, the above settings for <code>gpg.conf</code> and <code>gpg-agent.conf</code> are taken <a href="https://d.sb/2016/11/gpg-inappropriate-ioctl-for-device-errors" rel="nofollow noreferrer">from the first result on DDG</a> for: gpg Inappropriate ioctl for device, but I still get this error.</p></div><div>I would appreciate any help here.</div><div><br></div><div>Best regards,</div><div>Oz<br></div><br></div>
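<p>As an added check, not part of Oz's post or of GnuPG's own tooling, this shell script compares the <code>RemoteForward</code> directive against the socket paths that <code>gpgconf --list-dirs</code> reports on each machine; the gpgconf output and ssh config text are constructed inline so it runs offline. It accepts the first configuration in the post and flags the second one, whose connect side is the unrestricted local <code>S.gpg-agent</code> rather than the restricted <code>S.gpg-agent.extra</code>.</p>

```shell
#!/bin/sh
# Added example, not from the original post. The listen path of RemoteForward
# must be the remote machine's agent-socket and the connect path must be the
# local machine's agent-extra-socket (the restricted one); connecting the
# remote to the local S.gpg-agent instead exposes the unrestricted agent.

# Constructed sample `gpgconf --list-dirs` output for both machines (uid 1000).
LOCAL_GPGCONF='agent-socket:/run/user/1000/gnupg/S.gpg-agent
agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra'
REMOTE_GPGCONF='agent-socket:/run/user/1000/gnupg/S.gpg-agent
agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra'

# Constructed ssh config block, as in the post.
SSH_CONFIG='Host debian-remote
Hostname 192.168.122.72
RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra
ExitOnForwardFailure yes'

# gpgconf_dir NAME OUTPUT -> value of NAME from gpgconf --list-dirs output
gpgconf_dir() {
    printf '%s\n' "$2" | awk -F: -v k="$1" '$1 == k { print $2 }'
}

# remote_forward CONFIG -> "LISTEN CONNECT" taken from the RemoteForward line
remote_forward() {
    printf '%s\n' "$1" | awk '$1 == "RemoteForward" { print $2, $3 }'
}

# check_forward "LISTEN CONNECT" LOCAL_OUT REMOTE_OUT
# Prints "ok" and returns 0 when both paths are right; otherwise returns 1.
check_forward() {
    listen=${1%% *}
    connect=${1#* }
    want_listen=$(gpgconf_dir agent-socket "$3")
    want_connect=$(gpgconf_dir agent-extra-socket "$2")
    if [ "$listen" != "$want_listen" ]; then
        echo "listen path $listen is not the remote agent-socket $want_listen"
        return 1
    fi
    if [ "$connect" != "$want_connect" ]; then
        echo "connect path $connect is not the restricted socket $want_connect"
        return 1
    fi
    echo ok
}

check_forward "$(remote_forward "$SSH_CONFIG")" "$LOCAL_GPGCONF" "$REMOTE_GPGCONF"
```

The script only validates paths; the posted <code>ssh -v</code> log already shows the forward itself succeeding, so a path mismatch is not what produces the decryption error above.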
<p>Oddly, the above settings for <code>gpg.conf</code> and <code>gpg-agent.conf</code> are taken <a href="https://d.sb/2016/11/gpg-inappropriate-ioctl-for-device-errors" rel="nofollow noreferrer">from the first result on DDG</a> for: gpg Inappropriate ioctl for device, but I still get this error.</p></div><div>I would appreciate any help here.</div><div><br></div><div>Best regards,</div><div>Oz<br></div><br></div>