On 12/04/2014 01:23 AM, Werner Koch wrote:
> On Tue, 11 Nov 2014 18:35, m...@monaco.cx said:
>> Does anyone have gpg-agent forwarding working with SSH's recent generic
>> socket forwarding? Does it still require socat on one end, because I've
>> only been able to specify a socket path on the left-hand side of the
>> forwarding specification
>
> Yes, it works for me. However, I tested it with the current development
> version of 2.1 which adds an extra feature:
>
>   --extra-socket NAME
>       Also listen on native gpg-agent connections on the given
>       socket. The intended use for this extra socket is to
>       setup a Unix domain socket forwarding from a remote
>       machine to this socket on the local machine. A gpg
>       running on the remote machine may then connect to the
>       local gpg-agent and use its private keys. This allows to
>       decrypt or sign data on a remote machine without exposing
>       the private keys to the remote machine.
>
> The documentation on how to use Unix domain sockets with ssh is a bit
> sparse. You probably want to use "-o StreamLocalBindUnlink=yes" when
> connecting to the remote host and you have to enable the forwarding
> features (look for Stream* options).
>
Hey, thanks for the info! Just to follow up, I was able to get it working with e.g.:

  ssh <host> \
    -R <remote-homedir>/.gnupg/S.gpg-agent:<local-homedir>/.gnupg/S.gpg-agent

However, this only works when the private material is in private-keys-v1.d; it doesn't work with a smartcard =/

-o StreamLocalBindUnlink doesn't work either. I need to remove the socket on the remote end manually.

And finally, I don't understand where --extra-socket comes into play here. In the 2.1.1 release notes, you say it supports a restricted command set. Is there a security risk, or is it just to prevent mistakes? Also, is the expected use then to forward S.gpg-agent on the remote end to e.g., S.gpg-agent-extra on the local, or should the remote end have a different name as well?

-Matt
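The setup the two messages above describe, written out as an added example (my own script, not code from the thread or from GnuPG). It assumes an OpenSSH with the StreamLocal* options, a gpg-agent that exposes the restricted "extra" socket, and that the remote gpg looks for its agent at S.gpg-agent under the remote GNUPPGHOME passed as an absolute path (on newer remotes, use whatever `gpgconf --list-dirs agent-socket` prints there instead). Two points it bakes in: for a -R forward the socket is bound by sshd, so `-o StreamLocalBindUnlink=yes` on the client only helps if the remote sshd_config also has `StreamLocalBindUnlink yes`, which is why the script removes a stale remote socket first; and the socket exported is the extra one, because it answers only the restricted command set (no key export or agent reconfiguration), which is what limits the damage a compromised remote host can do with the forwarded agent. The socket paths and host names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: forward the local gpg-agent to a remote
# host over OpenSSH Unix-domain-socket forwarding. Assumes OpenSSH with the
# StreamLocal* options and a gpg-agent offering an "extra" (restricted) socket.

# Local socket to export. Newer gpgconf can report the extra socket directly;
# otherwise fall back to the conventional file name under GNUPGHOME (assumed).
local_agent_socket() {
    sock=""
    if command -v gpgconf >/dev/null 2>&1; then
        sock=$(gpgconf --list-dirs agent-extra-socket 2>/dev/null || true)
    fi
    if [ -n "$sock" ]; then
        printf '%s\n' "$sock"
    else
        printf '%s\n' "${GNUPGHOME:-$HOME/.gnupg}/S.gpg-agent.extra"
    fi
}

# Where the remote gpg expects its agent: S.gpg-agent under its homedir.
# $1 = remote GNUPGHOME as an absolute path (sshd does not expand ~ here).
remote_agent_socket() {
    printf '%s/S.gpg-agent\n' "$1"
}

# The -R argument: remote socket path on the left, local path on the right.
# $1 = remote socket path, $2 = local socket path.
forward_spec() {
    printf '%s:%s\n' "$1" "$2"
}

# Open the session with the agent forwarded.
# $1 = host, $2 = remote GNUPGHOME (absolute), remaining args = remote command.
# Usage: forward_agent user@remote.example /home/user/.gnupg
forward_agent() {
    host=$1
    rhome=$2
    shift 2
    lsock=$(local_agent_socket)
    rsock=$(remote_agent_socket "$rhome")
    if [ ! -S "$lsock" ]; then
        echo "no local agent socket at $lsock (is gpg-agent running?)" >&2
        return 1
    fi
    # StreamLocalBindUnlink for -R is enforced by the remote sshd, so do not
    # rely on it: clear any stale socket left by an earlier session first.
    ssh "$host" "rm -f '$rsock'"
    ssh -o StreamLocalBindUnlink=yes \
        -R "$(forward_spec "$rsock" "$lsock")" \
        "$host" "$@"
}
```

Once connected, `gpg --card-status` or `gpg --sign` on the remote talks to the forwarded socket; if the remote still spawns its own agent, the forwarded socket was created at a path its gpg does not consult, so check the remote's `gpgconf --list-dirs agent-socket` and pass that directory as the second argument.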
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users