Mailing List Archive

How to make remote gpg talk to specific Unix socket (for forwarded local gpg-agent)
Hi,

I was wondering if you could give me a pointer.

I'm ssh'ing to a machine where I'm trying to run gpg, which I hope to
talk to the gpg-agent that's running on my local laptop, forwarded
through ssh.
I'm following the instructions at https://wiki.gnupg.org/AgentForwarding
but I don't know how to make gpg use a specific Unix socket to
communicate with my forwarded gpg-agent.

The problem is that there's already a gpg-agent running at the remote (I
think started by systemd or the X server), which I don't want to
disturb.  For my ssh connection, I try to create a new Unix domain
socket by using
    ssh -R /run/user/1000/gnupg/S.gpg-agent.remote:/Users/troy/.gnupg/S.gpg-agent.extra -o StreamLocalBindUnlink=yes -o ExitOnForwardFailure=yes

But then how do I make gpg use /run/user/1000/gnupg/S.gpg-agent.remote?
It seems that gpg uses gpgconf to figure out that path. And there's no
flag or envvar that I can use to override that (anymore).

The only thing I can think of is to specify a new --homedir so that the
socket is created elsewhere, and then I'd have to change the port
forwarding to reflect the dynamically-generated path which will look
something like /run/user/1000/gnupg/d.xhmoxiusfxtwuy8s69hkyxtc .  So
either I have to do two separate ssh calls or I have to use an expect
script to automate the addition of port forwarding on an existing
session.  Plus, now the homedir is different and all my files are in the
wrong place.

I hope I'm missing something obvious.  Thanks for any ideas.

I'm using:
- Ubuntu 22.04.1 LTS
- gpg (GnuPG) 2.2.27
- OpenSSH_8.9p1 Ubuntu-3ubuntu0.1, OpenSSL 3.0.2 15 Mar 2022

Troy
Re: How to make remote gpg talk to specific Unix socket (for forwarded local gpg-agent)
On Mon, 16 Jan 2023 07:56, Troy said:

> The problem is that there's already a gpg-agent running at the remote
> (I think started by systemd or the X server), which I don't want to
> disturb.  For my ssh connection, I try to create a new Unix domain

Don't run the gpg-agent for your account. I put

no-autostart

into ~/.gnupg/common.conf to avoid that any tools on the remote start
the gpg-agent. Of course you need to disable the systemd stuff to
autostart gpg-agent - using systemd for autostart is deprecated because
it creates races.

iirc, the wiki says that you should put

StreamLocalBindUnlink yes

into the sshd_config. I prefer to manually delete the socket using

ssh remote 'rm $(gpgconf -L agent-socket)'

if the connection does not work. I have this in ~/.ssh/config

Host remote
RemoteForward /run/user/1042/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra

(1042 is my uid on remote).

Then you just need to "ssh remote"

> - gpg (GnuPG) 2.2.27

Well, the single common option no-autostart is only available in stable
(since 2.3.8).


Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
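The procedure both messages describe (find the remote agent socket path, remove a stale socket, forward the local extra socket with ssh -R, confirm the agent answers) as one script. This is an added example, not code from either poster or from GnuPG; the host name "remote", the uids and every socket path in the test data are constructed for illustration, and it assumes gpgconf is on PATH on both ends. Unlike the one-liner in the thread, it derives the remote socket path from gpgconf on the remote side, so the remote uid is never hard-coded.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): forward a local gpg-agent "extra" socket
# to a remote host, deriving the remote socket path from gpgconf on the remote.
# Host name, uids and socket paths used below are assumptions for illustration.
set -eu

# Pull one entry out of "gpgconf --list-dirs" output, which is "name:value" per
# line. gpgconf percent-escapes values, so a colon in a path arrives as %3A;
# decode that case so the value is a usable path again. Reads stdin.
listdirs_value() {
  awk -F: -v name="$1" '$1 == name { v = $2; gsub(/%3[aA]/, ":", v); print v; exit }'
}

# A value that came back over ssh ends up in an rm and an ssh -R argument, so
# accept only what a per-user runtime socket path looks like: absolute, no "..",
# and only plain path characters (no spaces, quotes or shell metacharacters).
sane_socket_path() {
  case "$1" in
    /*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *..*) return 1 ;;
    *[!A-Za-z0-9/._-]*) return 1 ;;
  esac
  return 0
}

# The -R argument: the socket ssh should listen on remotely, then the local
# socket it should connect to (same order as RemoteForward in ssh_config).
remote_forward_spec() {
  printf '%s:%s' "$1" "$2"
}

# End-to-end: query both sides, clean up a stale remote socket, open the
# session with the forward, and make gpg-connect-agent prove the agent is
# reachable before handing over a shell. --no-autostart keeps a failed forward
# from silently starting a second agent on the remote.
forward_gpg_agent() {
  local host="$1"
  local local_extra remote_sock
  local_extra="$(gpgconf --list-dirs | listdirs_value agent-extra-socket)"
  # Single quotes: gpgconf must run on the remote, not expand locally.
  remote_sock="$(ssh "$host" 'gpgconf --list-dirs' | listdirs_value agent-socket)"
  if ! sane_socket_path "$remote_sock"; then
    echo "unexpected remote agent socket path: $remote_sock" >&2
    return 1
  fi
  ssh "$host" "rm -f -- '$remote_sock'"
  ssh -t -o ExitOnForwardFailure=yes -o StreamLocalBindUnlink=yes \
      -R "$(remote_forward_spec "$remote_sock" "$local_extra")" \
      "$host" 'gpg-connect-agent --no-autostart /bye && exec "$SHELL" -l'
}

# Usage: ./forward-gpg-agent.sh remote
if [ $# -gt 0 ]; then
  forward_gpg_agent "$1"
fi
```

The helpers are deliberately separate from the part that talks to the network, so the parsing and the path check can be exercised offline. Pairing this with no-autostart in the remote ~/.gnupg/common.conf, as the reply suggests, is what makes the --no-autostart probe meaningful: if the forward is missing, the check fails instead of a local agent quietly taking over the socket path.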