Forwarding gpg-agent Over SSH
2021-12-27 | #git #gpg #unix #linux #ssh
Intro
Basic notes from setting up gpg-agent forwarding[1] between a macOS client and a Debian Linux remote system.
1: https://wiki.gnupg.org/AgentForwarding
Client System
Assuming the client system is running macOS, install gpg[2] and pinentry (the GPG passphrase prompt tool) using Homebrew[3].
Edit `~/.gnupg/gpg-agent.conf` and make sure that `${HOME}` is the full path to your user's home directory, e.g. `/Users/$USER`; this must match what is set up in `RemoteForward` later.
`~/.gnupg/gpg.conf` (where `$GPG_KEY` is the fingerprint of the GPG key to use)
Edit `~/.ssh/config` and set up a `RemoteForward`; this is important, since the forward is what lets the remote side communicate with the local agent over a socket. Make sure `$UID` and `$USER` are filled in for the remote and local system respectively, as they will differ depending on the OS and login.
Also double-check that the socket names in `~/.gnupg/gpg-agent.conf` and `~/.ssh/config` match.
`~/.ssh/config`
Remote System
Update `/etc/ssh/sshd_config` (or wherever your OS keeps it) to include `StreamLocalBindUnlink yes` and restart `sshd`. The OpenSSH manual page describes this option as follows:
Specifies whether to remove an existing Unix-domain socket file for local or remote port forwarding before creating a new one. If the socket file already exists and StreamLocalBindUnlink is not enabled, ssh will be unable to forward the port to the Unix-domain socket file. This option is only used for port forwarding to a Unix-domain socket file.
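The client-side setup above, written out as an added example rather than the post's own config: a POSIX shell script that derives both socket paths from the same two inputs (the absolute macOS home directory and the remote uid) and writes `gpg-agent.conf`, `gpg.conf` and the `~/.ssh/config` stanza from them, so the paths cannot drift apart. The host alias `devbox`, the uid `1000`, the home `/Users/alice` and the `pinentry-mac` path are constructed values, and the fingerprint is a placeholder to replace with your own key's.

```shell
#!/bin/sh
# Added example (not from the original post): generate the client-side pieces of a
# gpg-agent forward so the socket paths agree across all three files.
# Assumed inputs: LOCAL_HOME is the absolute macOS home directory, REMOTE_UID the
# numeric uid of the login user on the Debian host, HOST an ssh alias, and
# PINENTRY the pinentry binary Homebrew installed (pinentry-mac is assumed here).
set -eu

# Socket paths. The client forwards its *restricted* extra socket; on the remote,
# gpg looks for its agent under the systemd runtime directory of that uid.
local_extra_socket()  { printf '%s/.gnupg/S.gpg-agent.extra\n' "$1"; }
remote_agent_socket() { printf '/run/user/%s/gnupg/S.gpg-agent\n' "$1"; }

# The ssh_config line: RemoteForward <remote socket> <local socket>, both absolute
# (no ~ or $HOME, which is why the post insists on the full path).
remote_forward_line() {
  printf 'RemoteForward %s %s\n' "$(remote_agent_socket "$2")" "$(local_extra_socket "$1")"
}

# Append a line to a file only if it is not already present verbatim (idempotent).
append_once() {
  file=$1; line=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# write_client_config OUTROOT LOCAL_HOME REMOTE_UID HOST FINGERPRINT PINENTRY
# OUTROOT is where the dotfiles are written (normally LOCAL_HOME itself; kept
# separate so the script can be exercised against a scratch directory).
write_client_config() {
  out=$1; home=$2; uid=$3; host=$4; fpr=$5; pinentry=$6
  mkdir -p "$out/.gnupg" "$out/.ssh"
  chmod 700 "$out/.gnupg" "$out/.ssh"

  # ~/.gnupg/gpg-agent.conf: prompt tool plus the extra socket at its full path
  append_once "$out/.gnupg/gpg-agent.conf" "pinentry-program $pinentry"
  append_once "$out/.gnupg/gpg-agent.conf" "extra-socket $(local_extra_socket "$home")"

  # ~/.gnupg/gpg.conf: the key the remote side will end up using
  append_once "$out/.gnupg/gpg.conf" "default-key $fpr"

  # ~/.ssh/config: forward only for this host, never globally
  append_once "$out/.ssh/config" "Host $host"
  append_once "$out/.ssh/config" "  $(remote_forward_line "$home" "$uid")"
  chmod 600 "$out/.ssh/config"
}

# Remote side: sshd must be allowed to replace a stale socket file.
remote_sshd_line() { printf 'StreamLocalBindUnlink yes\n'; }

# Usage with constructed values: sh setup-gpg-forward.sh devbox 1000 <FINGERPRINT>
# Writes nothing unless all three arguments are given.
if [ $# -eq 3 ]; then
  write_client_config "$HOME" "$HOME" "$2" "$1" "$3" \
    "${PINENTRY:-$(command -v pinentry-mac || echo /opt/homebrew/bin/pinentry-mac)}"
  echo "now add '$(remote_sshd_line)' to /etc/ssh/sshd_config on $1 and restart sshd"
fi
```

The forwarded socket is deliberately the restricted `S.gpg-agent.extra` rather than `S.gpg-agent`: over it the remote host can request signatures and decryption, each still confirmed through pinentry on the Mac, but it cannot export the secret key. Anyone with root on the remote host can still use the key for as long as the session is open, which is why the forward is scoped to one `Host` stanza instead of being set for every connection.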
Troubleshooting gpg-agent
Sometimes `StreamLocalBindUnlink yes` doesn't work, and the client agent needs to be restarted and the sockets removed from the remote system,
Restart the agent on the client system,
Remove the socket on the remote system,
ssh back into the remote system and gpg-agent forwarding should work again.
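The three troubleshooting steps above as an added example (not the post's own commands), with one check the steps alone do not give you: before deleting the remote socket it finds out whether a gpg-agent of your own is running on the remote host, because in that case the remote agent, not sshd, owns the socket path and `StreamLocalBindUnlink` cannot help. The alias `devbox` and uid `1000` are constructed; `gpg-connect-agent --no-autostart /bye` is used as the connectivity check so that gpg does not quietly launch a remote agent that would mask a broken forward.

```shell
#!/bin/sh
# Added example (not from the original post): reset a gpg-agent forward that has
# stopped working. Assumed: HOST is the ssh alias carrying the RemoteForward,
# REMOTE_UID the uid of the remote login user.
set -eu

remote_agent_socket() { printf '/run/user/%s/gnupg/S.gpg-agent\n' "$1"; }

# Step 1, client side: restart the local agent so it recreates the extra socket.
restart_client_agent() {
  gpgconf --kill gpg-agent
  gpgconf --launch gpg-agent
  # ssh cannot forward a socket that does not exist locally
  test -S "$(gpgconf --list-dirs agent-extra-socket)"
}

# Shell snippet executed on the remote host for step 2. A gpg-agent process
# owned by the login user means the remote runs its own agent on that path;
# report it instead of silently deleting its socket.
remote_cleanup_script() {
  sock=$(remote_agent_socket "$1")
  cat <<EOF
if pgrep -u "\$(id -u)" -x gpg-agent >/dev/null; then
  echo "a local gpg-agent is running on the remote host; stop it before forwarding" >&2
  exit 2
fi
rm -f "$sock"
echo "removed $sock"
EOF
}

# Step 2, remote side: remove the stale socket.
clear_remote_socket() {
  remote_cleanup_script "$2" | ssh "$1" sh
}

# Step 3: a fresh session that must reach the forwarded agent. --no-autostart
# keeps gpg from starting a remote agent, which would create its own socket
# and hide the fact that the forward is still broken.
verify_forward() {
  ssh "$1" 'gpg-connect-agent --no-autostart /bye && echo forward-ok'
}

# Usage with constructed values: sh reset-gpg-forward.sh devbox 1000
if [ $# -eq 2 ]; then
  restart_client_agent
  clear_remote_socket "$1" "$2"
  verify_forward "$1"
fi
```

If the remote check reports a local agent, the usual cause on Debian is gpg-agent's systemd user socket units (`gpg-agent.socket`, `gpg-agent-extra.socket`, `gpg-agent-browser.socket`, `gpg-agent-ssh.socket`), which recreate the socket on demand; disable them with `systemctl --user disable --now` for that user before relying on the forward.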
References
- Remote gpg-agent Via ssh Forwarding[4]
4: https://web.archive.org/web/20190423113837/https://www.isi.edu/~calvin/gpgagent.htm