Recipe: GPG-agent forwarding

This is heavily inspired by https://wiki.gnupg.org/AgentForwarding but is going to be friendlier

Setup

You need at least GnuPG 2.1.1 on both systems. To find out which one you have, simply run

%> gpg --version

For this recipe you also need OpenSSH >= 6.7. (If you have a version older than that refer to the wiki article mentioned above.) To find out which one you have, simply run

%> sshd --version

Put your key on the remote

Assuming you have a local private gpg key, run

%> gpg --armor --export <KEYNAME> > <FILENAME>

Then copy the public key to the remote host.

Then, on the remote host, import it into gpg.

%> gpg --import <FILENAME>

More on this here: https://www.gnupg.org/gph/en/manual/x56.html

gpg-agent forwarding configuration

On the local machine $HOME/.gnupg/gpg-agent.conf and add

extra-socket /home/<user>/.gnupg/S.gpg-agent.extra
enable-ssh-support

I am not quite certain the enable-ssh-support is actually required but it worked for me and I did not try without it.

On the local machine, run:

%> gpgconf --list-dir agent-extra-socket

This is the CLIENT_SOCKET.

On the remote, run:

%> gpgconf --list-dir agent-socket

This is the REMOTE_SOCKET.

Edit ~/.ssh/config (you can tweak HOST for your own usage)

HOST *
    StreamLocalBindUnlink yes
    RemoteForward <REMOTE_SOCKET> <LOCAL_SOCKET>

Test it

Connect to the remote server via ssh. Run:

%> gpg --no-autostart -K

You should see your key.

Troubleshooting

This has been very flaky in my case so I have to fiddle with it every now and then. (I doubt that StreamLocalBindUnlink is not getting the job done.)

On the remote, run:

%> gpg --no-autostart -K

If you get no output or “gpg: no gpg-agent running in this session”, then run:

%> gpgconf --launch gpg-agent
%> gpgconf --kill gpg-agent

Log out / login and try again. In my case it works then.

To further debug and make sure your ssh agent is creating the socket file on the remote host, run:

%> ls -l <REMOTE_SOCKET>

and see if the timestamp is the current time (assuming you just connected).

Leave a Reply