Why doesn't gpg-agent forwarding work?
Stephan Beck
stebe at mailbox.org
Wed Oct 19 00:21:00 CEST 2016
Hi Kevin,
Kevin Gallagher:
> Hi all,
>
> I've tried to get this working to no avail. I've consulted past postings
> to this list as well as various online references. Some people seem to
> have got this to work, but most seem to have trouble. I would appreciate
> any guidance or help anyone can offer.
>
> I want my gpg-agent to be shared with another host, specifically a
> Vagrant/VirtualBox virtual machine, via Unix socket forwarding, which is
> a feature that arrived with OpenSSH 6.7. I can get my gpg-agent's socket
> forwarded, and I can talk to it with gpg-connect-agent, and even obtain
> a list of keygrips for the keys residing on the local machine. However,
> the forwarded gpg-agent socket does not seem to interface with the GPG
> CLI utility, i.e. running `gpg2 --use-agent --list-keys` shows nothing.
Have you considered adding the debug flag to the command (--debug-level
expert)?
>
> This is important because I'm in the process of developing a
> deterministic build environment for a project, and many of us prefer to
> use smartcards or YubiKeys, so copying our secret keys into the VM is
> not an option. The ability to forward the local gpg-agent into the VM
> for signing operations would be very convenient.
>
> GPG version on host: 2.1.15 (Debian stretch)
> GPG version on VM: 2.0.26 (Debian jessie)
> Setting some environment variables in the VM does not help:
>
> GPG_AGENT_INFO=/home/vagrant/.gnupg/S.gpg-agent:0:1
> GPG_SOCK=/home/vagrant/.gnupg/S.gpg-agent
> GPG_TTY=/dev/pts/1
And if you'd try to add this to the VM's .bashrc file via ssh/scp
(assuming that the Vagrant's VM is headless and has a bash):

    if [ -f "${HOME}/.gpg-agent-info" ]; then
        . "${HOME}/.gpg-agent-info"
        export GPG_AGENT_INFO
        export SSH_AUTH_SOCK
        export SSH_AGENT_PID
    fi

Wouldn't that start the "target shell" (forcibly) with the agent being
fired up and all ready for sshing?
Cheers
Stephan
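
An added diagnostic for the setup discussed in this thread, not part of the original messages: run inside the VM, it reports which agent socket the installed gpg2 looks for and compares the keygrips visible through the agent with the public keys in the VM's own keyring. The function names are hypothetical; it assumes GnuPG up to 2.0.x reads GPG_AGENT_INFO while 2.1 and later use the socket reported by gpgconf.

```shell
#!/bin/sh
# Added example, not from the original thread: checks on the VM side of a
# forwarded gpg-agent socket. Function names are hypothetical.

# GnuPG up to 2.0.x finds the agent through GPG_AGENT_INFO; 2.1 and later
# ignore that variable and use the socket location reported by gpgconf.
uses_agent_info() {            # $1 = version string, e.g. 2.0.26
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -eq 0 ]; }
}

# Split "socket:pid:protocol" and print the socket path; fail on a malformed value.
agent_info_socket() {          # $1 = value of GPG_AGENT_INFO
    proto=${1##*:}; rest=${1%:*}
    pid=${rest##*:}; sock=${rest%:*}
    [ "$rest" != "$1" ] && [ "$sock" != "$rest" ] || return 1
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    [ "$proto" = 1 ] || return 1
    printf '%s\n' "$sock"
}

diagnose() {
    ver=$(gpg2 --version 2>/dev/null | sed -n '1s/.* //p')
    echo "gpg2 version: ${ver:-unknown}"
    if [ -n "$ver" ] && uses_agent_info "$ver"; then
        sock=$(agent_info_socket "${GPG_AGENT_INFO:-}") ||
            { echo "GPG_AGENT_INFO is unset or malformed"; return 0; }
    else
        sock=$(gpgconf --list-dirs 2>/dev/null | sed -n 's/^agent-socket://p')
    fi
    if [ -S "$sock" ]; then echo "socket present: $sock"
    else echo "not a socket: $sock"; fi
    # The agent holds secret keys only; --list-keys reads the local public keyring.
    grips=$(gpg-connect-agent 'keyinfo --list' /bye 2>/dev/null | grep -c '^S KEYINFO' || true)
    pubs=$(gpg2 --list-keys --with-colons 2>/dev/null | grep -c '^pub' || true)
    echo "keygrips visible through agent: $grips; public keys in this keyring: $pubs"
}

# Run the checks only where gpg2 is installed.
if command -v gpg2 >/dev/null 2>&1; then diagnose; fi
```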