Unable to RemoteForward Yubikey: gpg: error getting version from 'scdaemon': Forbidden
Ave Milia
avemilia at protonmail.com
Thu Sep 3 02:13:48 CEST 2020
I am trying to forward gpg-agent from Windows (local) to Linux (remote) in order to use Yubikey in full capacity on the remote. That means I am able to encrypt, decrypt, sign with the gpg key stored on the token, and use the ssh key stored on the token for authentication in the remote's environment.
On Windows I am using win32-openssh 8.0 and gpg 2.2.22, with two additional tools (described below). On Linux I am using openssh 8.3p1 and gpg 2.2.21.
[0] allows key-based SSH authentication to be used (it connects gpg-agent and pageant) when the SSH key is stored on Yubikey. It makes pinentry ask for the Yubikey PIN. SSH_AUTH_SOCK is set to "\\.\pipe\ssh-pageant" before launching the program. It is launched like so:
PS C:\Users\avemilia> wsl-ssh-pageant-amd64.exe --winssh ssh-pageant
2020/09/03 00:06:39 Listening on named pipe: \\.\pipe\ssh-pageant
and produces no errors. See [1][2] as tracking issues for this feature in gpg and win32-openssh.
[3] is a bridge between Unix sockets and TCP sockets, used both as a workaround for win32-openssh and gpg. Win32-openssh is unable to parse Windows paths in config and gpg is unable to communicate with Unix sockets. See [4] as the tracking issue for this feature in win32-openssh, and perhaps [1] for gpg. Two instances are launched like so:
PS C:\Users\avemilia> gpg-bridge.exe 127.0.0.1:<EXTRA_PORT> C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.extra
PS C:\Users\avemilia> gpg-bridge.exe 127.0.0.1:<SSH_PORT> C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.ssh
and produce no errors. Both ports are in high numbers, working as intended.
This is the session I attempt, following instructions from [5]:
PS C:\Users\avemilia> ssh pc
<BANNER>
Last login: Thu Sep 3 00:01:38 2020 from <LOCAL_IP>
gpg-connect-agent: connection to agent is in restricted mode
❯ gpg --card-status
gpg: error getting version from 'scdaemon': Forbidden
gpg: selecting card failed: Forbidden
gpg: OpenPGP card not available: Forbidden
❯
Connection to <REMOTE_IP> closed.
/etc/ssh/sshd_config on remote:
AllowUsers <USER>
Port <EXTRA_PORT>
ListenAddress <REMOTE_INTRANET_IP>
AddressFamily inet
Compression yes
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
LogLevel VERBOSE
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
UsePAM yes
AuthorizedKeysFile .ssh/authorized_keys
PrintMotd no # pam does that
Banner /etc/issue
StreamLocalBindUnlink yes
.ssh/config on local:
User <USER>
Host pc
Hostname <REMOTE_IP>
Port <REMOTE_PORT>
RemoteForward /run/user/1000/gnupg/S.gpg-agent 127.0.0.1:<EXTRA_PORT>
RemoteForward /run/user/1000/gnupg/S.gpg-agent.ssh 127.0.0.1:<SSH_PORT>
[5] does not mention ssh-agent forwarding, but googling about the "forbidden" problem yielded [6] which says: "If only forwarding the “extra” socket, you’ll receive these errors", which are the errors I receive.
Thus I added ssh socket, but it didn't work out. This is the current state of the problem and I am stuck :(
This is how I [re]start gpg on remote before SSH session and stop after to collect logs:
❯ systemctl --user stop gpg-agent-browser.socket gpg-agent-extra.socket gpg-agent-ssh.socket gpg-agent.socket gpg-agent.service dirmngr.socket dirmngr.service
❯ systemctl --user start gpg-agent-browser.socket gpg-agent-extra.socket gpg-agent-ssh.socket gpg-agent.socket gpg-agent.service dirmngr.socket dirmngr.service
❯ systemctl --user stop gpg-agent-browser.socket gpg-agent-extra.socket gpg-agent-ssh.socket gpg-agent.socket gpg-agent.service dirmngr.socket dirmngr.service
This is how I [re]start gpg on local before SSH session and stop after to collect logs:
PS C:\Users\avemilia> gpgconf --kill all
PS C:\Users\avemilia> gpgconf --launch all
PS C:\Users\avemilia> gpgconf --kill all
Below are logs and configs of gpg on local and remote in respect to these manipulations.
gpg-agent.log on remote:
2020-09-03 00:08:34 gpg-agent[785552] gpg-agent (GnuPG) 2.2.21 starting in supervised mode.
2020-09-03 00:08:34 gpg-agent[785552] using fd 3 for browser socket (/run/user/1000/gnupg/S.gpg-agent.browser)
2020-09-03 00:08:34 gpg-agent[785552] using fd 4 for extra socket (/run/user/1000/gnupg/S.gpg-agent.extra)
2020-09-03 00:08:34 gpg-agent[785552] using fd 5 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
2020-09-03 00:08:34 gpg-agent[785552] using fd 6 for std socket (/run/user/1000/gnupg/S.gpg-agent)
2020-09-03 00:08:34 gpg-agent[785552] listening on: std=6 extra=4 browser=3 ssh=5
2020-09-03 00:09:08 gpg-agent[785552] socket file has been removed - shutting down
2020-09-03 00:09:08 gpg-agent[785552] gpg-agent (GnuPG) 2.2.21 stopped
2020-09-03 00:15:58 gpg-agent[786612] listening on socket '/run/user/1000/gnupg/S.gpg-agent'
2020-09-03 00:15:58 gpg-agent[786612] listening on socket '/run/user/1000/gnupg/S.gpg-agent.extra'
2020-09-03 00:15:58 gpg-agent[786612] listening on socket '/run/user/1000/gnupg/S.gpg-agent.browser'
2020-09-03 00:15:58 gpg-agent[786612] listening on socket '/run/user/1000/gnupg/S.gpg-agent.ssh'
2020-09-03 00:15:58 gpg-agent[786613] gpg-agent (GnuPG) 2.2.21 started
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK Pleased to meet you, process 786610
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- RESET
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION ttyname=/dev/pts/13
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION ttytype=xterm-kitty
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION display=:0
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION xauthority=/home/ave/.Xauthority
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION lc-ctype=en_US.UTF-8
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION lc-messages=en_US.UTF-8
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- updatestartuptty
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- [eof]
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK Pleased to meet you, process 786711
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- RESET
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION ttyname=/dev/pts/13
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION ttytype=xterm-kitty
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION display=:0
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION xauthority=/home/ave/.Xauthority
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION lc-ctype=en_US.UTF-8
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION lc-messages=en_US.UTF-8
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- updatestartuptty
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- [eof]
(I have accidentally opened a new shell, so you will see [an irrelevant] updatestartuptty in the end)
gpg-agent.conf on remote:
enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
verbose
debug-level advanced
log-file /home/ave/.gnupg/gpg-agent.log
scdaemon.log on remote: absent
scdaemon.conf on remote:
pcsc-driver /usr/lib/libpcsclite.so
card-timeout 5
disable-ccid
verbose
debug-level advanced
log-file /home/ave/.gnupg/scdaemon.log
gpg.conf on remote:
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
fixed-list-mode
no-comments
no-emit-version
no-greeting
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
require-cross-certification
no-symkey-cache
use-agent
throw-keyids
.zshrc on remote:
export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"
export GPG_TTY=$(tty)
gpgconf --create-socketdir
gpg-connect-agent updatestartuptty /bye >/dev/null
gpg-agent.log on local:
2020-09-03 00:05:30 gpg-agent[12992] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent'
2020-09-03 00:05:30 gpg-agent[12992] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.extra'
2020-09-03 00:05:30 gpg-agent[12992] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.browser'
2020-09-03 00:05:30 gpg-agent[12992] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.ssh'
2020-09-03 00:05:30 gpg-agent[12992] gpg-agent (GnuPG) 2.2.22 started
2020-09-03 00:05:30 gpg-agent[12992] putty message loop thread started
2020-09-03 00:05:30 gpg-agent[12992] DBG: chan_0x00000294 -> OK Pleased to meet you
2020-09-03 00:05:30 gpg-agent[12992] DBG: chan_0x00000294 <- RESET
2020-09-03 00:05:30 gpg-agent[12992] DBG: chan_0x00000294 -> OK
2020-09-03 00:05:30 gpg-agent[12992] DBG: chan_0x00000294 <- [eof]
2020-09-03 00:05:35 gpg-agent[12992] DBG: chan_0x00000274 -> OK Pleased to meet you
2020-09-03 00:05:35 gpg-agent[12992] DBG: chan_0x00000274 <- RESET
2020-09-03 00:05:35 gpg-agent[12992] DBG: chan_0x00000274 -> OK
2020-09-03 00:05:35 gpg-agent[12992] DBG: chan_0x00000274 <- [eof]
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 -> OK Pleased to meet you
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 <- GETINFO pid
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 -> D 12992
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 -> OK
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 <- BYE
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 -> OK closing connection
2020-09-03 00:07:01 gpg-agent[12992] DBG: chan_0x000002b8 -> OK Pleased to meet you
2020-09-03 00:07:01 gpg-agent[12992] DBG: chan_0x000002b8 <- RESET
2020-09-03 00:07:01 gpg-agent[12992] DBG: chan_0x000002b8 -> OK
2020-09-03 00:07:01 gpg-agent[12992] DBG: chan_0x000002b8 <- [eof]
2020-09-03 00:07:09 gpg-agent[12992] DBG: chan_0x00000298 -> OK Pleased to meet you
2020-09-03 00:07:09 gpg-agent[12992] DBG: chan_0x00000298 <- RESET
2020-09-03 00:07:09 gpg-agent[12992] DBG: chan_0x00000298 -> OK
2020-09-03 00:07:09 gpg-agent[12992] DBG: chan_0x00000298 <- [eof]
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 -> OK Pleased to meet you
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 <- GETINFO pid
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 -> D 12992
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 -> OK
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 <- BYE
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 -> OK closing connection
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c -> OK Pleased to meet you
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c <- GETINFO pid
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c -> D 12992
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c -> OK
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c <- BYE
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c -> OK closing connection
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 -> OK Pleased to meet you
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 <- RESET
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 -> OK
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 <- NOP
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 -> OK
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 <- [eof]
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map file 'WSLPageantRequest'
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map handle 0x00000274
2020-09-03 00:08:56 gpg-agent[12992] DBG: my sid: '<SID>'
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map file sid: '<SID>'
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh IPC buffer at 0x00670000
2020-09-03 00:08:56 gpg-agent[12992] ssh request handler for request_identities (11) started
2020-09-03 00:08:56 gpg-agent[12992] no running SCdaemon - starting it
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK GNU Privacy Guard's Smartcard server ready
2020-09-03 00:08:56 gpg-agent[12992] DBG: first connection to SCdaemon established
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> GETINFO socket_name
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- D C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: additional connections at 'C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon'
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> OPTION event-signal=0x00000290
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> SERIALNO
2020-09-03 00:08:56 gpg-agent[12992] SIGUSR2 received - updating card event counter
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S SERIALNO <SERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> GETINFO card_list
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S SERIALNO <SERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> SERIALNO --demand=<SERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S SERIALNO <SERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> GETATTR $AUTHKEYID
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S $AUTHKEYID OPENPGP.3
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> GETATTR SERIALNO
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S SERIALNO <SERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> READKEY OPENPGP.3
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_000002B8 <- [ 44 20 28 <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> ...(<XXX> byte(s) skipped) ]
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> GETATTR $DISPSERIALNO
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S $DISPSERIALNO <DISPSERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] ssh request handler for request_identities (11) ready
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> RESTART
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map file 'WSLPageantRequest'
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map handle 0x00000274
2020-09-03 00:08:56 gpg-agent[12992] DBG: my sid: '<SID>'
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map file sid: '<SID>'
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh IPC buffer at 0x00670000
2020-09-03 00:08:56 gpg-agent[12992] ssh request handler for sign_request (13) started
2020-09-03 00:08:56 gpg-agent[12992] new connection to SCdaemon established (reusing)
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> SERIALNO --demand=<SERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S SERIALNO <SERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: detected card with S/N <SERIALNO>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> SETDATA <XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX>
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> PKAUTH OPENPGP.3
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_000002B8 <- [ 49 4e 51 <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> ...(<XX> byte(s) skipped) ]
2020-09-03 00:08:56 gpg-agent[12992] starting a new PIN Entry
2020-09-03 00:08:56 gpg-agent[12992] DBG: connection to PIN entry established
2020-09-03 00:09:05 gpg-agent[12992] DBG: chan_000002B8 -> [ 44 20 7e <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> ...(<XX> byte(s) skipped) ]
2020-09-03 00:09:05 gpg-agent[12992] DBG: chan_0x000002b8 -> END
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_000002B8 <- [ 44 20 39 <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> ...(<XXX> byte(s) skipped) ]
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:09:08 gpg-agent[12992] ssh request handler for sign_request (13) ready
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x000002b8 -> RESTART
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> OK Pleased to meet you
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- RESET
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> OK
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- OPTION ttyname=/dev/pts/13
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- GETINFO restricted
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> OK
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- updatestartuptty
2020-09-03 00:09:08 gpg-agent[12992] command 'UPDATESTARTUPTTY' failed: Forbidden
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- [eof]
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK Pleased to meet you
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- RESET
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- OPTION ttyname=/dev/pts/13
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- GETINFO restricted
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- GETINFO version
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> D 2.2.22
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- OPTION allow-pinentry-notify
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- OPTION agent-awareness=2.1.0
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- SCD GETINFO version
2020-09-03 00:09:20 gpg-agent[12992] command 'SCD' failed: Forbidden
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- [eof]
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 -> OK Pleased to meet you
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 <- RESET
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 -> OK
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 <- GETINFO scd_running
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 -> OK
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 <- scd killscd
2020-09-03 00:09:32 gpg-agent[12992] new connection to SCdaemon established (reusing)
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x000002b8 -> killscd
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x000002b8 <- OK closing connection
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 -> OK
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 <- [eof]
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x000002b8 -> RESTART
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x000002b8 <- [eof]
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000328 -> OK Pleased to meet you
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000328 <- RESET
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000328 -> OK
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000328 <- KILLAGENT
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000328 -> OK closing connection
2020-09-03 00:09:32 gpg-agent[12992] secmem usage: 0/32768 bytes in 0 blocks
gpg-agent.conf on local:
enable-ssh-support
enable-putty-support
default-cache-ttl 60
max-cache-ttl 120
verbose
debug-level advanced
log-file C:\Users\avemilia\AppData\Roaming\gnupg\gpg-agent.log
scdaemon.log on local:
2020-09-03 00:08:56 scdaemon[5332] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon'
2020-09-03 00:08:56 scdaemon[5332] handler for fd -1 started
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK GNU Privacy Guard's Smartcard server ready
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- GETINFO socket_name
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> D C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- OPTION event-signal=0x00000290
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- SERIALNO
2020-09-03 00:08:56 scdaemon[5332] detected reader 'Yubico Yubikey 4 OTP+U2F+CCID 0'
2020-09-03 00:08:56 scdaemon[5332] reader slot 0: not connected
2020-09-03 00:08:56 scdaemon[5332] reader slot 0: active protocol: T1
2020-09-03 00:08:56 scdaemon[5332] slot 0: ATR=[...]
2020-09-03 00:08:56 scdaemon[5332] AID: [...]
2020-09-03 00:08:56 scdaemon[5332] Historical Bytes: [...]
2020-09-03 00:08:56 scdaemon[5332] Version-2+ .....: yes
2020-09-03 00:08:56 scdaemon[5332] Extcap-v3 ......: no
2020-09-03 00:08:56 scdaemon[5332] Button .........: yes
2020-09-03 00:08:56 scdaemon[5332] SM-Support .....: no
2020-09-03 00:08:56 scdaemon[5332] Get-Challenge ..: no
2020-09-03 00:08:56 scdaemon[5332] Key-Import .....: yes
2020-09-03 00:08:56 scdaemon[5332] Change-Force-PW1: yes
2020-09-03 00:08:56 scdaemon[5332] Private-DOs ....: yes
2020-09-03 00:08:56 scdaemon[5332] Algo-Attr-Change: yes
2020-09-03 00:08:56 scdaemon[5332] Symmetric Crypto: no
2020-09-03 00:08:56 scdaemon[5332] KDF-Support ....: no
2020-09-03 00:08:56 scdaemon[5332] Max-Cert3-Len ..: 1216
2020-09-03 00:08:56 scdaemon[5332] Cmd-Chaining ...: yes
2020-09-03 00:08:56 scdaemon[5332] Ext-Lc-Le ......: no
2020-09-03 00:08:56 scdaemon[5332] Status-Indicator: 05
2020-09-03 00:08:56 scdaemon[5332] GnuPG-No-Sync ..: no
2020-09-03 00:08:56 scdaemon[5332] GnuPG-Def-PW2 ..: no
2020-09-03 00:08:56 scdaemon[5332] Key-Attr-sign ..: RSA, n=4096, e=17, fmt=std
2020-09-03 00:08:56 scdaemon[5332] Key-Attr-encr ..: RSA, n=4096, e=17, fmt=std
2020-09-03 00:08:56 scdaemon[5332] Key-Attr-auth ..: RSA, n=4096, e=17, fmt=std
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S SERIALNO <SERIALNO>
2020-09-03 00:08:56 scdaemon[5332] triggering event 0x00000290 (0x00000290) for client -1
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- GETINFO card_list
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S SERIALNO <SERIALNO>
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- SERIALNO --demand=<SERIALNO>
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S SERIALNO <SERIALNO>
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- GETATTR $AUTHKEYID
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S $AUTHKEYID OPENPGP.3
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- GETATTR SERIALNO
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S SERIALNO <SERIALNO>
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- READKEY OPENPGP.3
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_00000150 -> [ 44 20 28 <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> ...(<XXX> byte(s) skipped) ]
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- GETATTR $DISPSERIALNO
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S $DISPSERIALNO 000606330752
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- RESTART
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- SERIALNO --demand=<SERIALNO>
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S SERIALNO <SERIALNO>
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- SETDATA XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- PKAUTH OPENPGP.3
2020-09-03 00:08:56 scdaemon[5332] DBG: asking for PIN '||Please unlock the card%0A%0A
Number: XXXX XXXXXXXX%0AHolder: Ave Milia'
2020-09-03 00:08:56 scdaemon[5332] DBG: chan_00000150 -> [ 49 4e 51 <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> ...(<XX> byte(s) skipped) ]
2020-09-03 00:09:05 scdaemon[5332] DBG: chan_00000150 <- [ 44 20 7e <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> ...(<XX> byte(s) skipped) ]
2020-09-03 00:09:05 scdaemon[5332] DBG: chan_0x00000150 <- END
2020-09-03 00:09:08 scdaemon[5332] operation auth result: Success
2020-09-03 00:09:08 scdaemon[5332] DBG: chan_00000150 -> [ 44 20 39 <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> <XX> ...(<XXX> byte(s) skipped) ]
2020-09-03 00:09:08 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:09:08 scdaemon[5332] DBG: chan_0x00000150 <- RESTART
2020-09-03 00:09:08 scdaemon[5332] DBG: chan_0x00000150 -> OK
2020-09-03 00:09:32 scdaemon[5332] DBG: chan_0x00000150 <- killscd
2020-09-03 00:09:32 scdaemon[5332] DBG: chan_0x00000150 -> OK closing connection
scdaemon.conf on local:
card-timeout 5
verbose
debug-level advanced
log-file C:\Users\avemilia\AppData\Roaming\gnupg\scdaemon.log
gpg.conf on local: identical to remote
If you need any additional logs, e.g. ssh -v, or certain lines unredacted, I can provide them as well.
To summarize the problem: I want to forward gpg-agent, got "forbidden" errors, tried additionally forwarding gpg-ssh-agent and the errors are still present. I have no more ideas how to fix it.
[0] <https://github.com/benpye/wsl-ssh-pageant>
[1] <https://dev.gnupg.org/T3883>
[2] <https://github.com/PowerShell/Win32-OpenSSH/issues/827>
[3] <https://github.com/BusyJay/gpg-bridge>
[4] <https://github.com/PowerShell/Win32-OpenSSH/issues/1564>
[5] <https://wiki.gnupg.org/AgentForwarding>
[6] <https://blog.alt255.com/post/gpg_forwarding/>
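An added example, not part of the original post: a small parser for gpg-agent debug logs that pairs each command received on a channel with the agent's reply, and reports per channel whether `GETINFO restricted` returned OK and which commands were refused. The sample is copied from the local gpg-agent.log above; the function names are this example's own, and the error-value split (source in bits 24-30, code in the low 16 bits) follows libgpg-error's layout.

```python
import re

# Excerpt copied from the local gpg-agent.log in the post (two forwarded sessions).
SAMPLE_LOG = """\
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> OK Pleased to meet you
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- RESET
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> OK
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- OPTION ttyname=/dev/pts/13
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- GETINFO restricted
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> OK
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- updatestartuptty
2020-09-03 00:09:08 gpg-agent[12992] command 'UPDATESTARTUPTTY' failed: Forbidden
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- [eof]
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK Pleased to meet you
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- RESET
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- OPTION ttyname=/dev/pts/13
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- GETINFO restricted
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- GETINFO version
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> D 2.2.22
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- OPTION allow-pinentry-notify
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- OPTION agent-awareness=2.1.0
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- SCD GETINFO version
2020-09-03 00:09:20 gpg-agent[12992] command 'SCD' failed: Forbidden
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> ERR 67109115 Forbidden <GPG Agent>
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- [eof]
"""

# "<-" is what the agent received on the channel, "->" is what it sent.
# The log writes channel ids both as chan_0x000002b8 and chan_000002B8.
LINE_RE = re.compile(r"gpg-agent\[\d+\] DBG: chan_(?:0x)?([0-9a-fA-F]+) (<-|->) (.*)$")

# Bodies that are replies or hex dumps rather than commands; these show up after
# "<-" on channels where the agent itself is the client (its link to scdaemon).
NOT_A_COMMAND = ("OK", "ERR ", "D ", "S ", "[")


def decode_gpg_error(value):
    """Split a libgpg-error value into (source, code)."""
    return (value >> 24) & 0x7F, value & 0xFFFF


def analyse(log_text):
    """Return {channel: {"restricted": bool, "rejected": [(command, source, code)]}}."""
    report, pending = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # non-protocol lines such as "command 'SCD' failed: Forbidden"
        chan, direction, body = int(m.group(1), 16), m.group(2), m.group(3).strip()
        entry = report.setdefault(chan, {"restricted": False, "rejected": []})
        if direction == "<-":
            if not body.startswith(NOT_A_COMMAND):
                pending[chan] = body  # remember the command until its reply arrives
            continue
        command = pending.get(chan)
        if command is None:
            continue  # greeting, or a channel where the agent is the client
        if body.startswith("ERR "):
            entry["rejected"].append((command, *decode_gpg_error(int(body.split()[1]))))
            del pending[chan]
        elif body == "OK" or body.startswith("OK "):
            if command.upper() == "GETINFO RESTRICTED":
                entry["restricted"] = True  # the agent answers OK only in restricted mode
            del pending[chan]
        # "D ..." data lines keep the command pending until the closing OK/ERR
    return report


if __name__ == "__main__":
    for chan, info in analyse(SAMPLE_LOG).items():
        print(f"chan_0x{chan:08x} restricted={info['restricted']}")
        for command, source, code in info["rejected"]:
            print(f"  refused: {command} (source={source}, code={code})")
```
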