@samveen
Forked from TimJDFletcher/GNUPG_agent_forwarding.md
Last active August 26, 2024 05:35
GnuPG agent forwarding

Forward GnuPG agent from key-host to signing-host

On the signing host

Run gpg once as your user to create the directory structure:

gpg --list-keys

For headless systemd based hosts

Disable gpg-agent startup via systemd by masking the sockets:

sudo systemctl --global mask gpg-agent.service gpg-agent.socket gpg-agent-ssh.socket gpg-agent-extra.socket gpg-agent-browser.socket
killall gpg-agent

For interactive systemd hosts

If you want to keep the automatic start and stop of gpg-agent on the host, you need to do the following:

Create a file /etc/ssh/sshd_config.d/gpg-cleanup.conf containing the line:

StreamLocalBindUnlink yes

Add this line to your user's $HOME/.bashrc:

gpgconf --create-socketdir

On the key host

Add this line to the file $HOME/.gnupg/gpg-agent.conf:

extra-socket $HOME/.gnupg/S.gpg-agent.extra

Reload your current gpg-agent:

gpg-connect-agent reloadagent /bye

Edit $HOME/.ssh/config to forward the gpg-agent socket. Note that RemoteForward does not expand ssh config variables, so you need to write out both socket paths in full.

Forwarding from macOS to Linux:

host gpgtunnel
    hostname remotehost.example.com
    User yourusername
    RemoteForward /home/<user>/.gnupg/S.gpg-agent /Users/<user>/.gnupg/S.gpg-agent.extra

Forwarding from macOS to systemd-based Linux (use id -u on the remote system to find your UID):

host gpgtunnel
    hostname systemd-host.example.com
    User yourusername
    RemoteForward /run/user/<remote UID>/gnupg/S.gpg-agent /Users/<user>/.gnupg/S.gpg-agent.extra

Forwarding from one systemd-based Linux host to another (use id -u on both systems to find your UIDs):

host gpgtunnel
    hostname systemd-host.example.com
    User yourusername
    RemoteForward /run/user/<SIGN-HOST-UID>/gnupg/S.gpg-agent /run/user/<KEY-HOST-UID>/gnupg/S.gpg-agent.extra
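The three RemoteForward variants above, and the StreamLocalBindUnlink drop-in from the signing-host section, as an added shell example that is not part of this gist: socket_dir and remote_forward_line build the literal RemoteForward line for any key-host/signing-host pairing from the same paths the gist uses, and bind_unlink_enabled checks an sshd drop-in for the setting. Function names and the two sample drop-in files are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the gist. Builds the RemoteForward line for any
# key-host/signing-host pairing and checks an sshd drop-in for
# StreamLocalBindUnlink. Function names are hypothetical.

# socket_dir OS USER UID
# GnuPG socket directory for a host type, using the paths the gist uses.
# On a systemd host it is /run/user/<uid>/gnupg; elsewhere it is ~/.gnupg,
# written out literally because RemoteForward expands neither ~ nor %d.
socket_dir() {
    case "$1" in
        macos)   printf '/Users/%s/.gnupg' "$2" ;;
        linux)   printf '/home/%s/.gnupg' "$2" ;;
        systemd) printf '/run/user/%s/gnupg' "$3" ;;
        *)       echo "unknown host type: $1" >&2; return 1 ;;
    esac
}

# remote_forward_line SIGN_OS SIGN_USER SIGN_UID KEY_OS KEY_USER KEY_UID
# The remote side is the signing host's normal agent socket; the local side
# is the key host's extra socket, gpg-agent's restricted socket meant for
# forwarding, which accepts only a limited set of agent commands.
remote_forward_line() {
    sign_dir=$(socket_dir "$1" "$2" "$3") || return 1
    key_dir=$(socket_dir "$4" "$5" "$6") || return 1
    printf 'RemoteForward %s/S.gpg-agent %s/S.gpg-agent.extra\n' \
        "$sign_dir" "$key_dir"
}

# bind_unlink_enabled FILE
# Returns 0 if FILE sets "StreamLocalBindUnlink yes" (keyword matched
# case-insensitively, comment lines ignored). Without it, a stale socket
# left behind by a previous session makes sshd refuse the next forward.
bind_unlink_enabled() {
    awk 'tolower($1) == "streamlocalbindunlink" && $2 == "yes" { found = 1 }
         END { exit !found }' "$1"
}

# Constructed sample drop-ins standing in for
# /etc/ssh/sshd_config.d/gpg-cleanup.conf.
good_conf=$(mktemp); printf 'StreamLocalBindUnlink yes\n' > "$good_conf"
bad_conf=$(mktemp);  printf '# StreamLocalBindUnlink yes\n' > "$bad_conf"
trap 'rm -f "$good_conf" "$bad_conf"' EXIT

remote_forward_line systemd alice 1000 systemd alice 1000
remote_forward_line systemd alice 1000 macos alice 501
bind_unlink_enabled "$good_conf" && echo "drop-in enables StreamLocalBindUnlink"
```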

Additionally, for Linux-based key hosts, run the following (or add it to ~/.bashrc or the equivalent shell rc file):

$ export GPG_TTY=$(tty)
$ gpg-connect-agent updatestartuptty /bye

Copy the public half of your keys to the remote machine:

scp ~/.gnupg/pubring.kbx gpgtunnel:.gnupg/

You only need the public half of the key you are going to use; if you have that file handy, copy it over instead and run gpg --import mypublickey.pub on the signing host.

Local test

Now test that the gpg-agent works on the local machine:

echo "test" | gpg --encrypt -r "$MYKEYID"
echo "test" | gpg --encrypt -r "$MYKEYID" > output
gpg --decrypt output

Remote test

Now copy the file to the remote machine, ssh in, and decrypt it there:

scp output gpgtunnel:
ssh gpgtunnel
gpg --decrypt output

The remote gpg should be able to use your key through the gpg-agent running on the local machine.
