

gpg-agent forwarding

Search tags: pgp gpg remote gpg-agent gpg-agent forwarding.

Source:

local machine

Both the public and the secret key must be present on the local machine; the secret key never leaves it, the remote side only talks to the forwarded agent:

gpg --import user@example.com-public.asc
gpg --import user@example.com-secret.asc

Get the gpg-agent socket paths on the local and remote machines. On the local side use the restricted "extra" socket (S.gpg-agent.extra), which exposes only a subset of agent commands to the remote machine; on the remote side use the regular agent socket, which is the path remote gpg clients connect to:

$ gpgconf --list-dirs agent-extra-socket
/run/user/1000/gnupg/S.gpg-agent.extra
$ ssh remote gpgconf --list-dirs agent-socket
/run/user/1000/gnupg/S.gpg-agent

Edit the SSH user configuration and add socket forwarding for the remote host. RemoteForward takes the remote socket path first and the local socket path second; use the exact paths printed by gpgconf above, the UID 1000 in the paths is only an example and may differ between the two machines:

~/.ssh/config
Host remote
  RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra

remote machine

The public key must be imported on the remote machine (the secret key is not copied there):

gpg --import user@example.com-public.asc
 
gpg: key XXXXXXXXXXXXX: public key "User <user@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Modify the SSH server configuration on the remote machine so that sshd removes a stale socket file before binding the forwarded socket. Without this, a leftover S.gpg-agent from a previous session or from a locally started gpg-agent makes the bind fail, and ssh only prints a warning ("remote port forwarding failed for listen path ..."):

/etc/ssh/sshd_config
StreamLocalBindUnlink yes

and restart sshd (the unit is named ssh on Debian-based systems and sshd on most others):

systemctl restart ssh

usage

On the remote machine the local secret keys should now be listed through the forwarded agent (an empty list means the forward did not come up, usually because of a stale or occupied socket path, see above):

gpg --list-secret-keys

Sign a message. The passphrase prompt is shown by pinentry on the local machine, not on the remote one, because the private key material and the agent stay local:

echo TEXT | gpg -s
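The whole procedure above, as an added example that is not part of the original page: a small script that builds the Host block from gpgconf output, refuses to forward anything but the restricted extra socket, appends the block to ~/.ssh/config only if the host is not configured yet, and then checks from the remote side that secret keys are visible. The host name remote, the example socket paths under /run/user/1000 and the SSH_CONFIG override are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): configure and verify
# gpg-agent forwarding for one SSH host. Host name "remote" and the
# SSH_CONFIG override are assumptions made for this example.
set -eu

# Only the restricted socket S.gpg-agent.extra may be forwarded; the
# regular socket would give the remote machine the full agent command set.
is_extra_socket() {
  case "$1" in
    */S.gpg-agent.extra) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the ~/.ssh/config Host block.
# Arguments: host, remote agent socket, local extra socket.
# RemoteForward wants the remote path first, the local path second.
gpg_forward_block() {
  host=$1
  remote_sock=$2
  local_sock=$3
  if ! is_extra_socket "$local_sock"; then
    echo "refusing to forward unrestricted socket: $local_sock" >&2
    return 1
  fi
  printf 'Host %s\n  RemoteForward %s %s\n' "$host" "$remote_sock" "$local_sock"
}

# Query both sides with gpgconf and append the block unless a Host entry
# for that name already exists in the config file.
install_forward() {
  host=$1
  cfg=${SSH_CONFIG:-$HOME/.ssh/config}
  local_sock=$(gpgconf --list-dirs agent-extra-socket)
  remote_sock=$(ssh "$host" gpgconf --list-dirs agent-socket)
  if grep -qE "^Host[[:space:]]+$host\$" "$cfg" 2>/dev/null; then
    echo "Host $host is already configured in $cfg" >&2
    return 1
  fi
  gpg_forward_block "$host" "$remote_sock" "$local_sock" >> "$cfg"
}

# Open a connection (which establishes the forward) and check that the
# remote gpg lists at least one secret key via the forwarded agent.
verify_forward() {
  host=$1
  ssh "$host" 'gpg --list-secret-keys --with-colons' | grep -q '^sec:'
}

# Usage: ./gpg-forward.sh install remote
if [ "${1:-}" = install ]; then
  install_forward "${2:-remote}"
  verify_forward "${2:-remote}"
fi
```

Run it as ./gpg-forward.sh install remote after StreamLocalBindUnlink has been enabled on the remote sshd; if verify_forward fails, check the ssh output for the "remote port forwarding failed" warning and make sure the socket path on the remote side is not held by a locally started gpg-agent.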