GPG Agent Forwarding

As already described in How to set up your YubiKey NEO, I use my YubiKey to authenticate SSH connections. In this article I explain how to set up GPG agent forwarding so that the YubiKey can also be used on remote systems.

Why?

If you often work on remote machines via SSH, you may occasionally want to use cryptographic functions such as encryption or digital signatures. An example of this is the creation of a signed commit for a git repository. It is not without reason that security experts advise against copying private keys to other machines. However, managing multiple keys (e.g. one key per machine you work on) is also complicated: you have to (or should) remember several different passwords for the different private keys. Especially when using hardware tokens such as the YubiKey, it is usually impossible to export the private key and then copy it to other machines if necessary. With agent forwarding, the private key stays on the local machine or token, and the remote machine only sends its requests to the local agent.

How to configure GPG Agent Forwarding

  1. Find out where the extra socket of the GPG agent is on your local system:
    $ gpgconf --list-dirs agent-extra-socket
    /run/user/1000/gnupg/S.gpg-agent.extra
  2. Find out where the agent socket is on the remote system:
    $ gpgconf --list-dirs agent-socket
    /run/user/1000/gnupg/S.gpg-agent
  3. Edit the SSH configuration in ~/.ssh/config on the local machine to forward the socket to the remote machine:
    Host remote
      RemoteForward <remote socket> <local socket>
  4. The public key that belongs to the private key on the YubiKey must also be present on the target system. For simplicity, we can copy the local collection of public keys to the remote machine (this overwrites an existing keyring there):
    $ scp ~/.gnupg/pubring.kbx remote:~/.gnupg/
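  5. Add the following configuration parameter to the SSH server configuration (/etc/ssh/sshd_config) on the remote machine, so that sshd replaces a socket file left over from a previous session instead of failing to bind: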
    StreamLocalBindUnlink yes

Now log out and log back in. From now on it should be possible to create signatures etc. with the private key of the YubiKey.

Troubleshooting

If you have problems, double check the paths for the sockets. In older versions, I often saw /home/user/.gnupg/S.gpg-agent for the default socket and /home/user/.gnupg/S.gpg-agent.extra for the extra socket.

Also, problems may occur if the GnuPG versions on the local and remote machines differ. You should therefore check that the versions are the same, or at least not too far apart.
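
One way to double-check the socket paths from steps 1 to 3 is to lint the RemoteForward line against them. This is an added example, not part of the original article; check_forward is a hypothetical helper, and the sample config is constructed from the paths shown above. It also flags forwarding of the main agent socket, since the extra socket is the one gpg-agent restricts for remote use.

```shell
#!/bin/sh
# check_forward REMOTE_AGENT_SOCKET LOCAL_EXTRA_SOCKET [SSH_CONFIG]   (hypothetical helper)
# Judges every RemoteForward line in the file; returns 0 only if one is correct.
check_forward() {
    remote_sock=$1
    local_extra=$2
    config=${3:-$HOME/.ssh/config}
    local_main=${local_extra%.extra}   # main agent socket next to the extra one
    status=1
    while read -r keyword first second _rest || [ -n "$keyword" ]; do
        # ssh_config keywords are case-insensitive
        case $(printf '%s' "$keyword" | tr '[:upper:]' '[:lower:]') in
            remoteforward) ;;
            *) continue ;;
        esac
        if [ "$first" = "$remote_sock" ] && [ "$second" = "$local_extra" ]; then
            echo "ok: remote $first -> local $second"
            status=0
        elif [ "$first" = "$local_extra" ] && [ "$second" = "$remote_sock" ]; then
            echo "swapped: the remote socket must come first"
        elif [ "$first" = "$remote_sock" ] && [ "$second" = "$local_main" ]; then
            echo "unrestricted: forwards the main agent socket instead of the extra socket"
        else
            echo "mismatch: $first $second"
        fi
    done < "$config"
    return "$status"
}

# Constructed sample using the paths from steps 1 and 2, arguments swapped.
sample=$(mktemp)
printf 'Host remote\n  RemoteForward %s %s\n' \
    /run/user/1000/gnupg/S.gpg-agent.extra /run/user/1000/gnupg/S.gpg-agent > "$sample"
check_forward /run/user/1000/gnupg/S.gpg-agent \
    /run/user/1000/gnupg/S.gpg-agent.extra "$sample" || echo "fix step 3 first"
rm -f "$sample"

# Real use on the local machine:
#   check_forward "$(ssh remote gpgconf --list-dirs agent-socket)" \
#                 "$(gpgconf --list-dirs agent-extra-socket)"
```

The helper checks every RemoteForward line in the file and does not distinguish between Host blocks.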
