[PATCH 0/2] Prompting for the GPG password within Emacs
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Jul 8 04:44:23 PDT 2013
Hi Neil--
On 07/08/2013 07:07 AM, Neil Roberts wrote:
> Both machines are trusted personal machines so I can put the keys on
> either (or both).
cool, this makes it a little bit easier.
> I think what would be ideal is if OpenSSH could
> support gpg-agent forwarding like it does for ssh-agent.
Hm, interesting. I bet we could figure out a way to do this with
existing OpenSSH without needing to patch anything, as long as you're
willing to use helper utilities like socat.
it came up on a blog post i made a while back about forwarding
unix-domain sockets over ssh:
https://www.debian-administration.org/users/dkg/weblog/68
but no one offered an explicit recipe, and my examples there are for
forwarding a unix domain socket from the ssh client to the ssh server,
which i think is the reverse of what you're proposing.
I just did a little test, and got the following to work with a single
connection (a bit more tuning and you can probably make it work repeatedly):
on the remote server (i'll call it "xxx"), i did:
mkdir ~/.sockets
chmod 0700 ~/.sockets
export GPG_AGENT_INFO=~/.sockets/S.gpg-agent:0:1
and on my local machine, i ran the following bash command (this is all
one command, sorry about the line wrap):
socat \
  EXEC:'ssh xxx socat UNIX-LISTEN\:.sockets/S.gpg-agent STDIO' \
  UNIX:${GPG_AGENT_INFO%%:*}
then on the remote server, i created a secret key, and ran:
echo test > test.txt
gpg --clearsign test.txt
and was prompted by my local graphical gpg-agent.
note that this means that any passphrases cached by my local gpg-agent
are also visible to the account on the remote server, but in your
scenario (you control and trust both machines) that should be OK.
hth,
--dkg
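The recipe above, wrapped in a small POSIX sh script as an added example (not code from dkg's mail): it checks that the local agent socket exists, mirrors the 0700 directory setup on the remote side, and then runs the same one-connection socat/ssh relay. It assumes GPG_AGENT_INFO is set in the 2013 "path:pid:protocol" form, that ssh and socat are installed on both hosts, and that the remote shell still exports GPG_AGENT_INFO=~/.sockets/S.gpg-agent:0:1 as described; the host name "xxx" and the script name are placeholders.

```shell
#!/bin/sh
# Added example (not from dkg's mail): the recipe above as a script that
# checks the local agent socket first and mirrors the 0700 directory setup
# on the remote side. Assumptions: GPG_AGENT_INFO has the 2013
# "path:pid:protocol" form; ssh and socat are installed on both hosts; the
# remote shell still needs "export GPG_AGENT_INFO=~/.sockets/S.gpg-agent:0:1".
set -u

# "path:pid:protocol" -> "path" (same expansion as in the mail).
agent_socket_path() {
    printf '%s\n' "${1%%:*}"
}

# The local agent socket must exist and be a socket before we export it.
local_socket_ok() {
    [ -S "$1" ]
}

# Command run on the remote host over ssh: private socket directory, stale
# socket removed, then a one-shot listener relaying one client to stdio.
# The backslash before the colon stops socat (locally, inside EXEC:) from
# reading it as an address separator; ssh passes the rest to the remote shell.
remote_cmd() {
    printf '%s\n' 'mkdir -p ~/.sockets && chmod 0700 ~/.sockets && rm -f ~/.sockets/S.gpg-agent && socat UNIX-LISTEN\:.sockets/S.gpg-agent STDIO'
}

# Connect one remote gpg invocation to the local gpg-agent. Anything that can
# open the remote socket can use every passphrase the local agent has cached,
# which is why the directory is 0700 and only a trusted host should be used.
forward_gpg_agent() {
    host=$1
    sock=$(agent_socket_path "${GPG_AGENT_INFO:?GPG_AGENT_INFO is not set}")
    if ! local_socket_ok "$sock"; then
        echo "no gpg-agent socket at $sock" >&2
        return 1
    fi
    # EXEC: runs ssh directly (no local shell); ssh joins its arguments into
    # the remote command line. One connection per run, as in the mail.
    socat EXEC:"ssh $host $(remote_cmd)" UNIX-CONNECT:"$sock"
}

# Usage: ./gpg-agent-forward.sh xxx   (placeholder host name)
if [ -n "${1:-}" ]; then
    forward_gpg_agent "$1"
fi
```

With OpenSSH 6.7 or later, `ssh -R /remote/path:/local/path` forwards a Unix-domain socket directly and keeps it open for repeated connections, so socat is no longer needed for this.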