Hi Neil--

On 07/08/2013 07:07 AM, Neil Roberts wrote:
> Both machines are trusted personal machines so I can put the keys on
> either (or both).

cool, this makes it a little bit easier.

> I think what would be ideal is if OpenSSH could
> support gpg-agent forwarding like it does for ssh-agent.

Hm, interesting.  I bet we could figure out a way to do this with existing
OpenSSH without needing to patch anything, as long as you're willing to use
helper utilities like socat.

it came up on a blog post i made a while back about forwarding unix-domain
sockets over ssh:

  https://www.debian-administration.org/users/dkg/weblog/68

but no one offered an explicit recipe, and my examples there are for
forwarding a unix domain socket from the ssh client to the ssh server, which
i think is the reverse of what you're proposing.

I just did a little test, and got the following to work with a single
connection (a bit more tuning and you can probably make it work repeatedly):

on the remote server (i'll call it "xxx"), i did:

  mkdir ~/.sockets
  chmod 0700 ~/.sockets
  export GPG_AGENT_INFO=~/.sockets/S.gpg-agent:0:1

and on my local machine, i ran the following bash command (this is all one
command, sorry about the line wrap):

  socat EXEC:'ssh xxx socat UNIX-LISTEN\:.sockets/S.gpg-agent STDIO' UNIX:${GPG_AGENT_INFO%%:*}

then on the remote server, i created a secret key, and ran:

  echo test > test.txt
  gpg --clearsign test.txt

and was prompted by my local graphical gpg-agent.

note that this means that any passphrases cached by my local gpg-agent are
also visible to the account on the remote server, but in your scenario (you
control and trust both machines) that should be OK.

hth,

--dkg
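The "bit more tuning" the mail leaves open, as an added example that is not dkg's code: a POSIX sh wrapper around the same socat recipe that re-runs the pair after each connection, verifies the remote ~/.sockets directory is really 0700, and derives the local agent socket from GPG_AGENT_INFO as the mail does. It assumes the host name "xxx" and paths from the mail, socat's unlink-early option for UNIX-LISTEN, and gpgconf as a fallback for GnuPG 2.1+, which no longer sets GPG_AGENT_INFO.

```shell
#!/bin/sh
# Added example, not dkg's code: a wrapper around the socat recipe from the
# mail. It takes the local agent socket from GPG_AGENT_INFO the way the mail
# does (falling back to gpgconf for GnuPG >= 2.1, which no longer sets that
# variable), checks that the remote ~/.sockets directory really is 0700, and
# re-runs the socat pair after each connection so the forward survives more
# than one gpg invocation on the remote host ("xxx" in the mail).

# Turn "<socket path>:<pid>:<protocol>" into the socket path,
# i.e. the same thing as ${GPG_AGENT_INFO%%:*} in the mail.
agent_socket_from_info() {
    [ -n "$1" ] || return 1
    printf '%s\n' "${1%%:*}"
}

# Given one line of `ls -ld` output, succeed only when group and other have
# no permission bits at all (columns 5-10 read "------"). Parsing ls output
# instead of stat(1) keeps it portable between GNU and BSD userland.
perms_are_private() {
    [ "$(printf '%s\n' "$1" | cut -c5-10)" = "------" ]
}

forward_gpg_agent() {
    host=$1
    local_sock=$(agent_socket_from_info "${GPG_AGENT_INFO:-}") ||
        local_sock=$(gpgconf --list-dirs agent-socket 2>/dev/null)
    [ -S "$local_sock" ] || { echo "no local gpg-agent socket found" >&2; return 1; }

    # Same mkdir/chmod step as the mail, plus a check that it took effect
    # (mkdir -p leaves an existing, too-open directory untouched).
    remote_ls=$(ssh "$host" 'mkdir -p -m 0700 ~/.sockets && ls -ld ~/.sockets') || return 1
    perms_are_private "$remote_ls" || { echo "remote ~/.sockets is not 0700" >&2; return 1; }

    # The remote socat exits after serving one client, so start a fresh pair
    # each round. unlink-early removes a stale socket file left over from the
    # previous round; like the colon, the comma is escaped for socat's parser.
    # The agent stays reachable from the remote account until this is interrupted.
    while :; do
        socat EXEC:"ssh $host socat UNIX-LISTEN\\:.sockets/S.gpg-agent\\,unlink-early STDIO" \
              "UNIX-CONNECT:$local_sock" || return 1
    done
}

# Usage, on the local machine:  forward_gpg_agent xxx
# Then on xxx, as in the mail:  export GPG_AGENT_INFO=~/.sockets/S.gpg-agent:0:1
```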