
GPG Agent Forwarding


How to use your local private keys, and therefore your Yubikey, from a remote host while the secrets never leave your machine.

I am starting with a “new” VM (virtual machine) for this demo.

Remote: install the SSH server (if it is not already present).

sudo apt install openssh-server

Local: check that the SSH connection works.

ssh foopgp@192.168.122.209
...
$ echo hello > top-secret.txt
$ cat top-secret.txt
hello

Local: I add a host entry to ~/.ssh/config,

cat .ssh/config
host demo
    hostname 192.168.122.209
    User foopgp

Local: so that I can reconnect with just the alias.

ssh demo
...
$ cat top-secret.txt
hello

Remote: I import my public key. There are several ways to do this; for example, from a keyserver:

$ curl -s "https://keys.foopgp.org/pks/lookup?op=get&search=0x2C364630A2436D7E" \
| awk "/-----BEGIN PGP PUBLIC KEY BLOCK-----/,/-----END PGP PUBLIC KEY BLOCK-----/" \
| gpg --import

gpg: key 2C364630A2436D7E: 1 signature not checked due to a missing key
gpg: key 2C364630A2436D7E: public key "piseb <piseb@mailo.com> (udid4=D9SrwuxesuMU90PM8xypxQe_48.78_002.19)" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found

Remote: Obviously, only the public key is present on the remote; there is no secret key. This can be verified:

$ gpg --list-secret-keys
$ gpg --list-public-keys
...

Remote: I add “StreamLocalBindUnlink yes” to the SSH server configuration (here in a dedicated drop-in file) and restart the SSH service. Without this option, sshd refuses to bind the forwarded Unix socket whenever a stale socket file already exists at that path, which is exactly what happens once a gpg-agent has ever run on the remote:

sudo -i
echo "StreamLocalBindUnlink yes" > /etc/ssh/sshd_config.d/demo.conf
systemctl restart sshd.service

Remote: I check which socket the server’s gpg-agent uses; this is the path that gpg on the remote will connect to.

gpgconf --list-dir agent-socket

Local: I check the path of my local gpg-agent’s extra socket. This is the restricted socket GnuPG provides for remote use: it allows signing and decryption but not operations such as exporting keys or changing passphrases.

gpgconf --list-dir agent-extra-socket

Local: I return to my client configuration file and add a RemoteForward line built from the results of the two previous commands, remote path first and local path second, so that gpg on the remote actually talks to my local gpg-agent:

host demo
    hostname 192.168.122.209
    User foopgp
    RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra

Local: And now I can use my private key on the remote without it ever being there:

ssh demo
gpg --list-secret-keys
...

So I can sign, decrypt, etc. exactly as I would locally. The remote gpg sends each request through the forwarded socket, my local gpg-agent performs the private-key operation (on the Yubikey, if that is where the key lives), and any PIN or passphrase prompt appears on my own machine. The private key never leaves the local host, and the remote only ever reaches the restricted extra socket. Two practical caveats: the paths contain the UID (1000 above), so check them on each side rather than assuming they match; and if a gpg-agent is already running on the remote, it owns the socket path, so stop it with “gpgconf --kill gpg-agent” there (or put “no-autostart” in the remote gpg.conf) before reconnecting.
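The two easy mistakes in this setup are swapping the RemoteForward arguments and forwarding the local unrestricted socket (S.gpg-agent) instead of the restricted extra socket, which would hand the remote host the ability to export keys or change passphrases. The following POSIX shell helpers, added here as an example and not part of the original post, build the ~/.ssh/config stanza from the two gpgconf results and refuse both mistakes, and check that the effective sshd configuration (as printed by “sshd -T”) has StreamLocalBindUnlink enabled. The function names and the demo values are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical.
#
# Usage: gpg_forward_stanza HOST HOSTNAME USER REMOTE_AGENT_SOCKET LOCAL_EXTRA_SOCKET
#   REMOTE_AGENT_SOCKET: output of `gpgconf --list-dir agent-socket` run ON THE REMOTE
#   LOCAL_EXTRA_SOCKET:  output of `gpgconf --list-dir agent-extra-socket` run LOCALLY
# Prints a Host stanza for ~/.ssh/config, or returns non-zero if the sockets are wrong.
gpg_forward_stanza() {
    if [ $# -ne 5 ]; then
        echo "usage: gpg_forward_stanza HOST HOSTNAME USER REMOTE_SOCK LOCAL_EXTRA_SOCK" >&2
        return 2
    fi
    alias_name=$1 remote_host=$2 remote_user=$3 remote_sock=$4 local_sock=$5

    # RemoteForward takes the REMOTE path first. Remote gpg connects to the
    # agent's main socket, so that side must be .../S.gpg-agent (no suffix).
    case $remote_sock in
        */S.gpg-agent) ;;
        *) echo "error: remote side must be the agent socket .../S.gpg-agent, got: $remote_sock" >&2
           return 1 ;;
    esac

    # The LOCAL path must be the restricted extra socket. Forwarding the
    # regular S.gpg-agent would expose key export / passphrase changes to the remote.
    case $local_sock in
        */S.gpg-agent.extra) ;;
        *) echo "error: local side must be the restricted .../S.gpg-agent.extra, got: $local_sock" >&2
           return 1 ;;
    esac

    printf 'Host %s\n    HostName %s\n    User %s\n    RemoteForward %s %s\n' \
        "$alias_name" "$remote_host" "$remote_user" "$remote_sock" "$local_sock"
}

# Reads an sshd configuration on stdin and returns 0 only if StreamLocalBindUnlink
# is enabled. Keywords are case-insensitive, and `sshd -T` prints them lowercased,
# so this works on: ssh demo 'sudo sshd -T' | sshd_allows_unlink
sshd_allows_unlink() {
    grep -iqE '^[[:space:]]*StreamLocalBindUnlink[[:space:]]+yes([[:space:]]|$)'
}

# Demo with the values from the walkthrough above (same UID 1000 on both sides).
gpg_forward_stanza demo 192.168.122.209 foopgp \
    /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra
```

Redirect the printed stanza into ~/.ssh/config, then reconnect; on the remote, “gpg --list-secret-keys” should now show the key as usable even though no secret material was ever copied there.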

Sources: