Forward GnuPG agent from macOS to Linux
Run gpg once as your to create the directory structure
gpg --list-keys
Disable gpg-agent startup via systemd by masking the sockets:
sudo systemctl --global mask gpg-agent.service gpg-agent.socket gpg-agent-ssh.socket gpg-agent-extra.socket gpg-agent-browser.socket
killall gpg-agent
If you want to maintain the auto start and stop of gpg-agent on the host you need to do the following:
Edit /etc/ssh/sshd_config
to include the line:
StreamLocalBindUnlink yes
Add this line to your user's $HOME/.bashrc
:
gpgconf --create-socketdir
Add this line to the file: $HOME/.gnupg/gpg-agent.conf
extra-socket $HOME/.gnupg/S.gpg-agent.extra
Reload your current gpg-agent:
gpg-connect-agent reloadagent /bye
Edit $HOME/.ssh/config to forward the gpg-agent socket. Note this doesn't support ssh config variables so you need to use the full path.
Forwarding from macOS to Linux:
host gpgtunnel
hostname remotehost.example.com
User yourusername
RemoteForward /home/<user>/.gnupg/S.gpg-agent /Users/<user>/.gnupg/S.gpg-agent.extra
Forwarding from macOS to systemd based Linux, use id -u
on the remote system to find your UID:
host gpgtunnel
hostname systemd-host.example.com
User yourusername
RemoteForward /run/user/<remote UID>/gnupg/S.gpg-agent /Users/<user>/.gnupg/S.gpg-agent.extra
Copy the public half of your keys to the remote machine:
scp $HOME/.gnupg/pubring.gpg gpgtunnel:$HOME/.gnupg/
You only have to copy the public half of the private key you are going to use, if you have that handy you can just copy it over and then use gpg --import mypublickey.pub
Now test that the gpg-agent works on the local machine:
echo "test" | gpg --encrypt -r $MYKEYID
echo "test" | gpg --encrypt -r $MYKEYID > output
gpg --decrypt output
Now ssh to remote machine
scp output gpgtunnel:
ssh gpgtunnel
gpg --decrypt output
The gpg-agent should be able to use your authentication on the local machine.
This doesn't work from macos to ubuntu 18.04
because systemd has already bound the socket?