
GPG Agent SSH Forward Pinentry

Çağlar Arlı


I have GPG agent forwarding via SSH RemoteForward working, up to a point:

  • I can list my private and public keys on the remote host.

  • If I try to decrypt a file remotely, the PIN is prompted for but the text is stepped, garbled and the passphrase prompt echoes the passphrase (at least several random chars).

  • I can skip the forwarding, SSH to said remote host, start an agent, use the local keyring, and PIN entry works fine. Similarly, I can SSH from the remote host (VM) back into MacOS and the same local keyring PIN entry works.

  • It's only the forwarding that breaks PIN entry. I have exported $GPG_TTY and do gpg-connect-agent UPDATESTARTUPTTY /bye before SSH, so the prompt is in the correct tty. That part does work, as I've experimented with and without those vars.

Any help is greatly appreciated as I'm out of ideas. I found this question on Unix.SE with the exact same problem.

  • MacOS Catalina to CentOS 8.2.2004
  • GPG 2.2.9 on CentOS8
  • GPG 2.2.21 on MacOS installed via homebrew
  • Pinentry 1.1.0 on MacOS and CentOS8

102-182-155-35 :: ~ % cat .ssh/config
Match host * exec "gpg-connect-agent UPDATESTARTUPTTY /bye"
Host centos8.ephemeric.local centos8
  Hostname 192.168.99.57
  ForwardAgent yes
  StreamLocalBindUnlink yes
  RemoteForward /run/user/1000/gnupg/S.gpg-agent /Users/robert/.gnupg/S.gpg-agent.extra

102-182-155-35 :: ~ % cat .gnupg/gpg-agent.conf
pinentry-program /usr/local/bin/pinentry-tty
pinentry-timeout 10
debug-level guru
allow-preset-passphrase
default-cache-ttl 43200
default-cache-ttl-ssh 43200
max-cache-ttl 43200
max-cache-ttl-ssh 43200

centos8 :: ~ % gpg -d tmp/slobwashere.gpg
Note: Request from a remote site.

                                 Please enter the passphrase to unlock the OpenPGP secret key:
                                                                                              "Robert Gabriel (Slob) <ephemeric@icloud.com>"
   4096-bit RSA key, ID DC141A1E1314AB17,
                                         created 2018-07-23 (main key ID 458EF10593DA8C1D).

                                                                                           Passphrase:
                                                                                                       gpg: encrypted with 4096-bit RSA key, ID DC141A1E1314AB17, created 2018-07-23
      "Robert Gabriel (Slob) <ephemeric@icloud.com>"
gpg: public key decryption failed: Timeout
gpg: decryption failed: No secret key
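An added example, not part of the question above: a small POSIX sh lint that reads the ssh_config stanza and gpg-agent.conf exactly as posted (embedded here as constructed input so it runs offline) and prints the checks a reviewer would make before debugging the prompt itself. It confirms the forwarded local socket is the restricted S.gpg-agent.extra one (the "Note: Request from a remote site." line in the output shows gpg-agent did see the request on that restricted socket), that StreamLocalBindUnlink is set, and it flags two things worth knowing: ForwardAgent forwards the SSH agent, not gpg-agent, and a tty pinentry is started on the local terminal recorded by UPDATESTARTUPTTY, which is the terminal the ssh session is occupying. The function names and check wording are this example's own.

```shell
#!/bin/sh
# Added example (not the question author's code): lint a gpg-agent forwarding setup.
# Inputs are the question's own ~/.ssh/config stanza and gpg-agent.conf, embedded
# as constructed strings so the script runs offline. Function names are hypothetical.

# Constructed input: the Host stanza from ~/.ssh/config in the question.
SSH_STANZA='Host centos8.ephemeric.local centos8
  Hostname 192.168.99.57
  ForwardAgent yes
  StreamLocalBindUnlink yes
  RemoteForward /run/user/1000/gnupg/S.gpg-agent /Users/robert/.gnupg/S.gpg-agent.extra'

# Constructed input: gpg-agent.conf from the question.
AGENT_CONF='pinentry-program /usr/local/bin/pinentry-tty
pinentry-timeout 10
debug-level guru
allow-preset-passphrase
default-cache-ttl 43200'

# cfg_get KEY TEXT: print the value of the first line whose keyword is KEY
# (case-insensitive, as ssh_config keywords are); prints nothing if absent.
cfg_get() {
    printf '%s\n' "$2" | awk -v k="$1" '
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# lint_forwarding SSH_STANZA AGENT_CONF: one finding per line, prefixed
# ok:/warn:/note:. Returns 0 when no warn: line was produced.
lint_forwarding() {
    warns=0
    rf=$(cfg_get RemoteForward "$1")
    remote_sock=${rf%% *}
    local_sock=${rf#* }

    if [ -z "$rf" ]; then
        echo "warn: no RemoteForward line; nothing is forwarded"
        warns=$((warns + 1))
    else
        # The ".extra" socket exposes only gpg-agent's restricted command set to
        # the remote host (use keys, but no key export or passphrase change);
        # forwarding the full S.gpg-agent socket hands over the unrestricted agent.
        case $local_sock in
            *.extra) echo "ok: local side is the restricted extra socket ($local_sock)" ;;
            *) echo "warn: local side $local_sock is not the extra socket; use the path from 'gpgconf --list-dirs agent-extra-socket'"
               warns=$((warns + 1)) ;;
        esac
        # The remote path must be the socket the remote gpg looks for, i.e. the
        # output of 'gpgconf --list-dirs agent-socket' on the remote host.
        case $remote_sock in
            */S.gpg-agent) echo "ok: remote side $remote_sock has the standard name; confirm it equals 'gpgconf --list-dirs agent-socket' on the remote host" ;;
            *) echo "warn: remote side $remote_sock is not named S.gpg-agent; the remote gpg will not use it"
               warns=$((warns + 1)) ;;
        esac
    fi

    # Without StreamLocalBindUnlink a stale socket file on the remote host makes
    # the bind fail, and the remote gpg ends up talking to its own agent instead.
    case $(cfg_get StreamLocalBindUnlink "$1") in
        [Yy][Ee][Ss]) echo "ok: StreamLocalBindUnlink yes" ;;
        *) echo "warn: StreamLocalBindUnlink missing; a stale remote socket file blocks the forward"
           warns=$((warns + 1)) ;;
    esac

    # ForwardAgent forwards the ssh-agent connection, which gpg-agent forwarding
    # does not need; while connected, the remote host can sign with your SSH keys.
    case $(cfg_get ForwardAgent "$1") in
        [Yy][Ee][Ss]) echo "note: ForwardAgent yes is unrelated to gpg-agent forwarding and exposes the SSH agent to the remote host" ;;
    esac

    # A tty pinentry is run by the local gpg-agent on the terminal recorded by
    # UPDATESTARTUPTTY, which is the same terminal the ssh session is using.
    case $(cfg_get pinentry-program "$2") in
        *pinentry-tty|*pinentry-curses)
            echo "note: tty pinentry will prompt on the local terminal that ssh is occupying" ;;
    esac

    [ "$warns" -eq 0 ]
}

lint_forwarding "$SSH_STANZA" "$AGENT_CONF"
```

Run it as-is to lint the posted configuration; to lint your own, replace the two constructed strings with `cat ~/.ssh/config` and `cat ~/.gnupg/gpg-agent.conf` output. The exit status is non-zero only for warn: findings, so it can sit in a pre-connect hook without failing on the informational note: lines.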