SSH Key Forwarding and local GPG keys

When GPG keys are used locally on a machine, particularly keys held on smart cards or USB tokens such as an OpenPGP Card, a Nitrokey or a YubiKey, the profile usually contains something like

  SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
  export SSH_AUTH_SOCK

in the profile. This setting takes care to connect ssh for key handling with the gpg-agent.

If you also log in to such a machine via ssh with agent forwarding (ssh -A, or ForwardAgent yes) in order to use the key on the card attached to the client machine (the one you are sitting in front of), this setting hurts: sshd has already set SSH_AUTH_SOCK to the forwarded agent socket (something under /tmp/ssh-*/agent.*), and the profile then overwrites it with the local gpg-agent socket, so ssh on the remote host talks to the remote gpg-agent instead of the forwarded one and your card is no longer usable there. In that case the value injected by the ssh server must be kept.

So the lines above should be changed to

  # sshd sets SSH_CONNECTION for every ssh session; a local login does not have it
  if [ "$SSH_CONNECTION" = "" ]; then
    # local login: use the ssh socket of the local gpg-agent
    SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
    export SSH_AUTH_SOCK
  fi
  # ssh login: leave SSH_AUTH_SOCK as set by sshd (the forwarded agent, if any)

Now, when you log in locally, SSH_CONNECTION is not set and the profile sets SSH_AUTH_SOCK to the gpg-agent socket. When you log in via ssh, SSH_CONNECTION is set and SSH_AUTH_SOCK stays whatever sshd assigned to it: the forwarded agent socket if you connected with agent forwarding, or nothing if you did not. You can check which agent a shell is actually talking to with ssh-add -L; it lists the card key if the right socket is in use and fails to connect otherwise. Two things to keep in mind: SSH_CONNECTION only survives as long as the environment does, so a shell started with su - or sudo -i on the remote host will not see it and will pick the local socket again; and while the session with a forwarded agent is open, anyone who can reach the forwarded socket on the remote host (root there, in particular) can authenticate with your card, so forward the agent only to hosts you trust and, if the token supports it, require a physical touch per operation.
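The following is an added example, not code from the original page. It turns the profile snippet into small shell functions so the selection logic can be tested on its own, and it goes slightly beyond the page: the local socket path is taken from gpgconf instead of being hard-coded for uid 1000, and a remote login that did not forward an agent (SSH_CONNECTION set, SSH_AUTH_SOCK empty) falls back to the local gpg-agent socket, so a card plugged into the remote machine still works. The function names pick_auth_sock, local_gpg_ssh_sock and verify_agent and the sample socket paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the original page's code): choose the ssh agent socket
# depending on whether the shell was started by sshd.

# pick_auth_sock CURRENT_SOCK SSH_CONNECTION LOCAL_SOCK
# Prints the path that should be exported as SSH_AUTH_SOCK:
#  - ssh login with a forwarded agent: keep the socket sshd handed us
#  - ssh login without a forwarded agent, or local login: use the local
#    gpg-agent socket (the fallback is an addition to the page's snippet)
pick_auth_sock() {
    cur="$1"
    conn="$2"
    local_sock="$3"
    if [ -n "$conn" ] && [ -n "$cur" ]; then
        printf '%s\n' "$cur"
    else
        printf '%s\n' "$local_sock"
    fi
}

# local_gpg_ssh_sock
# Asks gpgconf for the ssh socket of the current user's gpg-agent; falls back
# to the conventional path under /run/user/<uid> if gpgconf is not installed.
local_gpg_ssh_sock() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-ssh-socket
    else
        printf '/run/user/%s/gnupg/S.gpg-agent.ssh\n' "$(id -u)"
    fi
}

# verify_agent
# Returns 0 if the agent behind SSH_AUTH_SOCK answers and lists at least one
# key, non-zero if it has no identities (1) or cannot be reached (2).
verify_agent() {
    ssh-add -L >/dev/null 2>&1
}

# Usage in ~/.profile (replaces the unconditional assignment):
#   SSH_AUTH_SOCK=$(pick_auth_sock "$SSH_AUTH_SOCK" "$SSH_CONNECTION" "$(local_gpg_ssh_sock)")
#   export SSH_AUTH_SOCK
#   verify_agent || echo "warning: no usable ssh agent behind $SSH_AUTH_SOCK" >&2
```

The warning from verify_agent is useful on the remote side: if it fires right after an ssh -A login, the forwarded socket was overwritten somewhere later in the login sequence (a shell rc file, su -, sudo -i), which is exactly the failure the page describes.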

knowledge/ssh_key_forwarding_and_local_gpg_keys.txt · Last modified: 2020/11/02 12:35 by wn
