Forward GnuPG agent from macOS to Linux

# On the remote machine

Run gpg once as your user to create the directory structure:

```
gpg --list-keys
```

## For headless systemd based hosts

Disable gpg-agent startup via systemd by masking the units, otherwise the host's own socket-activated agent will take over the socket path you are about to forward:

```
sudo systemctl --global mask gpg-agent.service gpg-agent.socket gpg-agent-ssh.socket gpg-agent-extra.socket gpg-agent-browser.socket
killall gpg-agent
```

## For interactive systemd hosts

If you want to keep the auto start and stop of gpg-agent on the host, do the following instead.

Edit `/etc/ssh/sshd_config` to include the line below, so that sshd removes a stale `S.gpg-agent` socket left behind by a local agent before it binds the forwarded one:

```
StreamLocalBindUnlink yes
```

Add this line to your user's `$HOME/.bashrc` so the socket directory under `/run/user/` exists before ssh tries to bind the forwarded socket inside it:

```
gpgconf --create-socketdir
```

# On the local machine

Add this line to `$HOME/.gnupg/gpg-agent.conf`, writing the path out in full because gpg-agent.conf does not expand shell variables (replace `yourusername` with your macOS login; GnuPG 2.1.13 and later already create an extra socket by default, and `gpgconf --list-dirs agent-extra-socket` prints where it is):

```
extra-socket /Users/yourusername/.gnupg/S.gpg-agent.extra
```

Reload your current gpg-agent so it picks up the new socket:

```
gpg-connect-agent reloadagent /bye
```

Edit `$HOME/.ssh/config` to forward the gpg-agent socket. `RemoteForward` does not expand `~` or environment variables in either path, so write both out in full: the remote path is the main `S.gpg-agent` socket on the host, and the local path is the extra socket, never the main one. The extra socket talks to the agent in restricted mode, so a compromised remote host cannot export your secret keys or change their passphrases through it; it can still sign and decrypt with any key the agent holds, so only forward to hosts you trust and keep the passphrase cache timeout short.
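The two stanzas that follow differ only in where the remote agent socket lives, and both forwards must be absolute paths. The POSIX shell helper below is an added example, not part of the original note: it builds the stanza for either remote layout, rejects a forward that still relies on `~` or a `$` variable, and carries a check to run on the remote host once logged in. The host alias, host name, user names and UID are placeholders you supply; `gpgconf --list-dirs agent-socket` and `gpg-connect-agent 'getinfo version' /bye` are real GnuPG commands, everything else is the example's own.

```shell
#!/bin/sh
# Added example (not from the original note): build the ssh_config stanza
# for gpg-agent forwarding and check the result on the remote host.
# All host names, user names and UIDs are placeholders passed in by the caller.

# Main agent socket on the remote host. This is the path the forwarded socket
# must land on, so the remote gpg finds it without any extra configuration.
# Usage: remote_agent_socket RUSER RUID LAYOUT   (LAYOUT is systemd or home)
remote_agent_socket() {
  case "$3" in
    systemd) printf '/run/user/%s/gnupg/S.gpg-agent\n' "$2" ;;  # socketdir layout
    home)    printf '/home/%s/.gnupg/S.gpg-agent\n' "$1" ;;     # classic ~/.gnupg layout
    *)       echo "unknown layout: $3 (expected systemd or home)" >&2; return 1 ;;
  esac
}

# Local socket on macOS. Always the *extra* socket: it speaks to the agent in
# restricted mode, so the remote host cannot export keys or change passphrases.
local_extra_socket() {
  printf '/Users/%s/.gnupg/S.gpg-agent.extra\n' "$1"
}

# Emit the stanza. Usage: ssh_stanza ALIAS HOSTNAME RUSER RUID LAYOUT LOCALUSER
ssh_stanza() {
  rsock=$(remote_agent_socket "$3" "$4" "$5") || return 1
  lsock=$(local_extra_socket "$6")
  printf 'Host %s\n    HostName %s\n    User %s\n    RemoteForward %s %s\n' \
    "$1" "$2" "$3" "$rsock" "$lsock"
}

# RemoteForward does not expand ~ or $VARS; refuse a stanza that relies on them.
# Returns 0 when every RemoteForward line is clean, 1 otherwise.
check_forward_paths() {
  if printf '%s\n' "$1" | grep -E '^[[:space:]]*RemoteForward ' | grep -Eq '[~$]'; then
    return 1
  fi
  return 0
}

# Run on the remote host after "ssh ALIAS": is the forwarded socket there and
# does an agent answer on it? The real key test is the gpg --decrypt step.
check_forwarded_agent() {
  sock=$(gpgconf --list-dirs agent-socket) || return 1
  if [ ! -S "$sock" ]; then
    echo "no socket at $sock: forward not active or bound elsewhere" >&2
    return 1
  fi
  gpg-connect-agent 'getinfo version' /bye
}

# Example run: print the stanza for a systemd host, then validate it.
if [ "${1-}" = "demo" ]; then
  stanza=$(ssh_stanza gpgtunnel systemd-host.example.com alice 1000 systemd bob)
  printf '%s\n' "$stanza"
  check_forward_paths "$stanza" && echo "forward paths are absolute: ok"
fi
```

Run it as `sh gpg-forward.sh demo` on the Mac to print a stanza you can paste into `$HOME/.ssh/config`, and call `check_forwarded_agent` from a shell on the remote host; if `gpgconf` reports a socket path that does not match the `RemoteForward` target, the forward is landing in the wrong layout.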
Forwarding from macOS to Linux (fill in your remote username in the first path and your macOS username in the second):

```
host gpgtunnel
    hostname remotehost.example.com
    User yourusername
    RemoteForward /home//.gnupg/S.gpg-agent /Users//.gnupg/S.gpg-agent.extra
```

Forwarding from macOS to systemd based Linux; use `id -u` on the remote system to find the UID for the `/run/user/` path:

```
host gpgtunnel
    hostname systemd-host.example.com
    User yourusername
    RemoteForward /run/user//gnupg/S.gpg-agent /Users//.gnupg/S.gpg-agent.extra
```

Copy the public half of your keys to the remote machine. The remote path must not use `$HOME`, which your local shell would expand to your macOS home directory, so give it relative to the remote home instead; note that GnuPG 2.1 and later keep the public keyring in `pubring.kbx` rather than `pubring.gpg`:

```
scp $HOME/.gnupg/pubring.gpg gpgtunnel:.gnupg/
```

You only have to copy the public half of the private key you are going to use; if you have that handy as an exported file you can just copy it over and then run `gpg --import mypublickey.pub` on the remote host.

Now test that the gpg-agent works on the local machine:

```
echo "test" | gpg --encrypt -r $MYKEYID
echo "test" | gpg --encrypt -r $MYKEYID > output
gpg --decrypt output
```

Now copy the file to the remote machine and decrypt it there through the forwarded agent:

```
scp output gpgtunnel:
ssh gpgtunnel gpg --decrypt output
```

The gpg on the remote host should be able to use the private key held by your local agent; if the key is not cached, the passphrase prompt appears in pinentry on the local machine, not on the remote one.

# References

* https://www.grepular.com/GPG_Agent_Forwarding
* https://wiki.gnupg.org/AgentForwarding