How to forward a gpg key via ssh-agent

Tags: gnupg, ssh, ssh-agent

I can use the ssh configuration file to enable the forwarding of ssh keys added to ssh-agent. How can I do the same with gpg keys?

Best Answer

EDIT: This answer is obsolete now that proper support has been implemented in OpenSSH, see Brian Minton's answer.

SSH is only capable of forwarding tcp connections within the tunnel.

You can, however, use a program like socat to relay the unix socket over TCP, with something like that (you will need socat both on the client and the server hosts):

# Get the path of gpg-agent socket (GPG_AGENT_INFO is "path:pid:protocol-version"):
GPG_SOCK=$(echo "$GPG_AGENT_INFO" | cut -d: -f1)

# Forward some local tcp socket to the agent (restarted after each client disconnects)
(while true; do
    socat TCP-LISTEN:12345,bind=127.0.0.1 "UNIX-CONNECT:$GPG_SOCK"
done) &

# Connect to the remote host via ssh, forwarding the TCP port
ssh -R12345:localhost:12345 host.example.com

# (On the remote host) recreate the agent socket and relay it to the forwarded port
(while true; do
    socat "UNIX-LISTEN:$HOME/.gnupg/S.gpg-agent,unlink-close,unlink-early" TCP4:localhost:12345
done) &

Test if it works out with gpg-connect-agent. Make sure that GPG_AGENT_INFO is undefined on the remote host, so that it falls back to the $HOME/.gnupg/S.gpg-agent socket.

Now hopefully all you need is a way to run all this automatically!
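One way to run the relay described in the answer from a single script, as an added example that is not part of the original answer: the function names (`parse_agent_info`, `gpg_agent_socket`, `remote_relay_cmd`, `forward_gpg_agent`), the `GPG_FORWARD_PORT` variable and the `--forward` flag are assumptions made here. The socket lookup falls back to `gpgconf --list-dirs agent-socket` when `GPG_AGENT_INFO` is not set, which is how newer gpg releases report the socket path; everything else follows the socat relay from the answer.

```shell
#!/bin/sh
# Added example, not the original answer's code: automate the socat relay.
# Assumed names: parse_agent_info, gpg_agent_socket, remote_relay_cmd,
# forward_gpg_agent, GPG_FORWARD_PORT (defaults to the answer's port 12345).
set -u

PORT="${GPG_FORWARD_PORT:-12345}"

# Socket path from a GPG_AGENT_INFO string of the form "path:pid:protocol-version".
parse_agent_info() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Local gpg-agent socket: GPG_AGENT_INFO if set (older gpg), else ask gpgconf
# (gpg 2.1+), else the classic default location used in the answer.
gpg_agent_socket() {
    if [ -n "${GPG_AGENT_INFO:-}" ]; then
        parse_agent_info "$GPG_AGENT_INFO"
    elif command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-socket
    else
        printf '%s\n' "$HOME/.gnupg/S.gpg-agent"
    fi
}

# Shell snippet the remote host runs: recreate the agent socket where the remote
# gpg expects it and relay it to the forwarded loopback port ($1).
remote_relay_cmd() {
    printf 'sock=$(gpgconf --list-dirs agent-socket 2>/dev/null || echo "$HOME/.gnupg/S.gpg-agent"); while true; do socat "UNIX-LISTEN:$sock,unlink-close,unlink-early" TCP4:localhost:%s; done' "$1"
}

# forward_gpg_agent HOST: start the local relay, open an ssh session with the
# port forwarded, start the remote relay there and drop into a login shell.
forward_gpg_agent() {
    host="$1"
    sock="$(gpg_agent_socket)"
    [ -S "$sock" ] || { echo "no gpg-agent socket at $sock" >&2; return 1; }

    # Local relay: loopback TCP port -> agent socket, restarted after each client.
    (while true; do
        socat "TCP-LISTEN:$PORT,bind=127.0.0.1,reuseaddr" "UNIX-CONNECT:$sock"
    done) &
    relay_pid=$!

    # -R binds the port on the remote loopback; ExitOnForwardFailure aborts the
    # login instead of silently continuing without the forward.
    ssh -o ExitOnForwardFailure=yes -R "$PORT:127.0.0.1:$PORT" "$host" \
        -t "($(remote_relay_cmd "$PORT")) >/dev/null 2>&1 & exec \$SHELL -l"

    # Tear the local relay loop down when the session ends.
    kill "$relay_pid" 2>/dev/null
}

# Only act when explicitly asked, so sourcing the file defines the functions.
if [ "${1:-}" = "--forward" ] && [ -n "${2:-}" ]; then
    forward_gpg_agent "$2"
fi
```

Run it as `sh forward-gpg.sh --forward host.example.com`, then check with `gpg-connect-agent` on the remote side as the answer suggests. Note that the TCP leg of this relay carries no authentication: anything on the remote host that can connect to its loopback port, including other local users, reaches your gpg-agent for the lifetime of the session, so this is only appropriate for hosts you trust as much as your own workstation.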