I have GPG agent forwarding via SSH RemoteForward working up to a point.

I can list my private and public keys on the remote host.

If I try to decrypt a file remotely, the PIN is prompted for but the text is stepped, garbled and the passphrase prompt echoes the passphrase (at least several random chars).

I can skip the forwarding and SSH to said remote host and start an agent, use the local keyring and PIN entry works fine. Similarly, I can SSH from the remote host (VM) back into MacOS and the same local keyring PIN entry works.

It's ONLY the forwarding that breaks PIN entry. I have exported "$GPG_TTY" and do "gpg-connect-agent UPDATESTARTUPTTY /bye" before SSH so the prompt is in the correct tty. That part does work as I've experimented with and without said vars.

Any help is greatly appreciated as I'm out of ideas. Aah, after writing I found the below, exact same problem!

https://unix.stackexchange.com/questions/325021/intermingled-input-when-using-local-gpg-agent-from-remote-site

  • MacOS Catalina to CentOS 8.2.2004
  • GPG 2.2.9 on CentOS8
  • GPG 2.2.21 on MacOS installed via homebrew
  • Pinentry 1.1.0 on MacOS and CentOS8
102-182-155-35 :: ~ % cat .ssh/config
Match host * exec "gpg-connect-agent UPDATESTARTUPTTY /bye"
Host centos8.ephemeric.local centos8
  Hostname 192.168.99.57
  ForwardAgent yes
  StreamLocalBindUnlink yes
  RemoteForward /run/user/1000/gnupg/S.gpg-agent /Users/robert/.gnupg/S.gpg-agent.extra

102-182-155-35 :: ~ % cat .gnupg/gpg-agent.conf
pinentry-program /usr/local/bin/pinentry-tty
pinentry-timeout 10
debug-level guru
allow-preset-passphrase
default-cache-ttl 43200
default-cache-ttl-ssh 43200
max-cache-ttl 43200
max-cache-ttl-ssh 43200

centos8 :: ~ % gpg -d tmp/slobwashere.gpg
Note: Request from a remote site.

                                 Please enter the passphrase to unlock the OpenPGP secret key:
                                                                                              "Robert Gabriel (Slob) <ephemeric@icloud.com>"
   4096-bit RSA key, ID DC141A1E1314AB17,
                                         created 2018-07-23 (main key ID 458EF10593DA8C1D).

                                                                                           Passphrase:
                                                                                                       gpg: encrypted with 4096-bit RSA key, ID DC141A1E1314AB17, created 2018-07-23
      "Robert Gabriel (Slob) <ephemeric@icloud.com>"
gpg: public key decryption failed: Timeout
gpg: decryption failed: No secret key
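The forwarding stanza above is the part of this setup worth checking mechanically before chasing pinentry behaviour. The following is an added example, not code from the question or from GnuPG/OpenSSH: it parses an OpenSSH client config and, for every RemoteForward that forwards a Unix socket, verifies that the local side is gpg-agent's restricted "extra" socket (S.gpg-agent.extra, the one gpg-agent provides for forwarding; requests over it are the ones gpg reports as "Request from a remote site."), that the remote side is a path named S.gpg-agent (the directory should match what `gpgconf --list-dirs agent-socket` prints on the remote host), and that StreamLocalBindUnlink is set so a stale socket file on the remote side does not make the forward fail silently. The sample config is constructed from the one in the question.

```python
"""Sanity-check an ssh_config for gpg-agent socket forwarding.

Added example (not part of the original question). The stanza parser is
deliberately minimal: it handles the "Keyword value" form used in the
question, treats keywords case-insensitively, and puts options that
appear before the first Host/Match line into an implicit "Host *" stanza.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass, field

# Constructed sample, copied from the ssh_config shown in the question.
SAMPLE_CONFIG = """\
Match host * exec "gpg-connect-agent UPDATESTARTUPTTY /bye"
Host centos8.ephemeric.local centos8
  Hostname 192.168.99.57
  ForwardAgent yes
  StreamLocalBindUnlink yes
  RemoteForward /run/user/1000/gnupg/S.gpg-agent /Users/robert/.gnupg/S.gpg-agent.extra
"""

# Basenames gpg-agent uses: the restricted socket meant for forwarding,
# and the regular agent socket gpg looks for on the remote host.
EXTRA_SOCKET = "S.gpg-agent.extra"
AGENT_SOCKET = "S.gpg-agent"


@dataclass
class Stanza:
    header: str  # the "Host ..." or "Match ..." line that opened the stanza
    options: dict[str, list[str]] = field(default_factory=dict)


def parse_ssh_config(text: str) -> list[Stanza]:
    """Split ssh_config text into stanzas keyed by lower-cased keyword."""
    stanzas = [Stanza("Host *")]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword = keyword.lower()
        if keyword in ("host", "match"):
            stanzas.append(Stanza(line))
            continue
        stanzas[-1].options.setdefault(keyword, []).append(value.strip())
    return stanzas


def check_gpg_forwarding(text: str) -> list[str]:
    """Return a list of findings; an empty list means the forwards look right."""
    findings: list[str] = []
    for st in parse_ssh_config(text):
        unlink = st.options.get("streamlocalbindunlink", ["no"])[-1].lower()
        for fwd in st.options.get("remoteforward", []):
            parts = fwd.split()
            if len(parts) != 2:
                findings.append(f"{st.header}: malformed RemoteForward {fwd!r}")
                continue
            remote, local = parts
            if not local.startswith("/"):
                continue  # TCP port forward, not a gpg-agent socket forward
            if posixpath.basename(local) != EXTRA_SOCKET:
                findings.append(
                    f"{st.header}: local side {local} is not the restricted "
                    f"{EXTRA_SOCKET} socket; the full agent socket should not be forwarded"
                )
            if posixpath.basename(remote) != AGENT_SOCKET:
                findings.append(
                    f"{st.header}: remote side {remote} is not named {AGENT_SOCKET}; "
                    "gpg on the remote host will not find the forwarded agent"
                )
            if unlink != "yes":
                findings.append(
                    f"{st.header}: StreamLocalBindUnlink is not 'yes'; a stale "
                    f"{remote} left on the remote host will break the forward"
                )
    return findings


if __name__ == "__main__":
    for finding in check_gpg_forwarding(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the question's config this reports nothing, which is consistent with the poster's observation that key listing over the forward works: the socket plumbing is fine, and the problem lies elsewhere (the PIN prompt itself). Swapping the local side for the unrestricted S.gpg-agent socket, or dropping StreamLocalBindUnlink, produces one finding each.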