-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Agent Forwarding #85
Comments
Just a follow-up on this that while following the above steps (i.e. setting socket with |
Should be both options enabled.
|
Whoa there. That's a I have My .bashrc on my remote machine calls My
Edit: forgot my |
Regarding the extra-socket option - I reckon that's something I will try when I have time (usually this means never but who knows). |
Thanks both @netflash and @taigrr for the help, this clarified much that in retrospect maybe should have been obvious.
On the remote host, I didn't need to create or have any I did need to go to the remote machine to both configure the extra socket and import the public key, and also either set This is all quite nice as I can now perform common tasks like signing and pushing commits to github from a remote machine using only the keys from my Yubikey, and can avoid having private ssh keys in a local |
Apologies if my section was lacking. Looking at my own setup, I have the following lines in my local
You can see how to get those sockets in this blog post. Steps 4 and 5 of the blog post are pertinent too, and something I forgot to include. Let me know if this works for your setups, and if so we can integrate the steps of the blog post as PR. idk what the policy on citing is for the linked blog post, if we should add it to the "links" section at the end or inline? |
Thanks @Wheest , I agree it would be nice to include both the bit about RemoteFroward and about finding the sockets, as well as steps 4 & 5 like you say. (May also be worth noting that a non-root user who can't edit Though that post doesn't mention it, it may be necessary to also modify the local
(or whatever the reported extra-socket address is)? Or is that not necessary? |
I updated my comment above so it is complete. It now contains all the necessary options for full agent forwarding to work. |
Have added some of this information into the following pull request, further feedback and amendments needed before it should be merged. Thanks all for your comments thus far. @cboettig regarding the case of a non-root user being able edit The Agent Forwarding page on gnupg wiki seems to corroborate with the line:
But it would be good to have a second opinion. @taigrr, thanks for the comment update. I don't recall having to edit |
@Wheest yes, I can confirm that deleting the socket on the remote machine, logging out, and logging back in works (if being rather annoying) if you can'y edit Also, I've found I cannot get ssh fowarding to work as documented in the guide by using the public key as the identify file -- this just throws an error that the key is in the wrong format. So far, I've had to extract a private ssh key with |
Hey @cboettig, thanks for the suggestions on the PR. I'm afraid that I'm not too sure RE that particular issue. For another project I've spun up a new server, and haven't been able to get agent forwarding running yet, according to my instructions. I'll append anything I find while doing that to my PR. EDIT: Aye, have added some things I've tried. Still haven't managed to get forwarding working on my new remote machine. Keep getting the error |
@Wheest what is your Re my confusion on needing a private key, |
https://blog.onefellow.com/post/180065697833/yubikey-forwarding-ssh-keys may of help as well |
Heads up that SSH-forwarding can be an inherently dangerous thing to set up: https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident#ssh-agent-forwarding-should-be-disabled |
This is a good point, and I reckon it should be added to the guide. Users will view this guide as vetted security advice, important to keep standards up |
@Wheest @anoadragon453 - thanks for the heads up, would you mind sending a pull request to add a warning? |
Just FTR, this is done; seeing how https://github.com/drduh/YubiKey-Guide#remote-machines-agent-forwarding (now) starts with "Note SSH Agent Forwarding can add additional risk - proceed with caution!* and links to that matrix.org article. |
I had Agent Forwarding with a YubiKey working nicely for months, and for some reason I haven't been able to figure out, it recently broke... |
@vorburger You could try to refresh stubs. I have 2 yubikeys with the same info on them and when I change them it helps to make it work:
|
@AlexanderBartash thanks! In my case, the problem was a confusion on my end re. |
This is a fantastic guide, thanks!
The only area that I couldn't successfully follow was regarding the configuration in the section on agent forwarding to use my gpg (and ssh authentication) on remote machines. IIUC, your guide suggests this should work merely by including the
-A
flag in the ssh command. Following the gpg wiki I found I had to look up my local extra socket,gpgconf --list-dirs agent-extra-socket
, look up my remote socket,gpgconf --list-dirs agent-socket
, and addRemoteForward <remote socket> <extra-socket>
to my~/.ssh/config
, and also addextra-socket
(and fix my pinentry-program line) in~/.gnupg/gpg-agent.conf
. On the remote host, I had to import my public key first, and addStreamLocalBindUnlink yes
in/etc/ssh/sshd_config
and re-load the config (something you cover in the previous section but seemingly only for some Windows-only tool). After that I could decrypt from a remote host.Not sure if there is a way to get this to work without needing root access on the remote machine.
(In my experiment I also needed to reboot the remote machine first, though probably that could be avoided by using some appropriate
service reload
commands.... Also would need further steps to enable the ssh from the remote machine, probably similar to what you already document for the local machine(?)Is there a better way than the above, e.g. that lets you get this to work with just
ForwardAgent yes
and not mucking around for sockets? Is this something you would consider extending in the guide, or would entertain a PR for?The text was updated successfully, but these errors were encountered: