From 0e90e48a4fc0d95083c789b4f5e2b54fd8cd3114 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 9 Jul 2013 07:44:23 +2000 Subject: [PATCH] Re: [PATCH 0/2] Prompting for the GPG password within Emacs --- 63/01354a5a320c282dbd03dd2f28f4f3577a9078 | 143 ++++++++++++++++++++++ 1 file changed, 143 insertions(+) create mode 100644 63/01354a5a320c282dbd03dd2f28f4f3577a9078 diff --git a/63/01354a5a320c282dbd03dd2f28f4f3577a9078 b/63/01354a5a320c282dbd03dd2f28f4f3577a9078 new file mode 100644 index 000000000..1dcc4af09 --- /dev/null +++ b/63/01354a5a320c282dbd03dd2f28f4f3577a9078 
@@ -0,0 +1,143 @@ +Return-Path: +X-Original-To: notmuch@notmuchmail.org +Delivered-To: notmuch@notmuchmail.org +Received: from localhost (localhost [127.0.0.1]) + by olra.theworths.org (Postfix) with ESMTP id 15E3C431FAF + for ; Mon, 8 Jul 2013 04:44:37 -0700 (PDT) +X-Virus-Scanned: Debian amavisd-new at olra.theworths.org +X-Spam-Flag: NO +X-Spam-Score: 0 +X-Spam-Level: +X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none] + autolearn=disabled +Received: from olra.theworths.org ([127.0.0.1]) + by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) + with ESMTP id cg4Y838DEXKw for ; + Mon, 8 Jul 2013 04:44:29 -0700 (PDT) +Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) + by olra.theworths.org (Postfix) with ESMTP id 35CA0431FAE + for ; Mon, 8 Jul 2013 04:44:29 -0700 (PDT) +Received: from [192.168.13.179] (lair.fifthhorseman.net [108.58.6.98]) + by che.mayfirst.org (Postfix) with ESMTPSA id 40D68F980; + Mon, 8 Jul 2013 07:44:25 -0400 (EDT) +Message-ID: <51DAA617.4090308@fifthhorseman.net> +Date: Mon, 08 Jul 2013 07:44:23 -0400 +From: Daniel Kahn Gillmor +User-Agent: Mozilla/5.0 (X11; Linux x86_64; + rv:17.0) Gecko/20130630 Icedove/17.0.7 +MIME-Version: 1.0 +To: Neil Roberts +Subject: Re: [PATCH 0/2] Prompting for the GPG password within Emacs +References: <1373195672-9338-1-git-send-email-neil@linux.intel.com> + <51D9F4E6.1030504@fifthhorseman.net> <87r4f9xqc7.fsf@neilpc.config> +In-Reply-To: <87r4f9xqc7.fsf@neilpc.config> +X-Enigmail-Version: 1.5.1 +Content-Type: multipart/signed; micalg=pgp-sha512; + protocol="application/pgp-signature"; + boundary="----enig2PTDHJLRHHSIOUJJPDHBO" +Cc: notmuch@notmuchmail.org +X-BeenThere: notmuch@notmuchmail.org +X-Mailman-Version: 2.1.13 +Precedence: list +List-Id: "Use and development of the notmuch mail system." 
+ +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +X-List-Received-Date: Mon, 08 Jul 2013 11:44:37 -0000 + +This is an OpenPGP/MIME signed message (RFC 4880 and 3156) +------enig2PTDHJLRHHSIOUJJPDHBO +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: quoted-printable + +Hi Niel-- + +On 07/08/2013 07:07 AM, Neil Roberts wrote: + +> Both machines are trusted personal machines so I can put the keys on +> either (or both). + +cool, this makes it a little bit easier. + +> I think what would be ideal is if OpenSSH could +> support gpg-agent forwarding like it does for ssh-agent. + +Hm, interesting. I bet we could figure out a way to do this with +existing OpenSSH without needing to patch anything, as long as you're +willing to use helper utilities like socat. + +it came up on a blog post i made a while back about forwarding +unix-domain sockets over ssh: + + https://www.debian-administration.org/users/dkg/weblog/68 + +but no one offered an explicit recipe, and my examples there are for +forwarding a unix domain socket from the ssh client to the ssh server, +which i think is the reverse of what you're proposing. + + +I just did a little test, and got the following to work with a single +connection (a bit more tuning and you can probably make it work repeatedl= +y): + +on the remote server (i'll call it "xxx"), i did: + + mkdir ~/.sockets + chmod 0700 ~/.sockets + export GPG_AGENT_INFO=3D~/.sockets/S.gpg-agent:0:1 + +and on my local machine, i ran the following bash command (this is all +one command, sorry about the line wrap): + + socat + EXEC:'ssh xxx socat UNIX-LISTEN\:.sockets/S.gpg-agent STDIO' + UNIX:${GPG_AGENT_INFO%%:*} + +then on the remote server, i created a secret key, and ran: + + echo test > test.txt + gpg --clearsign test.txt + +and was prompted by my local graphical gpg-agent. 
+ +note that this means that any passphrases cached by my local gpg-agent +are also visible to the account on the remote server, but in your +scenario (you control and trust both machines) that should be OK. + +hth, + + --dkg + + +------enig2PTDHJLRHHSIOUJJPDHBO +Content-Type: application/pgp-signature; name="signature.asc" +Content-Description: OpenPGP digital signature +Content-Disposition: attachment; filename="signature.asc" + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.12 (GNU/Linux) +Comment: Using GnuPG with Icedove - http://www.enigmail.net/ + +iQJ8BAEBCgBmBQJR2qYXXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w +ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFQjk2OTEyODdBN0FEREUzNzU3RDkxMUVB +NTI0MDFCMTFCRkRGQTVDAAoJEKUkAbEb/fpcVN0P/AlR/q4gBc3ahHcUSM7cyHyS +ICR8vcSjcCwSNxpZGFb6gzbMsHg8kzyMPt3ZNxM7Ovts8qdu9OpbFBo17QqgAT31 +6ipz3yc65MeAdWDSZBbYDDp6pMbWqyMNn/5ShtfNvpCopBft/PpfyFqUB9eJWklj +Cd7iNCxbnE6oIrtu2x5lBW54THKfyu7RpAFCNhs7lj1OwlsS+rulhvA4DUzQ68Kq +xTVwLoIMrVI8LTs6fA4omooXAnGYVyP430ZRe0fLFfTvbBxTKBKM0NG6Qp0FdH2h +frNPYBRARnG2qcawcN1iKGg/iUIO9PfHbb0g0AZt9MfZi4xiwOxEyHqDJ+LJ+liF +KYbRzRLTIhwTuzgSjJckZhPixo2kKhkov2evzSaxPzi2yIT6qP5JpdiLQx6v/Ga5 +oNDK1PJw0fNoFqgEgMvVYXQegkH0OPXCyFCiObKcB/0vbwjdbQHVAoChCDH/5LGc +I16Pe8klx0Ovj7BRk0TUcdI7C5itbyBg9XmlZX7iyVlYJblb1LBFuNrg2jXjOkry +O/Ex/rrITomwWRupOa1/plIyhl4Qb4K5t0hL7txNlDDGghw4f9RE/zL1GHx3ndrF +jxc3GaHXOZN9dR35qsCeEqU/euQtFnC4IjJw9kX0/bzTMU01aqUvDWYxxe4EXZym +0rwS8gJ/N10LRIeip0uC +=F8du +-----END PGP SIGNATURE----- + +------enig2PTDHJLRHHSIOUJJPDHBO-- -- 2.26.2
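Review bot: the commit header's `Date: Tue, 9 Jul 2013 07:44:23 +2000` carries an impossible timezone offset (valid offsets lie within ±1400) and disagrees with the archived message's own `Date: Mon, 08 Jul 2013 07:44:23 -0400`; derive the commit date from that header (or from `X-List-Received-Date: Mon, 08 Jul 2013 11:44:37 -0000`) so the archive's git metadata matches the mail it stores. The rest of the hunk is the verbatim list message and should stay as-is, including its quoted-printable encoding (`=3D`, the `repeatedl=` / `y` soft line break) and the caveat near the end: the socat-over-ssh recipe makes the local gpg-agent, and every passphrase it has cached, reachable by whoever holds the remote account, and the only access control on the remote socket is the `chmod 0700 ~/.sockets` step, so that caveat is worth keeping visible to anyone reading the recipe from the archive.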