Socket forwarding with non existent remote directories

Andre Heinecke aheinecke at gnupg.org
Thu Oct 6 06:32:36 AEDT 2016


Hi OpenSSH devs,

I love and truly appreciate the socket forwarding feature in OpenSSH 6.7.
I use it for forwarding the socket of GnuPG's agent
(which handles the secret stuff) to remote machines.

Use case
========

I am a remote worker and use gnupg agent forwarding
to connect to our company infrastructure, which makes heavy use
of PGP encryption, while keeping my key out of the hands of
the company on a personal smartcard that is connected to
my local system.


Problem
=======

Now with GnuPG 2.1.13 the socket directory changed from
~/.gnupg to /run/user/<uid>/gnupg on systems where
/run/user/<uid> exists, to better accommodate systemd.

I now have the problem that my config line

RemoteForward /var/run/user/10118/gnupg/S.gpg-agent /home/aheinecke/.gnupg/S.gpg-agent.extra

does not work if /var/run/user/10118/gnupg/ does not exist.
OpenSSH does not create the directory and fails to forward
the socket.

That it does not exist is the usual case, because systemd
cleans up this directory on logout if no processes exist that
are still accessing it. There are of course workarounds, like
creating that directory before the agent forwarding connection,
but they are workarounds and I'd like to have this working
smoothly.


The gpg-agent forwarding is an awesome feature for us.
(I documented it under https://wiki.gnupg.org/AgentForwarding)

In my opinion OpenSSH should create the parent directories of
RemoteForwarded files if possible. Maybe as a configuration option?
Do you agree?

Or do you think that some other software component
in this setup is behaving wrongly?

Regards,
Andre

-- 
Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
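As an added example that is not part of Andre's mail or of OpenSSH: a small POSIX shell wrapper implementing the workaround he mentions, creating the remote socket directory before the forwarding connection. It reads the remote socket path from the RemoteForward line of an ssh config file and runs `mkdir -p` on the remote host; the host name `work`, the sample config and the `SSH_CMD` override are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail: pre-create the parent directory
# of a RemoteForward'ed Unix socket on the remote host, so the forward does
# not fail when systemd has already removed /run/user/<uid>/gnupg.
# Host name "work" and the sample config below are constructed.

# Print the parent directory of the remote Unix socket named in the first
# RemoteForward line of an ssh config file (remote side starts with '/').
remote_forward_parent_dir() {
    sock=$(awk '$1 == "RemoteForward" && $2 ~ /^\// { print $2; exit }' "$1")
    [ -n "$sock" ] || return 1
    dirname "$sock"
}

# Run mkdir -p on the remote host so sshd can bind the socket there.
# SSH_CMD may be overridden (e.g. for testing); mode 0700 keeps the
# socket directory private to the user, as GnuPG expects.
ensure_remote_dir() {
    host=$1
    dir=$2
    ${SSH_CMD:-ssh} "$host" mkdir -p -m 0700 "$dir"
}

# Constructed config reproducing the RemoteForward line from the mail.
sample_config=$(mktemp)
cat > "$sample_config" <<'EOF'
Host work
    RemoteForward /var/run/user/10118/gnupg/S.gpg-agent /home/aheinecke/.gnupg/S.gpg-agent.extra
EOF

# Usage: sh wrapper.sh work
# Creates the directory first, then connects with the same config so the
# forward succeeds. Skipped when no host argument is given.
if [ $# -ge 1 ]; then
    dir=$(remote_forward_parent_dir "$sample_config") ||
        { echo "no RemoteForward socket path in config" >&2; exit 1; }
    ensure_remote_dir "$1" "$dir"
    ssh -F "$sample_config" "$1"
fi
rm -f "$sample_config"
```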