Problems using RemoteForward for gpg-agent with multiple sessions

Brandon Cheng brandon at brandoncheng.me
Fri Jun 10 02:54:26 AEST 2022


On Tue, 7 June 2022, Thorsten Glaser wrote:
> On Tue, 7 Jun 2022, Brandon Cheng wrote:
> > Recognizing that this is a possible workaround, I think there's
> > still significant advantages to decoupling RemoteForward from
> > ControlMaster. With a muxer, all SSH connections go through a single
> > TCP connection which can cause shared latency. It seems unintuitive
> > to couple
>
> You can split that as well, though.
>
> Just add a separate Host section to your SSH config for the muxer,
> use it with -fNM to start the muxer, without to use it, and use a
> different Host section to create separate connections. On the remote
> side, just pick up the agent forwarded from the other connection.

I have a few workarounds of this type as well. It similarly uses -N and
I let it background through tmux.

I appreciate the solution you've offered. I agree this works, but I
do still believe OpenSSH could do better:

  - While the script works well, it's cumbersome to remember to start
    the command and for the right server. The script could be automated
    to run at startup, but then you may be paying for network bandwidth
    that may not be used.
  - The command intermittently disconnects due to spurious network
    conditions. I'd like to add retry logic, but I'm hesitant to have a
    busy while loop in the background that could go awry. Ideally this
    is a script with incremental backoff, or watches network conditions
    to know when it should re-attempt connections.

Our team began requiring GPG commit signing recently. Although I can
personally use this setup without problem, I've noticed significant
difficulty managing this from my teammates less familiar with unix
tooling.

My intention was to offer any help I can to make this easier for all
OpenSSH and GPG users.

On Tue, 7 June 2022, Thorsten Glaser wrote:
> This needs a little shell scripting but no more than your solution,
> I believe.

While the solutions in the first email require one-time config setup, I
don't believe they require shell scripts unless I missed something.

Thanks for elaborating on your local setup. Always interesting to see
how others solve similar problems.
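The split setup Thorsten describes (one Host alias that only carries the agent forward, another for ordinary sessions) combined with the incremental-backoff reconnect Brandon wishes he had, as an added example; this is not code from the thread or from OpenSSH. The host alias `devbox-fwd`, the hostname `devbox.example.com`, the socket paths and the `--run` flag are all assumptions for the illustration; the real socket paths come from `gpgconf --list-dirs agent-extra-socket` on the client and `gpgconf --list-dirs agent-socket` on the server. One caveat the thread does not mention: a reconnect can only re-bind the remote socket if `sshd_config` on the server has `StreamLocalBindUnlink yes`, otherwise the socket left behind by the dropped connection makes `ExitOnForwardFailure` fail the new attempt.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: keep a forwarding-only
# SSH connection alive for the gpg-agent RemoteForward, reconnecting with
# incremental backoff instead of a tight retry loop.
#
# Assumed ~/.ssh/config (aliases, hostname and socket paths are placeholders):
#
#   Host devbox-fwd
#       HostName devbox.example.com
#       ExitOnForwardFailure yes
#       ServerAliveInterval 15
#       ServerAliveCountMax 3
#       RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra
#
#   Host devbox
#       HostName devbox.example.com
#
# Interactive sessions use "devbox" and each get their own TCP connection;
# only "devbox-fwd" carries the agent socket, so shared latency through a
# single mux is avoided.  The server needs "StreamLocalBindUnlink yes" in
# sshd_config, or the stale socket from a dropped connection blocks re-bind.

set -u

FWD_HOST="${FWD_HOST:-devbox-fwd}"   # placeholder alias from the config above

# backoff_delay ATTEMPT BASE CAP -> prints min(CAP, BASE * 2^ATTEMPT)
backoff_delay() {
    attempt=$1 base=$2 cap=$3
    delay=$base
    i=0
    while [ "$i" -lt "$attempt" ]; do
        delay=$((delay * 2))
        # stop doubling once the cap is reached so the value cannot overflow
        [ "$delay" -ge "$cap" ] && break
        i=$((i + 1))
    done
    [ "$delay" -gt "$cap" ] && delay=$cap
    printf '%s\n' "$delay"
}

# retry_with_backoff MAX_ATTEMPTS BASE CAP CMD [ARGS...]
# Runs CMD until it exits 0 or MAX_ATTEMPTS is reached, sleeping
# backoff_delay seconds between attempts.  Returns CMD's last exit status.
retry_with_backoff() {
    max=$1 base=$2 cap=$3
    shift 3
    n=0
    while :; do
        if "$@"; then
            return 0
        else
            rc=$?            # status of the failed attempt
        fi
        n=$((n + 1))
        if [ "$n" -ge "$max" ]; then
            return "$rc"
        fi
        sleep "$(backoff_delay "$((n - 1))" "$base" "$cap")"
    done
}

# One foreground forwarding session: -N runs no remote command, and the
# ServerAlive* settings make ssh exit when the link dies so we can retry.
forward_once() {
    ssh -N -o ExitOnForwardFailure=yes "$FWD_HOST"
}

main() {
    # up to 20 attempts, 2 s first pause, capped at 5 min between attempts
    retry_with_backoff 20 2 300 forward_once
}

# Only open a connection when invoked with --run, so the helper functions
# can be sourced or tested without touching the network.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `gpg-forward.sh --run` inside tmux or a user service, the same way the existing `-N` workaround is backgrounded; once the forwarding session has been re-established, sessions opened through the plain `devbox` alias find the agent socket in place. The backoff caps the wait between attempts rather than looping continuously, so a server that is down for the night costs a handful of connection attempts instead of thousands.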
