You are not logged in.
Hello there, Forum.
I'm currently setting up a server to automate and centralize some of my communication, including programs that need to sign/decrypt some data with one of my GPG keys.
Now the disk of that server is not encrypted, so storing my private key there without a password is out of the question. Access to the server is restricted to SSH (pubkey auth only) and whoever can physically touch the hardware.
I have created a new user on that server that has only the absolutely necessary processes/services running, minimum amount of files in $HOME and all sensitive files are encrypted and contained in that home directory.
Now some of the programs, like the MUA, expect a GPG-agent running while I'm interacting with them. For those I would like to unlock the keyring when logging in through SSH and lock the keyring again when logging out.
I assume this could be done by invoking pinentry-curses after login, configuring the agent to cache keys indefinitely and then terminate the agent in .zlogout.
But that doesn't seem like a very good solution to me; I'd have to either manually do something to prompt pinentry or somehow probe the keyring after login and then check for multiple SSH sessions on logout. Are there any "proper" ways to do this, like some Systemd service specifically designed for this?
The other case - and where I'm even less certain what is best or if it's even a good idea in the first place - are services running continuously, like a regular duplicity backup, that require access to a private key. Those would be running even when I'm not logged in through SSH. I have services like that set up on my local desktop machine and I simply let them fail silently when the keyring is not unlocked, but for a server running 24/7 that might mean longer periods of uptime without those regular backups etc.
Are there common solutions for the things I'm trying to do? Any experience and insight is welcome.
Thanks.
Last edited by lamarpavel (2016-07-04 07:46:21)
Offline
You can do this with OpenSSH>=6.7 and GnuPG>=2.1.
OpenSSH 6.7 introduced unix socket forwarding which will used to forward the gpg-agent socket. And GnuPG 2.1 got rid of the secring.gpg delegating private key management to gpg-agent. This avoids having to keep the private key on the remote machine.
First you'll want to set up an extra-socket on the local client. Add this line to your gpg-agent.conf
extra-socket /path/to/extra-socketRestart your gpg-agent
pkill gpg-agent
gpg-connect-agent /byeOpen an ssh connection to the remote server and forward the servers gpg-agent socket back to the client (make sure gpg-agent isn`t already running on the remote)
ssh -R ${GNUPGHOME:-~/.gnupg}/S.gpg-agent:/path/to/extra-socket remote-serverNote: GNUPGHOME refers to the home folder of gnupg on the remote. If it is different from the local GNUPGHOME, you'll have to adapt this.
You should now be able to sign/encrypt on the remote server, provided it has your public key in the keyring.
Note: You may need to add a graphical pinentry (qt,gtk) to your clients gpg-agent.conf, I'm not sure the curses one will work.
By default, OpenSSH will not remove the the forwarded socket on the server upon closing the connection. This will prevent OpenSSH to create the socket during the next connection. If you have access to the servers sshd_config you may add the following line
StreamLocalBindUnlink yesor remove it in you logout script (.zlogout, .bash_logout, ...)
rm ${GNUPGHOME:-~/gnupg}/S.gpg-agentOffline
Wow, that is far better than what I could have hoped for. Thanks a lot for the insight.
The socket is now successfully created via the SSH connection after some trial and error. I have ensured that no gpg-agent is running on the remote server when creating the socket, but as soon as I do something like gpg --decrypt or gpg --list-secret-keys, an agent is spawned and my local agent on the client side is not queried (as far as I can tell). So it's not working just yet.
I think it has something to do with the ~/.gnupg/S.gpg-agent not being used by gpg on the remote server. Because neither on my local client nor on any other of my setups is that socket created when the gpg-agent is started and used, so I am probably missing some configuration to specifically target that socket. Maybe export some env like for the SSH agent?
Again, thanks so much for the help so far.
Last edited by lamarpavel (2016-07-01 09:47:13)
Offline
Alright, I got it working.
First of all, I needed to create the socket on the remote in /run/user/<id>/gnupg/S.gpg-agent instead of /home/<user>/.gnupg/S.gpg-agent, and secondly my public key needed to be in the remote keyring with full ownertrust "[ultimate]". The gpg.conf on the remote does _not_ have "use-agent" set and, or any other settings really and no agent is running on the remote at any point in time.
Thanks again for your help!
Last edited by lamarpavel (2016-07-03 11:21:50)
Offline