Remote PGP and ssh ?
With the Dutch government enforcing new laws on storing communication information there is a broader need for people to start using PGP to encrypt their e-mails.
I must admit that I haven’t been using it for a long while now. The main reason is that I often e-mail from a server that I ssh into from my laptop. I am not the administrator of that machine. That is the main reason that I don’t want to store my private keys localy on that server. I want them only on my laptop (or better, on an encrypted USB disk in my laptop).
But how to sign and encrypt mails if you haven’t got the keys on the server? What I want is something like the ssh-agent forwarding.
I first thought that this should not be that hard to accomplish. A bit of searching on the web did not come up with the information that I needed. Only few more people seem to want what I want. Or the solution is so obvious that I’ve missed it.
$ echo ${GPG_AGENT_INFO} /tmp/seahorse-XqeiA6/S.gpg-agent:4369:1This unix socket does the trick after you’ve put use-agent in your ~/.gnupg/gpg.conf.
$ file /tmp/seahorse-XqeiA6/S.gpg-agent
/tmp/seahorse-XqeiA6/S.gpg-agent: socket
However, as soon as I log into my mailserver I loose the connection to this socket. The other server cannot reach it.
There are several ways to make sure that you can talk to the socket from the other server:
* Patch your ssh with the OpenSSH Unix Domain Socket Forwarding patch. This allows you to forward a socket to another server.
The downside of the above solution is that you’ll need to keep running a patched version of ssh. I don’t want that so I’ve searched further:
* On http://snafu.priv.at/interests/crypto/remotegpg.html Alexander Zangerl describes a way to use the kernel key storage system.
The third solution I’ve seen mentioned is using the socat utility in combination with ssh portforwarding. The trick is:
* Connect the socket of ${GPG_AGENT_INFO} to a network port of the localhost.
* RemoteForward this port to the server
* As the server does not want to encrypt via a network port use socat on the server again to connect the tcp port to a new socket.
* Point ${GPG_AGENT_INFO} to that socket (and make sure that that gpg is configured to use gpg-agent) to encrypt and sign stuff.
My guess was that the last option is the most straightforward and should not be too hard to implement.
* socat tcp-listen:3334,reuseaddr,fork gopen:${GPG_AGENT_INFO%%:*},append
* ssh -R 3334:localhost:3334 mailserver
* socat -d -d unix-listen:~/.socket.gpg,append tcp4-connect:localhost:3334
* export GPG_AGENT_INFO=~/.socket.gpg
I would expect the above scenario to work, but I got the message:
gpg: malformed GPG_AGENT_INFO environment variable
Apparently the GPG_AGENT_INFO environment variable needs to hold some semicolons. And socat won’t create a socket containing semicolons. 
Another option I see is to start using sshfs for access to the keys. And, what might also work, is to use specific authorized ssh-keys.
So far I haven’t been successful and I’d welcome any suggestions on the implementation.