Hi Raphaël,

On Wed, Mar 29, 2006 at 11:26:08AM +0200, Raphaël Poss wrote:
> People who are serious about security would probably like to have the
> crypto done by the smartcard itself, or at least the computer they are
> sitting in front of. Therefore a better setup would be to have the
> encrypted data transmitted from your distant ssh host to your local host
> for decryption, and decrypted data sent back to your ssh host for use
> (or just viewed locally).

Isn't that basically what gpg-agent does already for ssh authentication? If I sit at machine A with a smartcard plugged in, connect to machine B with an authentication key from the smartcard, and then try to connect from machine B to machine C, that same authentication key on the smartcard will be available despite it not being stored on either machine B or machine C. The request will be tunneled by gpg-agent over ssh, and the password prompt and cryptographic interaction with the key will happen locally on machine A. Am I misunderstanding how that works?

If not, I'm just asking for the same ability to forward access to keys over ssh but use them remotely (such as on machine B or C) for any GPG signing and decryption, as well as ssh authentication. If I understand this right, the crypto happens on the smartcard in any case.

> 1. connect to your remote ssh host using remote port forwarding, with
> -R4242:localhost:4242
[...]
> while true; do nc -l 4242 | gpg ; done
[...]
> 3. configure your remote mutt to send the encrypted data to port 4242 on
> the same host, so that it gets forwarded back via your ssh connection.

Sometimes I use gpg remotely on the command line, and even within mutt, there are many different commands it might want to issue to gpg. There are also other programs I might want to start using, like a console password manager, that would also want to access the gpg key. This seems like a very clumsy way to do what gpg-agent already does very well on the local machine for signing/decrypting/authenticating and on remote machines for authenticating. I just want to equalize its capabilities on remote machines with those on local machines, while keeping the private-key crypto local to the smartcard as it already is with gpg-agent.

Still, thanks for giving a first stab at a solution. Hopefully we'll be able to figure out something, whether or not involving code changes.
- Jimmy Kaplowitz

Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
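The capability asked for in the message above, as an added example that is not part of this thread or of GnuPG itself: later GnuPG releases (2.1 and up) expose a restricted "extra socket" for gpg-agent, and OpenSSH 6.7 and up can forward a Unix socket with `-R`, so a remote gpg can use the local smartcard for signing and decryption while the private-key operations stay on the card. The remote host name and socket paths below are placeholders, and the script assumes `StreamLocalBindUnlink yes` in the remote sshd_config so a stale socket file does not block the forward.

```shell
#!/bin/sh
# Added example (not from the gnupg-users thread): forward the local
# gpg-agent extra socket to a remote host so that gpg there talks to the
# local agent, and therefore to the local smartcard, for signing/decryption.

# Compose the ssh command line.
# $1 = local extra socket path, $2 = socket path the remote gpg expects,
# $3 = remote host. The extra socket is forwarded rather than the main
# one because it refuses privileged operations such as key export.
build_forward_cmd() {
    printf 'ssh -R %s:%s %s\n' "$2" "$1" "$3"
}

# Refuse to forward unless the local agent really exposes a socket here;
# otherwise ssh would create a dangling forward on the remote side.
local_extra_socket_ok() {
    [ -S "$1" ]
}

# Discover the local path with gpgconf when available, else use a placeholder.
main() {
    host="${1:-remote.example}"                              # placeholder host
    remote_sock="${2:-/run/user/1000/gnupg/S.gpg-agent}"     # placeholder path
    # On a real setup the remote path comes from:
    #   ssh "$host" gpgconf --list-dirs agent-socket
    if command -v gpgconf >/dev/null 2>&1; then
        local_extra=$(gpgconf --list-dirs agent-extra-socket)
    else
        local_extra="$HOME/.gnupg/S.gpg-agent.extra"         # placeholder path
    fi
    if local_extra_socket_ok "$local_extra"; then
        build_forward_cmd "$local_extra" "$remote_sock" "$host"
    else
        echo "no local agent extra socket at $local_extra; is gpg-agent running?" >&2
        return 1
    fi
}

# Usage: sh forward-agent.sh forward [host] [remote-agent-socket]
case "${1:-}" in
    forward) shift; main "$@" ;;
esac
```

Once the forward is up, `gpg --card-status` on the remote host should report the card plugged into the local machine, and the PIN prompt appears locally, which is the behaviour the message describes for ssh authentication.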