osx:start [2019/05/22 15:08] robm GPG
osx:start [2020/01/30 20:36] robm [GPG with remote forwarding]
====== GPG with remote forwarding ======

GPG agent forwarding allows a remote system to use secrets held on your local system via an SSH tunnel. When you are not connected to the remote system, it cannot access your secrets, and if the remote system is compromised your secrets are not exposed (since they are never stored on it). The caveat is that while a session is open, anything on the remote host that can reach the forwarded socket can ask your agent to sign or decrypt, so a compromised host can use your keys for as long as you stay connected, even though it cannot extract them.

My (initial) use-case is to allow docker on a remote host to store my login credentials (so I can push/pull images when working), but not store secrets on that host. The default behaviour is to store my password in plain text, which is unacceptable.

So I opted to use [[https:// |

So I want to use GPG agent forwarding to allow '' |
Overview (notes to follow, I hope):

- Configure SSH to forward agent socket
- Disable systemd stuff which creates (unused) gpg sockets and/or configure SSHd to allow you to delete and recreate those sockets

Gotchas to document:

"Inappropriate ioctl for device" means the GPG agent was attempting to open a TTY. The agent lives on my MacBook, but the request comes from a remote system. So the remote system' |
https://

https://
Testcase:

<

Remote end:

Modify ''/ |

<code>
# Allow socket files to be unlinked by incoming connections (intended to
# facilitate use of GPG Agent)
StreamLocalBindUnlink yes
</code>

Without this, sshd refuses to bind the forwarded socket because the (unused) socket created by the systemd user session already exists at that path.

See https:// |
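A complete worked setup for the two steps in the overview (forward the agent socket from the laptop, and let the remote sshd replace the socket systemd created), as an added example that is not the page author's own configuration. The host alias ''remote-host'', the user name ''robm'' in the local path and both socket paths are placeholders: on a real system take the local path from ''gpgconf --list-dirs agent-extra-socket'' on the Mac and the remote path from ''gpgconf --list-dirs agent-socket'' on the remote host. The ''smoke_test'' function is the test case the notes above leave open; it needs a real host and is not run by the script itself.

```shell
#!/bin/sh
# Added example, not the page author's own setup. Builds the laptop-side
# ssh_config for GPG agent forwarding and checks the remote sshd setting.
# All paths, the host alias and the user name are placeholders (assumptions):
# on a real system the local path comes from
#   gpgconf --list-dirs agent-extra-socket      (run on the laptop)
# and the remote path from
#   gpgconf --list-dirs agent-socket            (run on the remote host)

# RemoteForward directive: <remote socket path> <local socket path>.
# The local side uses the "extra" socket (S.gpg-agent.extra), which GnuPG
# provides specifically for forwarding: it exposes a restricted command set,
# so the remote host can sign/decrypt but cannot, for example, export keys.
remote_forward_line() {
    printf 'RemoteForward %s %s\n' "$1" "$2"
}

# Complete Host block for ~/.ssh/config on the laptop.
# $1 host alias, $2 remote agent socket path, $3 local extra socket path
ssh_host_block() {
    printf 'Host %s\n' "$1"
    printf '    '
    remote_forward_line "$2" "$3"
}

# Check that an sshd_config (read from stdin) has StreamLocalBindUnlink enabled.
# sshd honours the first occurrence of a keyword, so that is the one tested;
# commented-out lines do not match because their first field starts with '#'.
# (Match blocks are not modelled; keep the directive in the global section.)
sshd_allows_unlink() {
    awk 'tolower($1) == "streamlocalbindunlink" { print tolower($2); exit }' \
        | grep -qx yes
}

# Smoke test to run once the config is in place: if forwarding works, gpg on
# the remote host can sign with a key that exists only in the laptop's agent.
# Import the public key on the remote first ("gpg --export KEYID | ssh HOST gpg --import")
# so the remote gpg knows which key to ask the agent for. Needs a real host.
smoke_test() {
    ssh "$1" 'echo forwarding-test | gpg --clearsign >/dev/null && echo OK'
}

# Constructed sample sshd_config fragment for the demonstration below.
SAMPLE_SSHD_CONFIG='# /etc/ssh/sshd_config (constructed sample)
Port 22
# Allow socket files to be unlinked by incoming connections (intended to
# facilitate use of GPG Agent)
StreamLocalBindUnlink yes
'

# Demonstration with placeholder paths (assumptions, not real values).
ssh_host_block remote-host /run/user/1000/gnupg/S.gpg-agent /Users/robm/.gnupg/S.gpg-agent.extra
if printf '%s' "$SAMPLE_SSHD_CONFIG" | sshd_allows_unlink; then
    echo "sample sshd_config: StreamLocalBindUnlink is enabled"
else
    echo "sample sshd_config: StreamLocalBindUnlink is NOT enabled"
fi
```

To check a live host, run ''ssh remote-host cat /etc/ssh/sshd_config | sshd_allows_unlink'' after sourcing the script; if it fails, the forwarded socket will not replace the systemd-created one and the remote gpg will keep talking to an empty local agent.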
====== Number Pad ======

I installed an application to make my iPhone act as a Number Pad: https:// |

Satisfies [[https:// |