
gpg-agent with OpenSSH on Windows


gpg-agent with OpenSSH on Windows

Gerhard Poul
Hi,

I've recently started using a Windows notebook at work and wanted to take this as an opportunity to use gpg-agent because I'm planning to use a YubiKey as well to sign future git commits.

After reading about Microsoft's OpenSSH Port beta [1] that works from PowerShell I decided to try using it instead of PuTTY, but the ssh-add was not able to connect to gpg-agent.

To figure out why I learned more than I wanted to know, but I guess that's how one usually gets involved in projects ;-)

I opened an issue [2] and it seems that ssh-add has been adapted to use named pipes on Windows, whereas that is not the mechanism that gpg-agent currently uses.

If my understanding of what I read over the last days is correct, then gpg-agent on Windows only works with enable-putty-support, but there is currently no client that works with enable-ssh-support and the enable-ssh-support does not currently use named pipes on Windows.

Now I'd like to confirm with you whether my understanding is correct and whether there are any current plans in regards to using named pipes on Windows. If the enable-ssh-support is currently not working on Windows with any client anyway, then that could be ported to use the same mechanism that [1] uses and no functionality would be harmed.

Is there currently any ongoing work in this direction? Has something like this already been discussed?

Regards,
Gerhard

_______________________________________________
Gnupg-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-devel

Re: gpg-agent with OpenSSH on Windows

Werner Koch
On Thu, 20 Apr 2017 09:15, [hidden email] said:

> I opened an issue [2] and it seems that ssh-add has been adapted to use
> named pipes on Windows, wheres that is not the mechanism that gpg-agent

Arghh.  Named Pipes under Windows are very hard to use as an emulation
for local sockets.  The problem is that there is no mechanism to make
sure that they work only on the local machine.  With the right
credentials you can use them remotely - which is a bad idea to implement
a local (ie. non-remote) IPC.

Frankly, OpenSSH should not use that and resort to our or the new Cygwin
way of emulating local sockets.

On Unix we use plain local sockets.  On Windows we listen on 127.0.0.1
for a TCP connection; the port and a cookie is given in a file created
by the server and thus the connection is secured using file permissions.
Cygwin does something very similar.

Putty (and GnuPG's pageant support) wraps the communication into
Windows messages.


Shalom-Salam,

   Werner


--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

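The loopback-plus-cookie scheme Werner describes, worked through as an added example (this is illustrative code written for this page, not GnuPG or libassuan source). The server binds 127.0.0.1 on an ephemeral port, writes the port and a random cookie into a file only the owner can read, and a client is admitted only if the first bytes it sends on the TCP connection equal that cookie. The file layout used here (ASCII port, newline, 16-byte nonce) and the file name are assumptions modelled on libassuan's Windows socket emulation; the demo runs server and two clients in one process so it can be executed anywhere.

```python
"""
Local-socket emulation over TCP on 127.0.0.1 with a cookie file, as used
by gpg-agent on Windows (added example, not GnuPG/libassuan code).

Assumptions (not from the original post):
  * cookie file layout: b"<port>\n" followed by a 16-byte random nonce
  * the file name "S.gpg-agent.ssh" is just a placeholder
"""
import hmac
import os
import secrets
import socket
import tempfile
import threading
from typing import Optional, Tuple

NONCE_LEN = 16  # assumed cookie length


def write_socket_file(path: str, port: int, nonce: bytes) -> None:
    """Create the rendezvous file with owner-only permissions.

    The permissions on this file are the access control: anyone who can
    read it can talk to the agent, anyone who cannot is locked out even
    though the TCP port itself is reachable by every local process.
    On POSIX the 0o600 mode enforces that; on Windows the file inherits
    the per-user ACL of the directory it is created in.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(f"{port}\n".encode("ascii") + nonce)


def read_socket_file(path: str) -> Tuple[int, bytes]:
    """Parse the rendezvous file back into (port, nonce), rejecting junk."""
    with open(path, "rb") as fh:
        data = fh.read()
    line, _, nonce = data.partition(b"\n")
    port = int(line.decode("ascii"))
    if not 0 < port < 65536 or len(nonce) != NONCE_LEN:
        raise ValueError("malformed socket file")
    return port, nonce


def serve_one(listener: socket.socket, expected_nonce: bytes) -> bool:
    """Accept one client; admit it only if its first NONCE_LEN bytes match."""
    conn, _ = listener.accept()
    with conn:
        presented = b""
        while len(presented) < NONCE_LEN:
            chunk = conn.recv(NONCE_LEN - len(presented))
            if not chunk:
                break
            presented += chunk
        # constant-time comparison so timing does not leak the cookie
        ok = hmac.compare_digest(presented, expected_nonce)
        conn.sendall(b"OK\n" if ok else b"ERR\n")
        return ok


def connect_with_cookie(path: str, nonce_override: Optional[bytes] = None) -> bytes:
    """Client side: read the file, connect to 127.0.0.1:port, present the cookie.

    nonce_override lets the demo simulate a client that knows the port but
    could not read the cookie file.
    """
    port, nonce = read_socket_file(path)
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(nonce if nonce_override is None else nonce_override)
        return s.recv(16)


def demo() -> dict:
    """Run the server and two clients in-process: one genuine, one forged."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
    listener.listen(2)
    port = listener.getsockname()[1]
    nonce = secrets.token_bytes(NONCE_LEN)
    results = []

    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "S.gpg-agent.ssh")  # placeholder name
        write_socket_file(path, port, nonce)
        parsed_port, _ = read_socket_file(path)
        t = threading.Thread(target=lambda: results.extend(
            [serve_one(listener, nonce), serve_one(listener, nonce)]))
        t.start()
        genuine = connect_with_cookie(path)
        forged = connect_with_cookie(path, nonce_override=b"\x00" * NONCE_LEN)
        t.join()
    listener.close()

    return {
        "server_port": port,
        "parsed_port": parsed_port,
        "genuine_accepted": results[0] and genuine == b"OK\n",
        "forged_rejected": (not results[1]) and forged == b"ERR\n",
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the demo is the one Werner makes: with a loopback port the question "who may talk to the agent" is answered by the operating system's file permissions on the cookie file, which is exactly the control that a bare named pipe does not give you by default.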
