[pass] use password in remote session

Grégoire Détrez gregoire at fripost.org
Thu Apr 7 20:49:26 CEST 2016


Hello,

It's not very well documented but there is a way to do exactly what you
want, provided that you are using a fairly recent version of ssh and gpg
(at least 2.1 IIRC).

First, you need to tell the gpg-agent to create a restricted socket, so
that, in case your remote host is compromised, the attacker will not be
able to do really bad stuff like exporting your private key.

In the file `.gnupg/gpg-agent.conf`, add the following line and then
restart gpg-agent:

  extra-socket ~/.gnupg/S.gpg-agent.restricted

Next, to forward the socket to the host the command is something like
this:

  ssh -R /home/user/.gnupg/S.gpg-agent:/home/localuser/.gnupg/S.gpg-agent.restricted remoteuser@myserver.example.com

I have it as an alias in my .ssh/config file so that I don't have to
remember all the options and their syntax:

  Host myserver-with-gpg
    HostName myserver.example.com
    User remoteuser
    RemoteForward /home/remoteuser/.gnupg/S.gpg-agent /home/localuser/.gnupg/S.gpg-agent.restricted
    ExitOnForwardFailure yes

Now I just have to do `ssh myserver-with-gpg` ;-)

Then you can use pass as normal and gpg on the remote machine will
communicate with your local gpg-agent through the magic of ssh.
This indeed requires pass and your password store to be available on the
remote machine.

Good luck!


/ǵ


On Wed, Apr 06, 2016 at 09:45:47AM +0200, Dominic Sonntag wrote:
> Hi,
> 
> when administering a remote server, I log in via SSH with key
> authentication. Is there a good way to use my local password store
> there, e.g. for getting a database password?
> 
> I could do (from my local machine):
> 
> ssh remoteserver mysql -u root -P$(pass remoteserver/mysql/root | head -n 1)
> 
> But is there a way to do something like this from the server's bash?
> e.g.:
> 
> local$ ssh remoteserver
> remoteserver$ mysql -u root -P$(pass remoteserver/mysql/root | head -n 1)
> 
> Maybe this could be done with something like SSH key forwarding? And
> probably the password-store needs to exist on the server, too.
> 
> Kind regards
> Dominic
> _______________________________________________
> Password-Store mailing list
> Password-Store at lists.zx2c4.com
> http://lists.zx2c4.com/mailman/listinfo/password-store
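Grégoire's setup above, turned into an added configuration check (not code from this thread, nor from pass or GnuPG): a POSIX shell script that verifies an ssh_config Host block forwards the restricted socket named by `extra-socket` in gpg-agent.conf, and not the full-access `S.gpg-agent` socket. The host name, user and paths are the ones from the mail; the function names and the sample file contents are my own.

```shell
#!/bin/sh
# Added example, not from the thread: verify that an ssh config Host block
# forwards the *restricted* gpg-agent socket declared by `extra-socket`
# in gpg-agent.conf, and not the full-access S.gpg-agent socket.
# File contents and paths below are constructed for illustration.

# expand_tilde PATH HOME: print PATH with a leading "~/" replaced by HOME
expand_tilde() {
  case "$1" in
    "~/"*) printf '%s\n' "$2/${1#"~/"}" ;;
    *)     printf '%s\n' "$1" ;;
  esac
}

# extra_socket_from_conf CONF_TEXT HOME: print the extra-socket path (expanded);
# fails when gpg-agent.conf declares no extra-socket at all
extra_socket_from_conf() {
  _sock=$(printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*extra-socket[[:space:]]\{1,\}//p' | head -n 1)
  [ -n "$_sock" ] || return 1
  expand_tilde "$_sock" "$2"
}

# forward_local_path CONFIG_TEXT HOST: print the local (second) path of the
# first RemoteForward inside "Host HOST" (ssh keywords are case-insensitive)
forward_local_path() {
  printf '%s\n' "$1" | awk -v host="$2" '
    tolower($1) == "host"                     { inblock = ($2 == host) }
    inblock && tolower($1) == "remoteforward" { print $3; exit }'
}

# check_forward CONFIG_TEXT HOST CONF_TEXT HOME: succeed only when the Host
# block forwards exactly the restricted socket; anything else (typically the
# unrestricted S.gpg-agent, which lets a compromised host export keys) fails
check_forward() {
  _want=$(extra_socket_from_conf "$3" "$4") || return 1
  _got=$(forward_local_path "$1" "$2")
  [ "$_got" = "$_want" ]
}
# constructed sample files: the setup from the mail, and a wrong variant
AGENT_CONF='extra-socket ~/.gnupg/S.gpg-agent.restricted'
GOOD_CONFIG='Host myserver-with-gpg
  HostName myserver.example.com
  User remoteuser
  RemoteForward /home/remoteuser/.gnupg/S.gpg-agent /home/localuser/.gnupg/S.gpg-agent.restricted
  ExitOnForwardFailure yes'
BAD_CONFIG='Host myserver-with-gpg
  RemoteForward /home/remoteuser/.gnupg/S.gpg-agent /home/localuser/.gnupg/S.gpg-agent'
```

If a stale `S.gpg-agent` file already exists on the remote side, sshd refuses to bind the forward (which `ExitOnForwardFailure yes` turns into a failed login) unless it is removed first or the remote sshd_config sets `StreamLocalBindUnlink yes`.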