[pass] use password in remote session
Grégoire Détrez
gregoire at fripost.org
Thu Apr 7 20:49:26 CEST 2016
Hello,
It's not very well documented but there is a way to do exactly what you
want providing that you are using a fairly recent version of ssh and gpg
(at least 2.1 IIRC).
First, you need to tell the gpg-agent to create a restricted socket, so
that, in case your remote host is compromised, the attacker will not be
able to do really bad stuff like exporting your private key.
In the file `.gnupg/gpg-agent.conf`, add the following line and then
restart gpg-agent:
extra-socket ~/.gnupg/S.gpg-agent.restricted
Next, to forward the socket to the host the command is something like
this:
ssh -R /home/user/.gnupg/S.gpg-agent:/home/localuser/.gnupg/S.gpg-agent.restricted remoteuser@myserver.example.com
I have it as an alias in my .ssh/config file so that I don't have to
remember all the options and their syntax:
Host myserver-with-gpg
    HostName myserver.example.com
    User remoteuser
    RemoteForward /home/remoteuser/.gnupg/S.gpg-agent /home/localuser/.gnupg/S.gpg-agent.restricted
    ExitOnForwardFailure yes
Now I just have to do `ssh myserver-with-gpg` ;-)
Then you can use pass as normal and gpg on the remote machine will
communicate with your local gpg-agent through the magic of ssh.
This indeed requires pass and your password store to be available on the
remote machine.
Good luck!
/ǵ
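An added example, not part of the original post: a small POSIX shell helper that refuses to build the forwarding stanza unless the local gpg-agent.conf really declares the restricted extra-socket, so that the full-access socket is never forwarded by mistake. The agent config is a constructed sample written to a temp file; the host, user and path values are the ones used in the reply above and are assumptions.

```shell
# Return 0 if the given gpg-agent.conf declares an extra-socket (restricted) line.
has_restricted_socket() {
    grep -Eq '^[[:space:]]*extra-socket[[:space:]]+' "$1"
}

# Print the path declared by extra-socket, with a leading ~ expanded to $HOME.
restricted_socket_path() {
    p=$(sed -n 's/^[[:space:]]*extra-socket[[:space:]]*//p' "$1" | head -n 1)
    case "$p" in
        "~/"*) p="$HOME${p#\~}" ;;
    esac
    printf '%s\n' "$p"
}

# Emit an ssh_config Host block that forwards ONLY the restricted socket.
# Args: alias hostname remoteuser remote_socket_path local_socket_path
gpg_forward_stanza() {
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$2"
    printf '    User %s\n' "$3"
    printf '    RemoteForward %s %s\n' "$4" "$5"
    printf '    ExitOnForwardFailure yes\n'
}

# Constructed sample gpg-agent.conf (assumption: mirrors the line from the reply).
SAMPLE_CONF=$(mktemp)
printf 'default-cache-ttl 600\nextra-socket ~/.gnupg/S.gpg-agent.restricted\n' > "$SAMPLE_CONF"

if has_restricted_socket "$SAMPLE_CONF"; then
    gpg_forward_stanza myserver-with-gpg myserver.example.com remoteuser \
        /home/remoteuser/.gnupg/S.gpg-agent "$(restricted_socket_path "$SAMPLE_CONF")"
else
    echo "refusing to forward: no extra-socket line in $SAMPLE_CONF" >&2
fi
```

The same check can be pointed at the real `~/.gnupg/gpg-agent.conf` before adding the stanza to `.ssh/config`.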
On Wed, Apr 06, 2016 at 09:45:47AM +0200, Dominic Sonntag wrote:
> Hi,
>
> when administrating a remote server, I login via SSH with key
> authentication. Is there a good way to use my local password store
> there, e.g. for getting a database password?
>
> I could do (from my local machine):
>
> ssh remoteserver mysql -u root -p$(pass remoteserver/mysql/root | head -n 1)
>
> But is there a way to do something like this from the server's bash?
> e.g.:
>
> local$ ssh remoteserver
> remoteserver$ mysql -u root -p$(pass remoteserver/mysql/root | head -n 1)
>
> Maybe this could be done with something like SSH key forwarding? And
> probably the password-store needs to exist on the server, too.
>
> Kind regards
> Dominic
> _______________________________________________
> Password-Store mailing list
> Password-Store at lists.zx2c4.com
> http://lists.zx2c4.com/mailman/listinfo/password-store