On Thu, 6 Nov 2014 14:25, [email protected] said: > How would this be implemented? I can think of two options: a TCP port, > forwarded by PuTTY, and an SSH subsystem.
OpenSSH has socket forwarding and that is what I was thinking about. Similar to a subsystem it uses a channel on the ssh connection for the transport. Assuming that OpenSSH is running on the server, what we need is a limited client side implementation of socket forwaring in Putty; Putty would then translate that to an Windows IPC mechnism (e.g. local TCP+nonce) and gpg-agent can immediatley use it. In fact I plan to add an option to gpg-agent to open a second listing socket which can be used for such forwarding. Connection via that socket would be restricted in that not all gpg-agent features are available (e.g. no passphrase cache). > A TCP port is accessible by anyone. Even when you restrict it to > localhost, this exposes it to any other user on a multi-user system. Only to those who have the permissions to switch the socket into promiscuous mode to run tcpdump. That is usually only root. Even on Windows other user can't tap an established TCP connection. To avoid that other users connect to a listening socket we use a nonce taken from a file - that file is protected by the usual file system permissions. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
