Hello,

It's not very well documented, but there is a way to do exactly what you want, providing that you are using a fairly recent version of ssh and gpg (at least 2.1 IIRC).

First, you need to tell the gpg-agent to create a restricted socket, so that, in case your remote host is compromised, the attacker will not be able to do really bad stuff like exporting your private key. In the file `.gnupg/gpg-agent.conf`, add the following line and then restart gpg-agent:

    extra-socket ~/.gnupg/S.gpg-agent.restricted

Next, to forward the socket to the host, the command is something like this:

    ssh -R /home/user/.gnupg/S.gpg-agent:/home/localuser/.gnupg/S.gpg-agent.restricted [email protected]

I have it as an alias in my .ssh/config file so that I don't have to remember all the options and their syntax:

    Host myserver-with-gpg
        HostName myserver.example.com
        User remoteuser
        RemoteForward /home/remoteuser/.gnupg/S.gpg-agent /home/localuser/.gnupg/S.gpg-agent.restricted
        ExitOnForwardFailure yes

Now I just have to do `ssh myserver-with-gpg` ;-)

Then you can use pass as normal and gpg on the remote machine will communicate with your local gpg-agent through the magic of ssh. This indeed requires pass and your password store to be available on the remote machine.

Good luck!

/ǵ

On Wed, Apr 06, 2016 at 09:45:47AM +0200, Dominic Sonntag wrote:
> Hi,
>
> when administrating a remote server, I log in via SSH with key
> authentication. Is there a good way to use my local password store
> there, e.g. for getting a database password?
>
> I could do (from my local machine):
>
> ssh remoteserver mysql -u root -p$(pass remoteserver/mysql/root | head -n 1)
>
> But is there a way to do something like this from the server's bash?
> e.g.:
>
> local$ ssh remoteserver
> remoteserver$ mysql -u root -p$(pass remoteserver/mysql/root | head -n 1)
>
> Maybe this could be done with something like SSH key forwarding? And
> probably the password-store needs to exist on the server, too.
>
> Kind regards
> Dominic
> _______________________________________________
> Password-Store mailing list
> [email protected]
> http://lists.zx2c4.com/mailman/listinfo/password-store
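An added example, not part of the original message: a small shell check that reads an ssh client config and flags any `RemoteForward` of the gpg-agent socket that exposes something other than the restricted socket, or that lacks `ExitOnForwardFailure yes`. The function names, the `risky-example` host block and the assumption that keywords and values are separated by whitespace are illustrative choices, not anything from the thread.

```shell
# Constructed sample config: the first block is the one from the message above,
# the second is a hypothetical mistake that exposes the full agent socket.
sample_config() {
cat <<'EOF'
Host myserver-with-gpg
    HostName myserver.example.com
    User remoteuser
    RemoteForward /home/remoteuser/.gnupg/S.gpg-agent /home/localuser/.gnupg/S.gpg-agent.restricted
    ExitOnForwardFailure yes

Host risky-example
    HostName risky.example.com
    RemoteForward /home/remoteuser/.gnupg/S.gpg-agent /home/localuser/.gnupg/S.gpg-agent
EOF
}

# check_gpg_forward [RESTRICTED_NAME] < ssh_config
# RESTRICTED_NAME is the file name given to extra-socket in gpg-agent.conf
# (defaults to the name used in the message above).
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
check_gpg_forward() {
    findings=$(awk -v ok="${1:-S.gpg-agent.restricted}" '
        function close_host() {
            # A failed forward should abort the login, not be silently skipped.
            if (host != "" && fwd && !eoff)
                print host ": ExitOnForwardFailure yes is not set"
        }
        { key = tolower($1) }
        key == "host" { close_host(); host = $2; fwd = 0; eoff = 0; next }
        key == "exitonforwardfailure" { eoff = (tolower($2) == "yes"); next }
        key == "remoteforward" && $2 ~ /\/S\.gpg-agent$/ {
            fwd = 1
            # $3 is the local socket the remote host gets to talk to.
            n = split($3, parts, "/")
            if (parts[n] != ok)
                print host ": forwards unrestricted local socket " $3
        }
        END { close_host() }
    ')
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Run the check over the constructed sample when executed directly.
sample_config | check_gpg_forward || true
```

To audit a real client config, feed it on standard input: `check_gpg_forward < ~/.ssh/config`.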
