GPG Agent SSH Forward Pinentry


I have GPG agent forwarding via SSH RemoteForward working up to a point.

I can list my private and public keys on the remote host.

If I try to decrypt a file remotely, the PIN is prompted for but the text is stepped, garbled and the passphrase prompt echoes the passphrase (at least several random chars).

I can skip the forwarding and SSH to said remote host and start an agent, use the local keyring and PIN entry works fine. Similarly, I can SSH from the remote host (VM) back into MacOS and the same local keyring PIN entry works.

It’s ONLY the forwarding that breaks PIN entry. I have exported "$GPG_TTY" and run "gpg-connect-agent UPDATESTARTUPTTY /bye" before SSH so the prompt goes to the correct tty. That part does work, as I’ve experimented with and without said vars.

Any help is greatly appreciated as I’m out of ideas. Aah, after writing I found the below, exact same problem!

https://unix.stackexchange.com/questions/325021/intermingled-input-when-using-local-gpg-agent-from-remote-site

  • MacOS Catalina to CentOS 8.2.2004
  • GPG 2.2.9 on CentOS8
  • GPG 2.2.21 on MacOS installed via homebrew
  • Pinentry 1.1.0 on MacOS and CentOS8
    102-182-155-35 :: ~ % cat .ssh/config
    Match host * exec "gpg-connect-agent UPDATESTARTUPTTY /bye"
    Host centos8.ephemeric.local centos8
      Hostname 192.168.99.57
      ForwardAgent yes
      StreamLocalBindUnlink yes
      RemoteForward /run/user/1000/gnupg/S.gpg-agent /Users/robert/.gnupg/S.gpg-agent.extra

    102-182-155-35 :: ~ % cat .gnupg/gpg-agent.conf
    pinentry-program /usr/local/bin/pinentry-tty
    pinentry-timeout 10
    debug-level guru
    allow-preset-passphrase
    default-cache-ttl 43200
    default-cache-ttl-ssh 43200
    max-cache-ttl 43200
    max-cache-ttl-ssh 43200

    centos8 :: ~ % gpg -d tmp/slobwashere.gpg
    Note: Request from a remote site.
    Please enter the passphrase to unlock the OpenPGP secret key:
    "Robert Gabriel (Slob) <ephemeric@icloud.com>"
    4096-bit RSA key, ID DC141A1E1314AB17,
    created 2018-07-23 (main key ID 458EF10593DA8C1D).
    Passphrase:
    gpg: encrypted with 4096-bit RSA key, ID DC141A1E1314AB17, created 2018-07-23
          "Robert Gabriel (Slob) <ephemeric@icloud.com>"
    gpg: public key decryption failed: Timeout
    gpg: decryption failed: No secret key
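As an added example (not part of the original post), a small POSIX shell check for the RemoteForward setup shown above: it confirms that the local side of the forward is the restricted S.gpg-agent.extra socket rather than the full agent socket, and that StreamLocalBindUnlink is set so a stale remote socket file does not break the forward. The sample ssh_config text embedded below is constructed from the paths in the post.

```shell
#!/bin/sh
# check_gpg_forward CONFIG_TEXT
# Scans ssh_config text for RemoteForward lines that export a gpg-agent socket.
# Prints OK/WARN per finding; returns 0 only if every forward uses the
# restricted "extra" socket and StreamLocalBindUnlink yes is present.
check_gpg_forward() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0; unlink = 0; n = 0 }
        tolower($1) == "streamlocalbindunlink" && tolower($2) == "yes" { unlink = 1 }
        tolower($1) == "remoteforward" && $2 ~ /gnupg/ {
            n++
            # $2 = socket path bound on the remote host, $3 = local socket exported
            if ($3 ~ /S\.gpg-agent\.extra$/)
                print "OK   " $2 " <- " $3 " (restricted extra socket)"
            else {
                # S.gpg-agent (or the ssh socket) gives the remote host the
                # full agent command set, not the restricted one.
                print "WARN " $2 " <- " $3 " (unrestricted agent socket exported)"
                bad = 1
            }
        }
        END {
            if (n == 0)   { print "WARN no gpg-agent RemoteForward found"; bad = 1 }
            if (!unlink)  { print "WARN StreamLocalBindUnlink yes is missing"; bad = 1 }
            exit bad
        }'
}

# Constructed sample, mirroring the config quoted in the post.
SAMPLE_CONFIG='Host centos8.ephemeric.local centos8
  Hostname 192.168.99.57
  ForwardAgent yes
  StreamLocalBindUnlink yes
  RemoteForward /run/user/1000/gnupg/S.gpg-agent /Users/robert/.gnupg/S.gpg-agent.extra'

check_gpg_forward "$SAMPLE_CONFIG"
```

The remote path must be the agent-socket directory of the remote user's gpg (compare with `gpgconf --list-dirs agent-socket` there), and no remote gpg-agent should be running, or it will own that socket instead of sshd.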