From 7eed0ccef8a817a013e7397574df198f5890c811 Mon Sep 17 00:00:00 2001 From: Wheest Date: Mon, 7 Jan 2019 21:38:46 +0000 Subject: [PATCH 1/4] Improvements to Agent Forwarding section, following feedback in: https://github.com/drduh/YubiKey-Guide/issues/85 --- README.md | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index f558413..7f7a4c2 100644 --- a/README.md +++ b/README.md 
@@ -1467,19 +1467,35 @@ StreamLocalBindUnlink yes # Remote Machines (agent forwarding) -If you want to use your YubiKey to sign a git commit on a remote machine, or ssh through another layer, then this is possible using "Agent Forwarding". Assuming that you have your YubiKey setup on your host machine. +If you want to use your YubiKey to sign a git commit on a remote machine, or ssh through another layer, then this is possible using "Agent Forwarding". To do this, you need to already have shell access to your remote machime, and your YubiKey setup on your host machine. -To enable agent forwarding, ssh using the `-A` flag: +- First, on your host machine run: ``` -$ ssh -A user@remote +$ gpgconf --list-dirs agent-extra-socket ``` -Or add the following to your ssh config file: +This should return a path to your agent-extra-socket, which should look similar to `/run/user/1000/gnupg/S.gpg-agent.extra`. + +- Next, find the agent socket on your **remote** machine: + +``` +$ gpgconf --list-dirs agent-socket +``` + +This should return a path such as `/run/user/1000/gnupg/S.gpg-agent`. + +- On your remote machine, edit the file `/etc/ssh/sshd_config`, so that option `StreamLocalBindUnlink` is set to `StreamLocalBindUnlink yes yes` + +- Agent forwarding should now be possible. + +- To enable agent forwarding, add the following to your ssh config file (your agent sockets may be different): ``` Host remote ForwardAgent yes + RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra + # RemoteForward [remote socket] [local socket] ``` You should then be able to use your YubiKey as if it were connected to the remote machine. 
@@ -1538,4 +1554,4 @@ You should then be able to use your YubiKey as if it were connected to the remot * https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/ * https://www.hanselman.com/blog/HowToSetupSignedGitCommitsWithAYubiKeyNEOAndGPGAndKeybaseOnWindows.aspx * https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/ - +* https://mlohr.com/gpg-agent-forwarding/ From b44f6131efe1cac4882197d9a42ee1726c77bf00 Mon Sep 17 00:00:00 2001 From: Wheest Date: Mon, 7 Jan 2019 21:58:14 +0000 Subject: [PATCH 2/4] Further amendments to Agent Forwarding --- README.md | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 7f7a4c2..bfd0ed5 100644 --- a/README.md +++ b/README.md @@ -1485,11 +1485,17 @@ $ gpgconf --list-dirs agent-socket This should return a path such as `/run/user/1000/gnupg/S.gpg-agent`. -- On your remote machine, edit the file `/etc/ssh/sshd_config`, so that option `StreamLocalBindUnlink` is set to `StreamLocalBindUnlink yes yes` +- On your remote machine, edit the file `/etc/ssh/sshd_config`, so that option `StreamLocalBindUnlink` is set to `StreamLocalBindUnlink yes` -- Agent forwarding should now be possible. +- _(optional)_If you do not have root access to the remote machine to edit `/etc/ssh/sshd_config`, you will need to remove the socket on the remote machine before forwarding works. For example, `rm /run/user/1000/gnupg/S.gpg-agent`. Further information can be found on the [AgentForwarding GNUPG wiki page](https://wiki.gnupg.org/AgentForwarding). -- To enable agent forwarding, add the following to your ssh config file (your agent sockets may be different): +- On your local machine, you need to copy your public keyring to your remote machine + +``` +$ scp .gnupg/pubring.kbx remote:~/.gnupg/ +``` + +- Finally, to enable agent forwarding for a given machine, add the following to your ssh config file (your agent sockets may be different): ``` Host remote 
@@ -1500,6 +1506,16 @@ Host remote You should then be able to use your YubiKey as if it were connected to the remote machine. +If you're still having problems, it may be necessary to edit your `gpg-agent.conf` file on both your remote and local machines to add the following information. + +``` +enable-ssh-support +pinentry-program /usr/bin/pinentry-curses +default-cache-ttl 60 +max-cache-ttl 120 +extra-socket /run/user/1000/gnupg/S.gpg-agent.extra +``` + # Troubleshooting - If you don't understand some option - read `man gpg`. From c28b33372c03f42f618aaef08298ae6720308de5 Mon Sep 17 00:00:00 2001 From: Wheest Date: Mon, 7 Jan 2019 22:00:27 +0000 Subject: [PATCH 3/4] Moved Agent Forwarding section to before the WSL one --- README.md | 101 +++++++++++++++++++++++++++--------------------------- 1 file changed, 51 insertions(+), 50 deletions(-) diff --git a/README.md b/README.md index bfd0ed5..a3b9a75 100644 --- a/README.md +++ b/README.md 
@@ -1356,6 +1356,57 @@ $ ssh-add -E md5 -l When using the key `pinentry` will be invoked to request the key's passphrase. The passphrase will be cached for up to 10 minutes idle time between uses, to a maximum of 2 hours. +## Remote Machines (agent forwarding) + +If you want to use your YubiKey to sign a git commit on a remote machine, or ssh through another layer, then this is possible using "Agent Forwarding". To do this, you need to already have shell access to your remote machime, and your YubiKey setup on your host machine. + +- First, on your host machine run: + +``` +$ gpgconf --list-dirs agent-extra-socket +``` + +This should return a path to your agent-extra-socket, which should look similar to `/run/user/1000/gnupg/S.gpg-agent.extra`. + +- Next, find the agent socket on your **remote** machine: + +``` +$ gpgconf --list-dirs agent-socket +``` + +This should return a path such as `/run/user/1000/gnupg/S.gpg-agent`. + +- On your remote machine, edit the file `/etc/ssh/sshd_config`, so that option `StreamLocalBindUnlink` is set to `StreamLocalBindUnlink yes` + +- _(optional)_If you do not have root access to the remote machine to edit `/etc/ssh/sshd_config`, you will need to remove the socket on the remote machine before forwarding works. For example, `rm /run/user/1000/gnupg/S.gpg-agent`. Further information can be found on the [AgentForwarding GNUPG wiki page](https://wiki.gnupg.org/AgentForwarding). + +- On your local machine, you need to copy your public keyring to your remote machine + +``` +$ scp .gnupg/pubring.kbx remote:~/.gnupg/ +``` + +- Finally, to enable agent forwarding for a given machine, add the following to your ssh config file (your agent sockets may be different): + +``` +Host remote + ForwardAgent yes + RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra + # RemoteForward [remote socket] [local socket] +``` + +You should then be able to use your YubiKey as if it were connected to the remote machine. 
+ +If you're still having problems, it may be necessary to edit your `gpg-agent.conf` file on both your remote and local machines to add the following information. + +``` +enable-ssh-support +pinentry-program /usr/bin/pinentry-curses +default-cache-ttl 60 +max-cache-ttl 120 +extra-socket /run/user/1000/gnupg/S.gpg-agent.extra +``` + ## GitHub You can use YubiKey to sign GitHub commits and tags. It can also be used for GitHub SSH authentication, allowing you to push, pull, and commit without a password. 
@@ -1465,56 +1516,6 @@ StreamLocalBindUnlink yes **Note** Agent forwarding may be chained through multiple hosts - just follow the same [protocol](#remote-host-configuration) to configure each host. -# Remote Machines (agent forwarding) - -If you want to use your YubiKey to sign a git commit on a remote machine, or ssh through another layer, then this is possible using "Agent Forwarding". To do this, you need to already have shell access to your remote machime, and your YubiKey setup on your host machine. - -- First, on your host machine run: - -``` -$ gpgconf --list-dirs agent-extra-socket -``` - -This should return a path to your agent-extra-socket, which should look similar to `/run/user/1000/gnupg/S.gpg-agent.extra`. - -- Next, find the agent socket on your **remote** machine: - -``` -$ gpgconf --list-dirs agent-socket -``` - -This should return a path such as `/run/user/1000/gnupg/S.gpg-agent`. - -- On your remote machine, edit the file `/etc/ssh/sshd_config`, so that option `StreamLocalBindUnlink` is set to `StreamLocalBindUnlink yes` - -- _(optional)_If you do not have root access to the remote machine to edit `/etc/ssh/sshd_config`, you will need to remove the socket on the remote machine before forwarding works. For example, `rm /run/user/1000/gnupg/S.gpg-agent`. Further information can be found on the [AgentForwarding GNUPG wiki page](https://wiki.gnupg.org/AgentForwarding). - -- On your local machine, you need to copy your public keyring to your remote machine - -``` -$ scp .gnupg/pubring.kbx remote:~/.gnupg/ -``` - -- Finally, to enable agent forwarding for a given machine, add the following to your ssh config file (your agent sockets may be different): - -``` -Host remote - ForwardAgent yes - RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra - # RemoteForward [remote socket] [local socket] -``` - -You should then be able to use your YubiKey as if it were connected to the remote machine. 
- -If you're still having problems, it may be necessary to edit your `gpg-agent.conf` file on both your remote and local machines to add the following information. - -``` -enable-ssh-support -pinentry-program /usr/bin/pinentry-curses -default-cache-ttl 60 -max-cache-ttl 120 -extra-socket /run/user/1000/gnupg/S.gpg-agent.extra -``` # Troubleshooting From ee71716ed7bc40ee32e77192bad6ec7e21a62777 Mon Sep 17 00:00:00 2001 From: wheest Date: Sat, 12 Jan 2019 17:05:21 +0000 Subject: [PATCH 4/4] Added pull request suggestions --- README.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index a3b9a75..82ad7e9 100644 --- a/README.md +++ b/README.md @@ -1358,15 +1358,17 @@ When using the key `pinentry` will be invoked to request the key's passphrase. T ## Remote Machines (agent forwarding) -If you want to use your YubiKey to sign a git commit on a remote machine, or ssh through another layer, then this is possible using "Agent Forwarding". To do this, you need to already have shell access to your remote machime, and your YubiKey setup on your host machine. +If you want to use your YubiKey to sign a git commit on a remote machine, or ssh through another layer, then this is possible using "Agent Forwarding". This section should help you setup GPG and SSH agent forwarding. -- First, on your host machine run: +To do this, you need to already have shell access to your remote machime, and your YubiKey setup on your host machine. + +- First, on your local host machine run: ``` $ gpgconf --list-dirs agent-extra-socket ``` -This should return a path to your agent-extra-socket, which should look similar to `/run/user/1000/gnupg/S.gpg-agent.extra`. +This should return a path to your agent-extra-socket, which should look similar to `/run/user/1000/gnupg/S.gpg-agent.extra`, though on older linux distros (and macs), it may be `/home//.gnupg/S/gpg-agent.extra`. - Next, find the agent socket on your **remote** machine: 
@@ -1380,16 +1382,18 @@ This should return a path such as `/run/user/1000/gnupg/S.gpg-agent`. - _(optional)_If you do not have root access to the remote machine to edit `/etc/ssh/sshd_config`, you will need to remove the socket on the remote machine before forwarding works. For example, `rm /run/user/1000/gnupg/S.gpg-agent`. Further information can be found on the [AgentForwarding GNUPG wiki page](https://wiki.gnupg.org/AgentForwarding). -- On your local machine, you need to copy your public keyring to your remote machine + +- Now you need to import your public keys to the remote machine. This can be done by fetching from a keyserver. Here we show how to copy your public keyring. On your local machine, you need to copy your public keyring to your remote machine ``` $ scp .gnupg/pubring.kbx remote:~/.gnupg/ ``` -- Finally, to enable agent forwarding for a given machine, add the following to your ssh config file (your agent sockets may be different): +- Finally, to enable agent forwarding for a given machine, add the following to your local machine's ssh config file `~/.ssh/config` (your agent sockets may be different): ``` -Host remote +Host + Hostname your-domain ForwardAgent yes RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra # RemoteForward [remote socket] [local socket] @@ -1402,8 +1406,6 @@ If you're still having problems, it may be necessary to edit your `gpg-agent.con ``` enable-ssh-support pinentry-program /usr/bin/pinentry-curses -default-cache-ttl 60 -max-cache-ttl 120 extra-socket /run/user/1000/gnupg/S.gpg-agent.extra ```
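Review bot: In patch 1's first hunk (`@@ -1467,19 +1467,35 @@`), the sshd_config instruction reads `StreamLocalBindUnlink yes yes`; the option takes one argument and the line should be `StreamLocalBindUnlink yes` (patch 2 corrects it, but squashing the fix into this commit would avoid a broken intermediate state). Same hunk: "remote machime" should be "remote machine", and the `ssh -A` instruction is dropped without explanation; since `ForwardAgent yes` only forwards the SSH agent and the GPG agent is carried by the `RemoteForward` line, a sentence making that distinction would help readers who expect `-A` alone to be enough. Next to the `RemoteForward` line it is also worth stating that, for as long as the session is open, signing and decryption with the YubiKey are reachable from the remote host through the forwarded socket, which is why the restricted `S.gpg-agent.extra` socket is the one forwarded and not `S.gpg-agent`.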
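Review bot: In patch 2's first hunk (`@@ -1485,11 +1485,17 @@`), the bullet marked `_(optional)_` is not optional: it says "you will need to remove the socket", so it is the required fallback when you cannot edit `/etc/ssh/sshd_config`, and the label should say that (e.g. "if you lack root on the remote"); a space is also missing after the closing `_`. The command `scp .gnupg/pubring.kbx remote:~/.gnupg/` uses a path relative to the current directory and should be `~/.gnupg/pubring.kbx`; it also overwrites the remote keyring wholesale, so where the remote already has keys, exporting the public key with `gpg --export` and importing it on the remote with `gpg --import` is the safer instruction (patch 4 mentions fetching from a keyserver but keeps the overwrite).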
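Review bot: In patch 2's second hunk (`@@ -1500,6 +1506,16 @@`), `default-cache-ttl 60` and `max-cache-ttl 120` are unrelated to forwarding and contradict the sentence just above the moved section (visible as context in patch 3's first hunk) that the passphrase is cached for up to 10 minutes idle and 2 hours maximum; patch 4 removes them, so the removal belongs in this commit. The remaining lines are host-specific: `extra-socket /run/user/1000/gnupg/S.gpg-agent.extra` hardcodes uid 1000 even though the section already tells the reader to discover the path with `gpgconf --list-dirs agent-extra-socket`, and `pinentry-program /usr/bin/pinentry-curses` assumes that binary location; say that both are examples to adapt. "On both your remote and local machines" is also imprecise, since `extra-socket` only affects the agent that creates the socket, i.e. the local machine.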
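Review bot: Patch 3 (`@@ -1356,6 +1356,57 @@` and `@@ -1465,56 +1516,6 @@`) is a pure move, so the known typos travel with it ("machime", `_(optional)_If`) and could have been fixed in the same commit; the one content change, the heading level going from `#` to `##`, is not mentioned in the commit message. More importantly, the context around the removed block (`StreamLocalBindUnlink yes` and "**Note** Agent forwarding may be chained through multiple hosts - just follow the same [protocol](#remote-host-configuration)") shows the README already has a remote-host-configuration section covering the same sshd setting; the new section should link to it or the two should be merged, so readers are not given two partially overlapping procedures.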
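Review bot: In patch 4's first hunk (`@@ -1358,15 +1358,17 @@`), the alternative socket path `/home//.gnupg/S/gpg-agent.extra` looks damaged: the double slash suggests a username placeholder was lost, and GnuPG names the socket `S.gpg-agent.extra`, not `S/gpg-agent.extra`, so the line should read `/home/<username>/.gnupg/S.gpg-agent.extra` with an explicit placeholder. Same hunk: "linux distros (and macs)" should be "Linux distributions (and macOS)", and "machime" is still "machine".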
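Review bot: In patch 4's second hunk (`@@ -1380,16 +1382,18 @@`), the `Host` line in the ssh config block has no pattern; a `Host` keyword without an argument matches nothing, so the `ForwardAgent` and `RemoteForward` lines under it are never applied. The intent is clearly an alias for the remote, so it should be `Host remote` as in the previous version (or a visible placeholder), with `Hostname your-domain` beneath it. The keyring bullet now says the same thing twice ("Here we show how to copy your public keyring. On your local machine, you need to copy your public keyring to your remote machine"); one sentence is enough, and the extra blank line added above the bullet splits the list. The `_(optional)_If` spacing problem from patch 2 is still present in this hunk's context.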