GPG agent forwarding is different from ssh-agent forwarding in SSH: it has broader uses and is not limited to ssh.
To use a YubiKey to sign a git commit, sign email or decrypt files on a remote host, configure and use GPG Agent Forwarding. To ssh through another network, especially to push to or pull from GitHub using ssh, see Remote Machines (SSH Agent forwarding) for more info.
To do this, you need access to the remote machine and the YubiKey has to be set up on the host machine.
After gpg-agent forwarding, it is nearly the same as if YubiKey was inserted in the remote. Hence configurations except `gpg-agent.conf` for the remote can be the same as those for the local.
`gpg-agent.conf` on the remote has no effect, so `$GPG_TTY` has no effect on the remote either. The mechanism is that after forwarding, the remote `gpg` communicates directly with `S.gpg-agent` without starting `gpg-agent` on the remote.
On the remote machine, edit `/etc/ssh/sshd_config` to set
Optional: If you do not have root access to the remote machine to edit `/etc/ssh/sshd_config`, you will need to remove the socket (its path is printed by `gpgconf --list-dir agent-socket`) on the remote machine before forwarding works. For example, `rm /run/user/1000/gnupg/S.gpg-agent`. Further information can be found on the AgentForwarding page of the GnuPG wiki.
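The no-root workaround above, written as a helper run from the local machine; this is an added example, not code from the guide. The function names, the host argument and the choice of the local `agent-extra-socket` as the forwarding source are assumptions.

```shell
#!/bin/sh
# Added example, not from the guide. Assumptions: the function names, the host
# argument, and forwarding the local agent-extra-socket to the remote.

# Accept only an absolute path ending in /S.gpg-agent made of plain path
# characters, because the value comes from the remote and is placed inside a
# command string that the remote shell will parse.
is_safe_socket_path() {
    case "$1" in
        *[!A-Za-z0-9/._-]*) return 1 ;;
        /*/S.gpg-agent) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the command to run on the remote: delete the path only if it is a
# socket, and succeed without doing anything if it is absent.
remote_cleanup_cmd() {
    is_safe_socket_path "$1" || return 1
    printf "[ ! -S '%s' ] || rm -- '%s'\n" "$1" "$1"
}

# Resolve both socket paths, clear the leftover remote socket, then open the
# session with the remote socket forwarded to the local agent.
forward_gpg_agent() {
    host=$1
    local_sock=$(gpgconf --list-dir agent-extra-socket) || return 1
    remote_sock=$(ssh "$host" gpgconf --list-dir agent-socket) || return 1
    cleanup=$(remote_cleanup_cmd "$remote_sock") || {
        echo "unexpected remote socket path: $remote_sock" >&2
        return 1
    }
    ssh "$host" "$cleanup" || return 1
    ssh -R "$remote_sock:$local_sock" "$host"
}

# Usage: forward_gpg_agent remote.example
```

The path check matters because the remote's answer is interpolated into a second command; anything other than a plain socket path is refused before it reaches `ssh`.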
- Steps for older distributions
- Chained GPG Agent Forwarding