ssh: using gpg-agent as ssh-agent

[reinerh]

I'm using gpg-agent as ssh-agent, which has unix sockets in ~/.gnupg/ to talk to it.
With the current default profiles I'm not able to firejail ssh and use the gpg-agent, as ~/.gnupg is blacklisted (via disable-common.inc).
It works if I noblacklist ${HOME}/.gnupg in for example allow-ssh.inc.

I'm wondering if this should be added to our ssh profile (or include) or if it's too much an edge case?

[glitsj16]

Do you need access to everything in ${HOME}/.gnupg for this use case? Or just to those unix sockets? I see we already have whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh in ssh.profile, so there already is some connection between the two. If we add a comment to allow-ssh.inc informing users it can be hardened by blacklisting ${HOME}/.gnupg if they see no need for it I would be ok with it. Difficult one to judge really, before you mentioned it I wasn't aware of the possibility :-)

[reinerh]

I think only access to the (one?) unix socket is required.
But I guess it's too much of a niche use-case to allow access to ~/.gnupg.