path: root/README.md
author: drduh <github@duh.to> 2019-09-18 18:37:48 +0000
committer: GitHub <noreply@github.com> 2019-09-18 18:37:48 +0000
commit: 541f8717e65a4b00d77ec8bd27001aee2a564f40
tree: 6ef7a71b34811ba92f93294e25300e74e26f5f0f /README.md
parent: Merge pull request #128 from vorburger/patch-4
parent: put additional information into single line
download: YubiKey-Guide-541f8717e65a4b00d77ec8bd27001aee2a564f40.tar.gz
Merge pull request #126 from vorburger/patch-2
clarify that SSH_AUTH_SOCK should only be set locally, not on the remote server
Diffstat (limited to 'README.md')
-rw-r--r--  README.md  7
1 files changed, 5 insertions, 2 deletions
diff --git a/README.md b/README.md
index 647993d..c6e64bd 100644
--- a/README.md
+++ b/README.md
@@ -1592,7 +1592,7 @@ export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
gpg-connect-agent updatestartuptty /bye > /dev/null
```
-On some systems, you may need to use the following instead:
+On modern systems, you can use the following instead, as `gpgconf --list-dirs agent-ssh-socket` will automatically set `SSH_AUTH_SOCK` to the correct value; and is therefore typically better than hard-coding to `run/user/$UID/gnupg/S.gpg-agent.ssh`, if available:
```console
export GPG_TTY="$(tty)"
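Review bot: the replacement sentence at line 1595 says `gpgconf --list-dirs agent-ssh-socket` "will automatically set `SSH_AUTH_SOCK`", but that command only prints the socket path; what sets the variable is the `export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)` line that follows in the snippet. The hard-coded path is also quoted without its leading slash (`run/user/$UID/gnupg/S.gpg-agent.ssh`) while the context line above uses `/run/user/$UID/gnupg/S.gpg-agent.ssh`. Suggested wording: "On modern systems you can use the following instead: `gpgconf --list-dirs agent-ssh-socket` prints the agent's SSH socket path, so this is preferable to hard-coding `/run/user/$UID/gnupg/S.gpg-agent.ssh`, which differs between systems." The trailing "; and is therefore ... if available" and the stray semicolon can then be dropped.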
@@ -1600,6 +1600,9 @@ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
```
+Note that `SSH_AUTH_SOCK` normally only needs to be set on the *local* laptop (workstation), where the YubiKey is plugged in. On the *remote* server that we SSH into, `ssh` will automatically set `SSH_AUTH_SOCK` to something like `/tmp/ssh-mXzCzYT2Np/agent.7541` when we connect. We therefore do **NOT** manually set `SSH_AUTH_SOCK` on the server. (Doing so would break [SSH Agent Forwarding](#remote-machines-agent-forwarding).)
+
+
## Copy public key
**Note** It is *not* necessary to import the corresponding GPG public key in order to use SSH.
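Review bot: the new note claims `ssh` "will automatically set `SSH_AUTH_SOCK`" on the remote server "when we connect", but the `/tmp/ssh-XXXX/agent.PID` socket and the variable are only created by sshd when agent forwarding is enabled for that session (`ssh -A` or `ForwardAgent yes` on the client, `AllowAgentForwarding` on the server); otherwise the variable is simply unset on the server. Please say so, since the sentence reads as if the variable is always present. The conclusion ("do NOT manually set `SSH_AUTH_SOCK` on the server") is right for the forwarded case, because a gpg-agent socket exported from the server's shell rc would shadow the forwarded one; that reasoning is worth one clause in the text. Minor: the hunk adds two blank lines before `## Copy public key` where one is the usual spacing before a heading, and the anchor `#remote-machines-agent-forwarding` should be confirmed against the rendered heading id.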
@@ -1853,7 +1856,7 @@ RemoteForward <remote ssh socket path> /tmp/S.weasel-pageant
#### Remote host configuration
-Add the following to the shell rc file:
+You may have to add the following to the shell rc file: _(On Linux, this is only required on the laptop/workstation where the YubiKey is plugged in, and **NOT** on the remote host server that you connect to; in fact at least on some Linux distributions, changing SSH_AUTH_SOCK on the server breaks agent forwarding.)_
```
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
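Review bot: the added parenthetical contradicts the section it is placed in. The heading is "Remote host configuration" and the context line two lines up is `RemoteForward <remote ssh socket path> /tmp/S.weasel-pageant`, i.e. the local agent socket is forwarded onto the gpg-agent SSH socket path of the remote host, so `export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)` on that remote host is exactly what makes the forwarded socket usable there. Stating that it is "NOT" needed on the remote host and that setting it "breaks agent forwarding" describes the plain `ssh -A` case handled in the earlier hunk, not this `RemoteForward` setup. Suggest either dropping the parenthetical here or restricting it to the distinction: "With `RemoteForward` as above, the remote host needs `SSH_AUTH_SOCK` pointed at its gpg-agent socket; on a host reached with plain `ssh -A`, leave `SSH_AUTH_SOCK` alone so the forwarded `/tmp/ssh-*/agent.*` socket is used." Also, "You may have to add" is vaguer than the original "Add"; if the step is conditional, state the condition.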