[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: gpg-agent?



also sprach Joey Hess <joeyh@debian.org> [2002.11.28.0441 +0100]:
> By this I assume you mean it does something like store the passphrase in
> non-swappable memory and then when requested use some form of IPC to
> feed it into a /usr/bin/gpg process. I assume it hardcodes the path,
> which would prevent you (or someone who has access to your account) from
> creating a ~/bin/gpg that asks it for the passphrase and dumps it to
> stdout.

I don't know the details.

> That would still let root replace /usr/bin/gpg with such a program
> though.

root could replace ssh-add with a trojan to get your SSH passphrase.
if you don't trust root, don't use the system.

> So something like this is of some value, but only manages to narrow
> the window that lets someone who has temporary access to, say,
> a laptop with an agent running and a passphrase entered, to such
> a laptop on which you have used sudo in the last 15 minutes. Correct
> me if I'm wrong.

You are right. The same applies to everything else though.

> q-agent is a PITA to get working with stuff like mutt though, so I do
> look forward to using gpg-agent. I just think I'd guard my laptop with
> my mail signing key on it about the same no matter which agent I had
> running.

Right.

-- 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
NOTE: The public PGP keyservers are broken!
Get my key here: http://people.debian.org/~madduck/gpg/330c4a75.asc

Attachment: pgp1Q3czi3m0o.pgp
Description: PGP signature


Reply to: