| 1 |
On Tuesday 21 November 2006 18:41, Jorge Almeida wrote: |
| 2 |
> On Tue, 21 Nov 2006, Boyd Stephen Smith Jr. wrote: |
| 3 |
> >> OK, that's what I thought. But a troian running with the normal user |
| 4 |
> >> permissions could get the keys by reading the temporary directory (not |
| 5 |
> >> by connecting to the socket). Is this right? |
| 6 |
> > |
| 7 |
> > No. There's no files in the temporary directory besides the socket. |
| 8 |
> > |
| 9 |
> >> Or are the keys protected |
| 10 |
> >> in some other way? |
| 11 |
> > |
| 12 |
> > They are only stored in locked memory; they are never on disk |
| 13 |
> > unencrypted. Anyone that can read locked memory can access them, but this |
| 14 |
> > is very few users/processes on Linux -- and besides those same users will |
| 15 |
> > be able to read the key as you authenticate even if you don't use |
| 16 |
> > ssh-agent, as long as they time things right. |
| 17 |
> |
| 18 |
> OK, this sounds better! I posted to the gnupg-users, asking a similar |
| 19 |
> question about gpg-agent. I guess gpg-agent works the same way. |
| 20 |
|
| 21 |
Please post back your findings! |
| 22 |
|
| 23 |
What happens to the /tmp/ directory & socket file after the user logs out? |
| 24 |
Does it get deleted by the ssh-agent shutdown script? |
| 25 |
|
| 26 |
I am asking this because I seem to continuously accumulate a load of gpg-agent |
| 27 |
directories and socket files into my /tmp. Unless of course gpg-agent works |
| 28 |
on a different principle all together. My start up & shutdown scripts are |
| 29 |
in /etc/X11/Sessions/fluxbox. Are they correct for this task? |
| 30 |
================================================ |
| 31 |
eval "$(gpg-agent --daemon)" |
| 32 |
/usr/bin/startfluxbox |
| 33 |
kill `echo ${GPG_AGENT_INFO} | cut -d ':' -f 2` |
| 34 |
================================================ |
| 35 |
|
| 36 |
Or should I have another line to 'rm -Rf /tmp/gpg-*' |
| 37 |
-- |
| 38 |
Regards, |
| 39 |
Mick |
Archives