| 1 |
On 11/21/06, Jorge Almeida <jalmeida@××××××××××××.pt> wrote: |
| 2 |
> On Tue, 21 Nov 2006, Mick wrote: |
| 3 |
> >>> They are only stored in locked memory; they are never on disk |
| 4 |
> >>> unencrypted. Anyone that can read locked memory can access them, but this |
| 5 |
> >>> is very few users/processes on Linux -- and besides those same users will |
| 6 |
> >>> be able to read the key as you authenticate even if you don't use |
| 7 |
> >>> ssh-agent, as long as they time things right. |
| 8 |
> >> |
| 9 |
> >> OK, this sounds better! I posted to the gnupg-users, asking a similar |
| 10 |
> >> question about gpg-agent. I guess gpg-agent works the same way. |
| 11 |
> > |
| 12 |
> > Please post back your findings! |
| 13 |
> > |
| 14 |
> Well, no responses yet in the gnupg-users list, so there are no findings |
| 15 |
> to post! (Let's wait at least a few hours :)) |
| 16 |
> |
| 17 |
> > What happens to the /tmp/ directory & socket file after the user logs out? |
| 18 |
> > Does it get deleted by the ssh-agent shutdown script? |
| 19 |
> > |
| 20 |
> I didn't start using ssh-agent yet, but I tested it from the command |
| 21 |
> line and the directory was removed when I killed the ssh-agent process. |
| 22 |
> > I am asking this because I seem to continuously accumulate a load of gpg-agent |
| 23 |
> > directories and socket files into my /tmp. Unless of course gpg-agent works |
| 24 |
> I suppose that has to do with the agent(s) working as daemons? I don't |
| 25 |
> like that kind of setup. This is what I intend to (try to) do: |
| 26 |
> |
| 27 |
> - One fixed socket, in some dedicated directory (no /tmp, no random name |
| 28 |
> for the socket) |
| 29 |
> - The socket name as a fixed env variable, set in the shell config files |
| 30 |
> - Hence, no need to eval, etc |
| 31 |
> - No daemon (i.e. no backgrounding). Just a service supervised by |
| 32 |
> daemontools. Logs go to a directory of my choosing and if the agent |
| 33 |
> dies, it is ressurrected, and the socket (with the same name) is |
| 34 |
> recreated (of course, keys must be added, then) |
| 35 |
> - A perl script to interact with the service, just in case. |
| 36 |
> |
| 37 |
> I think this is not difficult to do, unless I grossly misunderstood |
| 38 |
> something essential. (Comments, anyone?) I just don't see the need to |
| 39 |
> run the agent as subordinate of an X session or whatever (please someone |
| 40 |
> correct me if I'm wrong!) And if I don't want the service running when |
| 41 |
> I'm not logged in, I could bring it down with the perl script (in |
| 42 |
> ~/.bash_logout, maybe?) |
| 43 |
> For gpg-agent, I'm not so sure, but I hope it can be done too. |
| 44 |
> |
| 45 |
> > on a different principle all together. My start up & shutdown scripts are |
| 46 |
> > in /etc/X11/Sessions/fluxbox. Are they correct for this task? |
| 47 |
> > ================================================ |
| 48 |
> > eval "$(gpg-agent --daemon)" |
| 49 |
> > /usr/bin/startfluxbox |
| 50 |
> > kill `echo ${GPG_AGENT_INFO} | cut -d ':' -f 2` |
| 51 |
> > ================================================ |
| 52 |
> > |
| 53 |
> > Or should I have another line to 'rm -Rf /tmp/gpg-*' |
| 54 |
> > |
| 55 |
> |
| 56 |
|
| 57 |
ssh-agent /bin/sh |
| 58 |
|
| 59 |
When you exit the shell, ssh-agent exits too (after cleaning up). |
| 60 |
Running the agent as a daemon means you have to tell it when to shut |
| 61 |
down as well (how would it know when to stop?). |
| 62 |
|
| 63 |
-- |
| 64 |
Justin Patrin |
| 65 |
-- |
| 66 |
gentoo-user@g.o mailing list |
Archives