Gentoo Archives: gentoo-user

From: Jorge Almeida <jalmeida@××××××××××××.pt>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] ssh-agent
Date: Tue, 21 Nov 2006 23:29:37
Message-Id: Pine.LNX.4.64.0611212254410.13598@jmaa.math.ist.utl.pt
In Reply to: Re: [gentoo-user] ssh-agent by Mick
On Tue, 21 Nov 2006, Mick wrote:
>>> They are only stored in locked memory; they are never on disk
>>> unencrypted. Anyone that can read locked memory can access them, but this
>>> is very few users/processes on Linux -- and besides those same users will
>>> be able to read the key as you authenticate even if you don't use
>>> ssh-agent, as long as they time things right.
>>
>> OK, this sounds better! I posted to the gnupg-users, asking a similar
>> question about gpg-agent. I guess gpg-agent works the same way.
>
> Please post back your findings!
>
Well, no responses yet in the gnupg-users list, so there are no findings
to post! (Let's wait at least a few hours :))

> What happens to the /tmp/ directory & socket file after the user logs out?
> Does it get deleted by the ssh-agent shutdown script?
>
I didn't start using ssh-agent yet, but I tested it from the command
line and the directory was removed when I killed the ssh-agent process.
> I am asking this because I seem to continuously accumulate a load of gpg-agent
> directories and socket files into my /tmp. Unless of course gpg-agent works
I suppose that has to do with the agent(s) working as daemons? I don't
like that kind of setup. This is what I intend to (try to) do:

- One fixed socket, in some dedicated directory (no /tmp, no random name
for the socket)
- The socket name as a fixed env variable, set in the shell config files
- Hence, no need to eval, etc.
- No daemon (i.e. no backgrounding). Just a service supervised by
daemontools. Logs go to a directory of my choosing and if the agent
dies, it is resurrected, and the socket (with the same name) is
recreated (of course, keys must be added, then)
- A perl script to interact with the service, just in case.

I think this is not difficult to do, unless I grossly misunderstood
something essential. (Comments, anyone?) I just don't see the need to
run the agent as subordinate of an X session or whatever (please someone
correct me if I'm wrong!) And if I don't want the service running when
I'm not logged in, I could bring it down with the perl script (in
~/.bash_logout, maybe?)
For gpg-agent, I'm not so sure, but I hope it can be done too.

> on a different principle altogether. My start up & shutdown scripts are
> in /etc/X11/Sessions/fluxbox. Are they correct for this task?
> ================================================
> eval "$(gpg-agent --daemon)"
> /usr/bin/startfluxbox
> kill `echo ${GPG_AGENT_INFO} | cut -d ':' -f 2`
> ================================================
>
> Or should I have another line to 'rm -Rf /tmp/gpg-*'
>

55 --
56 Jorge Almeida
57 --
58 gentoo-user@g.o mailing list
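The fixed-socket, daemontools-supervised setup sketched in the message above, as an added example that is not part of the original post or of any project's code. It assumes an ssh-agent that accepts -D (stay in the foreground) and -a <path> (bind to a chosen socket), and the service directory ~/service/ssh-agent and socket directory ~/.ssh/agent are hypothetical choices.

```shell
#!/bin/sh
# Added example: a daemontools-supervised ssh-agent with a fixed socket path.
# Assumes ssh-agent supports -D (no fork) and -a <path>; the directory names
# below are hypothetical and not taken from the thread.

# Fixed socket path. Exporting SSH_AUTH_SOCK with this value from ~/.bashrc
# means no 'eval $(ssh-agent)', and the path survives a restart by supervise.
AGENT_DIR="${HOME}/.ssh/agent"
AGENT_SOCK="${AGENT_DIR}/socket"

# Dedicated socket directory, readable only by the owner (no /tmp).
prepare_agent_dir() {
    mkdir -p "$1" && chmod 700 "$1"
}

# Write the daemontools service: run (agent in the foreground, stale socket
# removed first so a resurrected agent can rebind the same name) and log/run
# (multilog into a directory of our choosing).
write_service() {
    svc="$1"; sock="$2"; logdir="$3"
    mkdir -p "$svc/log"
    cat > "$svc/run" <<EOF
#!/bin/sh
exec 2>&1
rm -f "$sock"
exec ssh-agent -D -a "$sock"
EOF
    cat > "$svc/log/run" <<EOF
#!/bin/sh
exec multilog t "$logdir"
EOF
    chmod 755 "$svc/run" "$svc/log/run"
}

# True when the fixed-path socket exists, is really a socket and is ours;
# handy to run before ssh-add, since keys must be re-added after a restart.
agent_socket_ok() {
    [ -S "$1" ] && [ -O "$1" ]
}

# Setup (once):  prepare_agent_dir "$AGENT_DIR"
#                write_service "$HOME/service/ssh-agent" "$AGENT_SOCK" "$HOME/log/ssh-agent"
#                then point svscan at ~/service (or symlink into /service).
# ~/.bashrc:     export SSH_AUTH_SOCK="$HOME/.ssh/agent/socket"
# ~/.bash_logout: svc -d "$HOME/service/ssh-agent"   # stop the agent; keys are gone
```

Bringing the service down with `svc -d` on logout gives the "not running when I'm not logged in" behaviour without any /tmp cleanup, because the socket lives at one known path.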

Replies

Subject Author
Re: [gentoo-user] ssh-agent Justin Patrin <papercrane@×××××.com>