On Tue, 21 Nov 2006, Mick wrote:
>>> They are only stored in locked memory; they are never on disk
>>> unencrypted. Anyone that can read locked memory can access them, but this
>>> is very few users/processes on Linux -- and besides those same users will
>>> be able to read the key as you authenticate even if you don't use
>>> ssh-agent, as long as they time things right.
>>
>> OK, this sounds better! I posted to the gnupg-users, asking a similar
>> question about gpg-agent. I guess gpg-agent works the same way.
>
> Please post back your findings!
>
Well, no responses yet in the gnupg-users list, so there are no findings
to post! (Let's wait at least a few hours :))

> What happens to the /tmp/ directory & socket file after the user logs out?
> Does it get deleted by the ssh-agent shutdown script?
>
I didn't start using ssh-agent yet, but I tested it from the command
line and the directory was removed when I killed the ssh-agent process.
> I am asking this because I seem to continuously accumulate a load of gpg-agent
> directories and socket files into my /tmp. Unless of course gpg-agent works
I suppose that has to do with the agent(s) working as daemons? I don't
like that kind of setup. This is what I intend to (try to) do:

- One fixed socket, in some dedicated directory (no /tmp, no random name
for the socket)
- The socket name as a fixed env variable, set in the shell config files
- Hence, no need to eval, etc
- No daemon (i.e. no backgrounding). Just a service supervised by
daemontools. Logs go to a directory of my choosing and if the agent
dies, it is resurrected, and the socket (with the same name) is
recreated (of course, keys must be added, then)
- A perl script to interact with the service, just in case.

I think this is not difficult to do, unless I grossly misunderstood
something essential. (Comments, anyone?) I just don't see the need to
run the agent as subordinate of an X session or whatever (please someone
correct me if I'm wrong!) And if I don't want the service running when
I'm not logged in, I could bring it down with the perl script (in
~/.bash_logout, maybe?)
For gpg-agent, I'm not so sure, but I hope it can be done too.

> on a different principle altogether. My start up & shutdown scripts are
> in /etc/X11/Sessions/fluxbox. Are they correct for this task?
> ================================================
> eval "$(gpg-agent --daemon)"
> /usr/bin/startfluxbox
> kill `echo ${GPG_AGENT_INFO} | cut -d ':' -f 2`
> ================================================
>
> Or should I have another line to 'rm -Rf /tmp/gpg-*'
>

--
Jorge Almeida
--
gentoo-user@g.o mailing list
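The fixed-socket, supervised-agent plan sketched in the message above, written out as an added shell example; it is not part of the original thread and not Jorge's or Mick's own scripts. It assumes the OpenSSH ssh-agent options -D (stay in the foreground), -a (bind the socket at a given path) and -t (default key lifetime), a daemontools service directory under $HOME/service (an assumed location), and $HOME/.ssh/agent as the dedicated socket directory (also assumed). Keeping the socket in a 0700 directory of the user's own rather than in /tmp is what limits who can connect to the agent to the owner and root, the same trust boundary the quoted "locked memory" remark describes.

```shell
#!/bin/sh
# Added example, not from the original thread. Sets up ssh-agent as a
# daemontools-supervised service with a fixed socket path.
# Assumed paths: $HOME/.ssh/agent (socket + logs), $HOME/service/ssh-agent.
# Assumed ssh-agent options: -D (foreground), -a (socket path), -t (lifetime).

# Create the socket directory with mode 0700. The socket is what any local
# process needs in order to use the keys, so the directory, not /tmp, is the
# boundary: only the owner (and root) can traverse it.
prepare_agent_dir() {
    dir="$1"
    mkdir -p "$dir" || return 1
    chmod 0700 "$dir"
}

# Write the daemontools run script and a log/run that feeds multilog.
# rm -f clears a stale socket left by a crashed agent so the restarted agent
# can bind the same name again; keys must be re-added after such a restart.
# -t 8h bounds how long a loaded key stays usable if the agent outlives you.
write_run_script() {
    svcdir="$1"
    sock="$2"
    logdir="$3"
    mkdir -p "$svcdir/log" "$logdir" || return 1
    cat > "$svcdir/run" <<EOF
#!/bin/sh
exec 2>&1
rm -f "$sock"
exec ssh-agent -D -t 8h -a "$sock"
EOF
    cat > "$svcdir/log/run" <<EOF
#!/bin/sh
exec multilog t "$logdir"
EOF
    chmod 0755 "$svcdir/run" "$svcdir/log/run"
}

# Line for ~/.bashrc (or equivalent): a fixed SSH_AUTH_SOCK means no eval of
# ssh-agent output and no per-login socket under /tmp.
shell_env_lines() {
    printf 'export SSH_AUTH_SOCK=%s\n' "$1"
}

# Returns 0 when the socket exists and an agent answers on it. ssh-add -l
# exits 0 with keys loaded, 1 with no keys, 2 when no agent is reachable;
# anything else (e.g. ssh-add missing) is also treated as unreachable.
agent_reachable() {
    sock="$1"
    [ -S "$sock" ] || return 1
    SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1
    case $? in
        0|1) return 0 ;;
        *)   return 1 ;;
    esac
}

# For ~/.bash_logout: take the service down (daemontools keeps it down until
# "svc -u" at next login, so keys are not left loaded while logged out).
stop_agent() {
    svc -d "$1"
}

# Usage: sh agent-setup.sh install
if [ "${1:-}" = install ]; then
    AGENT_DIR="$HOME/.ssh/agent"
    prepare_agent_dir "$AGENT_DIR"
    write_run_script "$HOME/service/ssh-agent" "$AGENT_DIR/sock" "$AGENT_DIR/log"
    shell_env_lines "$AGENT_DIR/sock"
fi
```

After `install`, symlinking $HOME/service/ssh-agent into the directory svscan watches starts the agent; `ssh-add` then loads keys over the fixed socket, and `agent_reachable "$SSH_AUTH_SOCK"` is the check a login script can use to tell whether keys need re-adding after a restart.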