disperato Tux's lil' helper
Joined: 27 Apr 2004 Posts: 120
|
Posted: Tue Mar 25, 2014 12:26 pm Post subject: [SOLVED] security risk with gpg |
|
|
gpg is having a very unexpected and alarming behaviour.
Everything is ok in terminal (no X):
Code: | gpg -c mytextfile # prompts twice for password and creates an encrypted version, mytextfile.gpg
rm mytextfile #removes the unencrypted version
gpg mytextfile.gpg #prompts for password and unencrypts the file if password is correct |
Something is utterly wrong in xterm (xfce4+gtk...):
Code: | gpg -c mytextfile # prompts twice for password and creates an encrypted version, mytextfile.gpg
rm mytextfile #removes the unencrypted version
gpg mytextfile.gpg #DOES NOT ASK for any password! And UNENCRYPTS all the same, as if a password had been given |
output of the last command:
Code: | gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected |
It's already a big mistake having gpg password prompt in a gtk pop-up window, but having our files unencrypted without any password is, IMHO, very bad. Or am I doing something wrong?
affected: app-crypt/gnupg-2.0.22
_________________
The free men's path is always obstructed by mediocrity.
Last edited by disperato on Wed Mar 26, 2014 9:22 am; edited 1 time in total |
TomWij Retired Dev
Joined: 04 Jul 2012 Posts: 1553
|
Posted: Tue Mar 25, 2014 7:32 pm Post subject: |
|
|
Do you have any agent or keyring daemon running that remembers the password? (Check `ps axjf` after it has remembered the password) |
disperato Tux's lil' helper
Joined: 27 Apr 2004 Posts: 120
|
Posted: Tue Mar 25, 2014 9:38 pm Post subject: |
|
|
Done, and found this line (amongst others) that looks relevant:
Code: | 1 3046 3046 3046 ? -1 Ss 0 0:00 /usr/bin/gpg-agent --sh --daemon --enable-ssh-support --write-env-file /root/.cache/gpg-agent-info |
Code: | # cat /root/.cache/gpg-agent-info
GPG_AGENT_INFO=/tmp/gpg-psk7Xa/S.gpg-agent:3046:1
SSH_AUTH_SOCK=/tmp/gpg-KJqbN1/S.gpg-agent.ssh
SSH_AGENT_PID=3046 |
Code: | # cat /tmp/gpg-psk7Xa/S.gpg-agent
cat: /tmp/gpg-psk7Xa/S.gpg-agent: No such device or address |
In fact the file exists and is inaccessible with anything (vim, to say one).
If I understand it correctly, passwords are safe even while cached. Assuming someone accesses my disk (for example stealing the laptop), they couldn't read the encrypted file, because /tmp/stuff is gone on shutdown, right? |
TomWij Retired Dev
Joined: 04 Jul 2012 Posts: 1553
|
Posted: Tue Mar 25, 2014 10:41 pm Post subject: |
|
|
If you temporarily move the gpg-agent bin file away, can you still reproduce it? Does GPG still work then? |
disperato Tux's lil' helper
Joined: 27 Apr 2004 Posts: 120
|
Posted: Wed Mar 26, 2014 9:22 am Post subject: |
|
|
By removing /tmp/gpg* everything works as expected, i.e. gpg myfile.gpg asks for password.
I also tested it with pinentry eselected to gtk and curses, and the behaviour was reproduced in both cases:
when /tmp/gpg* are left in place, gpg does not ask for a password (either with pinentry set to gtk, or ncurses);
when /tmp/gpg* are removed, gpg asks for a password (either case, gtk, ncurses)
Noticed this (I'm trying as root, now, but for user is similar):
Code: | ps aux | grep gpg
/usr/bin/gpg-agent --sh --daemon --enable-ssh-support --write-env-file /root/.cache/gpg-agent-info |
I'd like to start gpg-agent with one more option: --default-cache-ttl N
Code: | # gpg-agent -h
gpg-agent (GnuPG) 2.0.22
libgcrypt 1.5.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Syntax: gpg-agent [options] [command [args]]
Secret key management for GnuPG
Options:
--daemon run in daemon mode (background)
--server run in server mode (foreground)
-v, --verbose verbose
-q, --quiet be somewhat more quiet
-s, --sh sh-style command output
-c, --csh csh-style command output
--options FILE read options from FILE
--no-detach do not detach from the console
--no-grab do not grab keyboard and mouse
--log-file use a log file for the server
--use-standard-socket use a standard location for the socket
--pinentry-program PGM use PGM as the PIN-Entry program
--scdaemon-program PGM use PGM as the SCdaemon program
--disable-scdaemon do not use the SCdaemon
--keep-tty ignore requests to change the TTY
--keep-display ignore requests to change the X display
--default-cache-ttl N expire cached PINs after N seconds
--ignore-cache-for-signing do not use the PIN cache when signing
--no-allow-mark-trusted disallow clients to mark keys as "trusted"
--allow-preset-passphrase allow presetting passphrase
--enable-ssh-support enable ssh support
--write-env-file FILE write environment settings also to FILE
|
But cannot find out how to configure it for startup. Basically I can't find how gpg-agent is started, at what point, what launched it and where to add the desired option.
does not give any gpg/gnupg result.
I've marked this as solved, though, not to create anxiety about non-existent security issues. |
TomWij Retired Dev
Joined: 04 Jul 2012 Posts: 1553
|
Posted: Wed Mar 26, 2014 12:06 pm Post subject: |
|
|
You can try to `grep -r gpg-agent /etc/` and do the same in the home directory's hidden directories, like `grep -r a ~/.[A-Za-z0-9_-][A-Za-z0-9_.-]*`
A side idea is to check what the parent process is; by doing so, you get an idea what launches it and maybe that will give a better idea where to search.
If all else fails, move gpg-agent away and turn that into a wrapper script which passes along the extra argument. |
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Sun Apr 13, 2014 7:22 pm Post subject: |
|
|
disperato wrote: | I'd like to start gpg-agent with one more option: --default-cache-ttl N [... b]ut cannot find out how to configure it for startup. Basically I can't find how gpg-agent is started, at what point, what launched it and where to add the desired option. |
disperato ... you'd need to create a ~/.gnupg/gpg-agent.conf and add the options there, eg:
Code: | # cache settings (3600 == 1hr)
default-cache-ttl 3600
default-cache-ttl-ssh 3600
enable-ssh-support |
... that said, I've masked > gpg-1 as the whole pinentry thing is broken IMO.
best ... khay |
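
An added example, not part of the thread: a shell check that reads a gpg-agent.conf like the one posted above and reports how long the agent may keep a passphrase cached, falling back to gpg-agent's documented defaults (600 s for default-cache-ttl, 1800 s for default-cache-ttl-ssh, 7200 s for both max values) when an option is not set. The function names, the 900-second limit and the sample file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit passphrase cache lifetimes in a gpg-agent.conf.
# Function names and the limit are hypothetical, chosen for this sketch.

# agent_opt FILE OPTION DEFAULT -> prints the last value set for OPTION,
# or DEFAULT when the file is unreadable or the option is not set.
agent_opt() {
    file=$1 opt=$2 def=$3
    val=
    if [ -r "$file" ]; then
        # Skip comments and blank lines; the option name is the first word.
        val=$(awk -v o="$opt" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }
            $1 == o { v = $2 }
            END { print v }' "$file")
    fi
    echo "${val:-$def}"
}

# audit_cache FILE LIMIT -> prints one line per setting and returns 1 if
# any cache lifetime is longer than LIMIT seconds.
audit_cache() {
    file=$1 limit=$2 rc=0
    for pair in default-cache-ttl:600 max-cache-ttl:7200 \
                default-cache-ttl-ssh:1800 max-cache-ttl-ssh:7200; do
        opt=${pair%%:*}; def=${pair##*:}
        ttl=$(agent_opt "$file" "$opt" "$def")
        if [ "$ttl" -gt "$limit" ]; then
            echo "LONG  $opt=$ttl (limit $limit)"; rc=1
        else
            echo "ok    $opt=$ttl"
        fi
    done
    return $rc
}

# Constructed sample: the configuration posted in the thread.
sample=$(mktemp)
printf '%s\n' '# cache settings (3600 == 1hr)' 'default-cache-ttl 3600' \
    'default-cache-ttl-ssh 3600' 'enable-ssh-support' > "$sample"
audit_cache "$sample" 900 || echo "cache lifetime above 900 s"
rm -f "$sample"
```

gpg-agent rereads its configuration file and flushes all cached passphrases when it receives SIGHUP, so a changed TTL can be applied to an agent that is already running.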