Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] security risk with gpg
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
disperato
Tux's lil' helper
Tux's lil' helper


Joined: 27 Apr 2004
Posts: 120

PostPosted: Tue Mar 25, 2014 12:26 pm    Post subject: [SOLVED] security risk with gpg Reply with quote

gpg is having a very unespected and alarming behaviour.

Everything is ok in terminal (no X):

Code:
gpg -c mytextfile #propmt twice for password and creates an encrypted version, mytextfile.gpg
rm mytextfile       #removes the unencrypted version
gpg mytextfile.gpg #prompts for password and unencrypts the file if password is correct


Something is utterly wrong in xterm (xfce4+gtk...):

Code:
gpg -c mytextfile #propmt twice for password and creates an encrypted version, mytextfile.gpg
rm mytextfile       #removes the unencrypted version
gpg mytextfile.gpg #DOES NOT ASK for any password! And UNENCRYPTS all the same, as if a password had been given


output of the last command:
Code:
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected


It's already a big mistake having gpg password prompt in a gtk pop-up window, but having our files unencrypted without any password is, IMHO, very bad. Or am I doing something wrong?

affected: app-crypt/gnupg-2.0.22
_________________
The free men's path is always obstructed by mediocrity.


Last edited by disperato on Wed Mar 26, 2014 9:22 am; edited 1 time in total
Back to top
View user's profile Send private message
TomWij
Retired Dev
Retired Dev


Joined: 04 Jul 2012
Posts: 1553

PostPosted: Tue Mar 25, 2014 7:32 pm    Post subject: Reply with quote

Do you have any agent or kerying daemon running that remembers the password? (Check `ps axjf` after it has remembered the password)
Back to top
View user's profile Send private message
disperato
Tux's lil' helper
Tux's lil' helper


Joined: 27 Apr 2004
Posts: 120

PostPosted: Tue Mar 25, 2014 9:38 pm    Post subject: Reply with quote

Done, and found this line (amongst others) that looks relevant:

Code:
1  3046  3046  3046 ?           -1 Ss       0   0:00 /usr/bin/gpg-agent --sh --daemon --enable-ssh-support --write-env-file /root/.cache/gpg-agent-info


Code:
# cat /root/.cache/gpg-agent-info
GPG_AGENT_INFO=/tmp/gpg-psk7Xa/S.gpg-agent:3046:1
SSH_AUTH_SOCK=/tmp/gpg-KJqbN1/S.gpg-agent.ssh
SSH_AGENT_PID=3046


Code:
# cat /tmp/gpg-psk7Xa/S.gpg-agent
cat: /tmp/gpg-psk7Xa/S.gpg-agent: No such device or address


In fact the file exists and is unaccessible with anything (vim, to say one).
If I understand it correctly, password are safe even while cached. Assuming someone accesses my disk (for example stealing the laptop), they couldn't read the encrypted file, because /tmp/stuff is gone on shutdown, right?
_________________
The free men's path is always obstructed by mediocrity.
Back to top
View user's profile Send private message
TomWij
Retired Dev
Retired Dev


Joined: 04 Jul 2012
Posts: 1553

PostPosted: Tue Mar 25, 2014 10:41 pm    Post subject: Reply with quote

If you temporarily move the gpg-agent bin file away, can you still reproduce it? Does GPG still work then?
Back to top
View user's profile Send private message
disperato
Tux's lil' helper
Tux's lil' helper


Joined: 27 Apr 2004
Posts: 120

PostPosted: Wed Mar 26, 2014 9:22 am    Post subject: Reply with quote

by removing /tmp/gpg* everything works as expected, i.e. gpg myfile.gpg asks for password.

I also tested it with pinentry eselected to gtk and curse, and behaviour was reproduced in both cases:
when /tmp/gpg* are left in place, gpg does not ask for a password (either with pinentry set to gtk, or ncurse);
when /tmp/gpg* are rmoved, gpg asks a password (either case, gtk, ncurse)

Noticed this (I'm trying as root, now, but for user is similar):

Code:
ps aux |grp gpg
/usr/bin/gpg-agent --sh --daemon --enable-ssh-support --write-env-file /root/.cache/gpg-agent-info


I'd like to start gpg-agent with one more option: --default-cache-ttl N

Code:
# gpg-agent -h
gpg-agent (GnuPG) 2.0.22
libgcrypt 1.5.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Syntax: gpg-agent [options] [command [args]]
Secret key management for GnuPG

Options:
 
     --daemon                     run in daemon mode (background)
     --server                     run in server mode (foreground)
 -v, --verbose                    verbose
 -q, --quiet                      be somewhat more quiet
 -s, --sh                         sh-style command output
 -c, --csh                        csh-style command output
     --options FILE               read options from FILE
     --no-detach                  do not detach from the console
     --no-grab                    do not grab keyboard and mouse
     --log-file                   use a log file for the server
     --use-standard-socket        use a standard location for the socket
     --pinentry-program PGM       use PGM as the PIN-Entry program
     --scdaemon-program PGM       use PGM as the SCdaemon program
     --disable-scdaemon           do not use the SCdaemon
     --keep-tty                   ignore requests to change the TTY
     --keep-display               ignore requests to change the X display
     --default-cache-ttl N        expire cached PINs after N seconds
     --ignore-cache-for-signing   do not use the PIN cache when signing
     --no-allow-mark-trusted      disallow clients to mark keys as "trusted"
     --allow-preset-passphrase    allow presetting passphrase
     --enable-ssh-support         enable ssh support
     --write-env-file FILE        write environment settings also to FILE


But cannot find out how to configure it for startup. Basically I can't find how gpg-agent is started, at what point, what launched it and where to add the desired option.
Code:
rc-update -s
does not give any gpg/gnupg result.

I'm marked this as solved, though, not to create anxiety about non-existent security issues.
_________________
The free men's path is always obstructed by mediocrity.
Back to top
View user's profile Send private message
TomWij
Retired Dev
Retired Dev


Joined: 04 Jul 2012
Posts: 1553

PostPosted: Wed Mar 26, 2014 12:06 pm    Post subject: Reply with quote

You can try to `grep -r gpg-agent /etc/` and do the same in the home directories hidden directories like `grep -r a ~/.[A-Za-z0-9_-][A-Za-z0-9_.-]*`

A side idea is to check what the parent process is; by doing so, you get an idea what launches it and maybe that will give a better idea where to search.

If all else fails, move gpg-agent away and turn that into a wrapper script which passes along the extra argument.
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Sun Apr 13, 2014 7:22 pm    Post subject: Reply with quote

disperato wrote:
I'd like to start gpg-agent with one more option: --default-cache-ttl N [... b]ut cannot find out how to configure it for startup. Basically I can't find how gpg-agent is started, at what point, what launched it and where to add the desired option.

disperato ... you'd need to create a ~/.gnupg/gpg-agent.conf and add the options there, eg:

Code:
# cache settings (3600 == 1hr)
default-cache-ttl 3600
default-cache-ttl-ssh 3600
enable-ssh-support

... that said, I've masked > gpg-1 as the who pinentry thing is broken IMO.

best ... khay
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum