Gentoo Forums » Assistance » Networking & Security
[SOLVED] security risk with gpg

disperato
Tux's lil' helper
Posts: 123
Joined: Tue Apr 27, 2004 12:17 pm

Post by disperato » Tue Mar 25, 2014 12:26 pm

gpg is having a very unexpected and alarming behaviour.

Everything is ok in terminal (no X):

    gpg -c mytextfile   # prompts twice for a password and creates an encrypted version, mytextfile.gpg
    rm mytextfile       # removes the unencrypted version
    gpg mytextfile.gpg  # prompts for the password and decrypts the file if the password is correct

Something is utterly wrong in xterm (xfce4+gtk...):

    gpg -c mytextfile   # prompts twice for a password and creates an encrypted version, mytextfile.gpg
    rm mytextfile       # removes the unencrypted version
    gpg mytextfile.gpg  # DOES NOT ASK for any password! And DECRYPTS all the same, as if a password had been given

Output of the last command:

    gpg: CAST5 encrypted data
    gpg: encrypted with 1 passphrase
    gpg: WARNING: message was not integrity protected

It's already a big mistake having the gpg password prompt in a GTK pop-up window, but having our files decrypted without any password is, IMHO, very bad. Or am I doing something wrong?

affected: app-crypt/gnupg-2.0.22
Last edited by disperato on Wed Mar 26, 2014 9:22 am, edited 1 time in total.
The free men's path is always obstructed by mediocrity.
TomWij
Retired Dev
Posts: 1553
Joined: Wed Jul 04, 2012 6:52 pm

Post by TomWij » Tue Mar 25, 2014 7:32 pm

Do you have any agent or keyring daemon running that remembers the password? (Check `ps axjf` after it has remembered the password.)
disperato
Tux's lil' helper
Posts: 123
Joined: Tue Apr 27, 2004 12:17 pm

Post by disperato » Tue Mar 25, 2014 9:38 pm

Done, and found this line (amongst others) that looks relevant:

    1  3046  3046  3046 ?           -1 Ss       0   0:00 /usr/bin/gpg-agent --sh --daemon --enable-ssh-support --write-env-file /root/.cache/gpg-agent-info

    # cat /root/.cache/gpg-agent-info
    GPG_AGENT_INFO=/tmp/gpg-psk7Xa/S.gpg-agent:3046:1
    SSH_AUTH_SOCK=/tmp/gpg-KJqbN1/S.gpg-agent.ssh
    SSH_AGENT_PID=3046

    # cat /tmp/gpg-psk7Xa/S.gpg-agent
    cat: /tmp/gpg-psk7Xa/S.gpg-agent: No such device or address

In fact the file exists and is inaccessible with anything (vim, to name one).
If I understand it correctly, passwords are safe even while cached. Assuming someone accesses my disk (for example by stealing the laptop), they couldn't read the encrypted file, because /tmp/stuff is gone on shutdown, right?
TomWij
Retired Dev
Posts: 1553
Joined: Wed Jul 04, 2012 6:52 pm

Post by TomWij » Tue Mar 25, 2014 10:41 pm

If you temporarily move the gpg-agent bin file away, can you still reproduce it? Does GPG still work then?
disperato
Tux's lil' helper
Posts: 123
Joined: Tue Apr 27, 2004 12:17 pm

Post by disperato » Wed Mar 26, 2014 9:22 am

By removing /tmp/gpg* everything works as expected, i.e. `gpg myfile.gpg` asks for a password.

I also tested it with pinentry eselected to gtk and curses, and the behaviour was reproduced in both cases:
when /tmp/gpg* are left in place, gpg does not ask for a password (either with pinentry set to gtk or to ncurses);
when /tmp/gpg* are removed, gpg asks for a password (either case, gtk or ncurses).

I noticed this (I'm trying as root now, but for a user it is similar):

    ps aux | grep gpg
    /usr/bin/gpg-agent --sh --daemon --enable-ssh-support --write-env-file /root/.cache/gpg-agent-info

I'd like to start gpg-agent with one more option: --default-cache-ttl N

    # gpg-agent -h
    gpg-agent (GnuPG) 2.0.22
    libgcrypt 1.5.3
    Copyright (C) 2013 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Syntax: gpg-agent [options] [command [args]]
    Secret key management for GnuPG

    Options:

         --daemon                     run in daemon mode (background)
         --server                     run in server mode (foreground)
     -v, --verbose                    verbose
     -q, --quiet                      be somewhat more quiet
     -s, --sh                         sh-style command output
     -c, --csh                        csh-style command output
         --options FILE               read options from FILE
         --no-detach                  do not detach from the console
         --no-grab                    do not grab keyboard and mouse
         --log-file                   use a log file for the server
         --use-standard-socket        use a standard location for the socket
         --pinentry-program PGM       use PGM as the PIN-Entry program
         --scdaemon-program PGM       use PGM as the SCdaemon program
         --disable-scdaemon           do not use the SCdaemon
         --keep-tty                   ignore requests to change the TTY
         --keep-display               ignore requests to change the X display
         --default-cache-ttl N        expire cached PINs after N seconds
         --ignore-cache-for-signing   do not use the PIN cache when signing
         --no-allow-mark-trusted      disallow clients to mark keys as "trusted"
         --allow-preset-passphrase    allow presetting passphrase
         --enable-ssh-support         enable ssh support
         --write-env-file FILE        write environment settings also to FILE

But I cannot find out how to configure it for startup. Basically I can't find how gpg-agent is started, at what point, what launched it, and where to add the desired option.

    rc-update -s

does not give any gpg/gnupg result.

I've marked this as solved, though, so as not to create anxiety about non-existent security issues.
TomWij
Retired Dev
Posts: 1553
Joined: Wed Jul 04, 2012 6:52 pm

Post by TomWij » Wed Mar 26, 2014 12:06 pm

You can try `grep -r gpg-agent /etc/` and do the same in the home directory's hidden directories, like `grep -r gpg-agent ~/.[A-Za-z0-9_-][A-Za-z0-9_.-]*`.

A side idea is to check what the parent process is; by doing so, you get an idea of what launches it, and maybe that will give a better idea of where to search.

If all else fails, move gpg-agent away and turn that into a wrapper script which passes along the extra argument.
khayyam
Watchman
Posts: 6227
Joined: Thu Jun 07, 2012 2:45 am
Location: Room 101

Post by khayyam » Sun Apr 13, 2014 7:22 pm

disperato wrote: I'd like to start gpg-agent with one more option: --default-cache-ttl N [...] but cannot find out how to configure it for startup. Basically I can't find how gpg-agent is started, at what point, what launched it and where to add the desired option.

disperato ... you'd need to create a ~/.gnupg/gpg-agent.conf and add the options there, e.g.:

    # cache settings (3600 == 1hr)
    default-cache-ttl 3600
    default-cache-ttl-ssh 3600
    enable-ssh-support

... that said, I've masked > gpg-1 as the whole pinentry thing is broken IMO.

best ... khay
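The checks the thread arrives at by hand, collected into one POSIX shell script: TomWij's `ps axjf` and parent-process suggestions, disperato's look at /root/.cache/gpg-agent-info, and khayyam's gpg-agent.conf. This is an added example, not code from any of the posters or from GnuPG. It assumes a Linux /proc filesystem, an env file in the --write-env-file format shown above (the default path ~/.cache/gpg-agent-info mirrors the poster's layout and is not a GnuPG standard), and that a running gpg-agent accepts `gpg-connect-agent reloadagent /bye` to flush its cache (true for GnuPG 2.0 and later as far as I know; treat it as an assumption for 2.0.22). max-cache-ttl is a documented gpg-agent option that the -h listing above does not print: default-cache-ttl is idle time since the passphrase was last used, max-cache-ttl is the ceiling regardless of use. All sample data in the self-test is constructed.

```bash
#!/bin/sh
# Added example, not from the thread or from GnuPG. Three helpers around the
# behaviour discussed above:
#   agent_status  - parse the --write-env-file output and say whether the agent
#                   that may still hold the passphrase is alive (the ps check).
#   ancestry      - walk a pid's parent chain via /proc to see what launched it.
#   agent_conf    - emit gpg-agent.conf lines bounding how long a cached
#                   passphrase survives.
# Assumes Linux /proc and POSIX sh; the env-file path default is the poster's
# layout, not a GnuPG convention.
set -eu

# Split a GPG_AGENT_INFO value "<socket>:<pid>:<protocol>" into three fields.
# (Splits on the last two colons, so a socket path may itself contain ':'.)
parse_agent_info() {
    info=$1
    proto=${info##*:}
    rest=${info%:*}
    printf '%s %s %s\n' "${rest%:*}" "${rest##*:}" "$proto"
}

# Print "alive", "stale" (env file present but agent or socket gone) or "none".
# A live agent means a passphrase typed earlier for `gpg -c` may still be
# cached, which is exactly why the second `gpg mytextfile.gpg` did not prompt.
agent_status() {
    envfile=${1:-${HOME:-}/.cache/gpg-agent-info}
    [ -r "$envfile" ] || { echo none; return 0; }
    info=$(sed -n 's/^GPG_AGENT_INFO=//p' "$envfile")
    [ -n "$info" ] || { echo none; return 0; }
    set -- $(parse_agent_info "$info")   # socket paths with spaces unsupported
    sock=$1; pid=$2
    if [ -S "$sock" ] && kill -0 "$pid" 2>/dev/null; then
        echo alive
    else
        echo stale
    fi
}

# Print "pid name" for a process and each ancestor up to pid 1. Feed it the
# gpg-agent pid from ps to learn which login script or session started it.
ancestry() {
    pid=$1
    while [ "$pid" -gt 0 ] && [ -r "/proc/$pid/status" ]; do
        name=$(sed -n 's/^Name:[[:space:]]*//p' "/proc/$pid/status")
        printf '%s %s\n' "$pid" "$name"
        [ "$pid" -eq 1 ] && break
        pid=$(sed -n 's/^PPid:[[:space:]]*//p' "/proc/$pid/status")
    done
}

# gpg-agent.conf fragment: idle ttl first, absolute ceiling second (seconds).
agent_conf() {
    printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "${1:-600}" "${2:-1800}"
}

# Ask the running agent to reload, which drops every cached passphrase without
# killing the agent. Needs a reachable agent; the self-test does not call it.
clear_cache() {
    gpg-connect-agent reloadagent /bye
}

case "${1:-}" in
    status)   agent_status "${2:-}" ;;
    ancestry) ancestry "${2:-$$}" ;;
    conf)     agent_conf "${2:-600}" "${3:-1800}" ;;
    clear)    clear_cache ;;
esac
```

`sh agent-check.sh status` reports whether an agent that could still hold the passphrase is running; `sh agent-check.sh ancestry <pid>` with the gpg-agent pid from `ps` shows the chain of processes that started it, which is where the launcher to edit will be; `sh agent-check.sh conf 600 1800 >> ~/.gnupg/gpg-agent.conf` applies a bounded cache; `sh agent-check.sh clear` flushes the cache immediately, which is the cleaner equivalent of deleting /tmp/gpg*. Nothing here changes the conclusion of the thread: the file was never decrypted without a passphrase, the agent supplied the one cached from `gpg -c`.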