Re: HEAD and "persistent passphrase"



On 02.05.04 18:23, Jean-Luc Coulon (f5ibh) wrote:
> I've seen the explanation but not understood the workaround.
> I've a Debian system and I've not found any trace of pinentry.
> Do I have to install pinentry to have this workaround to work ?

First you must install a newpg or gpg 1.9.x release which includes the
agent. I installed gpg 1.9.7 (I need it anyway for gpgsm to work with
s/mime), which in turn depends upon a bunch of libs. The current chain would
be (the version given should be the latest available...):

* install libgcrypt 1.2.0 (from ftp://ftp.gnupg.org/gcrypt/libgcrypt)
* install libksba 0.9.5 (ftp://ftp.gnupg.org/gcrypt/alpha/libksba)
* install libassuan 0.6.4 (ftp://ftp.gnupg.org/gcrypt/alpha/libassuan)
* install dirmngr 0.5.3 (ftp://ftp.gnupg.org/gcrypt/alpha/dirmngr)
* install pinentry 0.7.1 (ftp://ftp.gnupg.org/gcrypt/pinentry)
* install gnupg 1.9.7 (ftp://ftp.gnupg.org/gcrypt/alpha/gnupg). If you
  have gpg 1.2.4 up & running, you may want to disable building the new
  gpg app by configuring it using --disable-gpg.

Maybe some of them can be found in the deb unstable chain?

Now add to your ~/.gnupg/gpg.conf file the line

use-agent

Then create the file ~/.gnupg/gpg-agent.conf containing e.g.

default-cache-ttl 3600
pinentry-program /usr/local/bin/pinentry-gtk

to cache passphrases 3600 secs and to use /usr/local/bin/pinentry-gtk.

Finally, add e.g. to the gdm session file (I still use an old gnome 2.0  
gdm which uses /etc/X11/xdm/Xsession, ymmv)

eval `gpg-agent --daemon`

In your gnome session, open a terminal and check if the env variable  
GPG_AGENT_INFO is present. If it's set, everything should be fine...

This setup looks quite complicated, but you now end up with a global
passphrase cache which can be used by *all* apps using gpg directly or
indirectly. If you make the apps used (gpg, pinentry, gpg-agent) suid
root, they will additionally use secure (unswappable) memory which is much
more secure than the current solution as you will never leave traces on
swap space (your agent might still be attacked by root, though).

Hth,

	Albrecht.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Albrecht Dreß  -  Johanna-Kirchner-Straße 13  -  D-53123 Bonn (Germany)
       Phone (+49) 228 6199571  -  mailto:albrecht.dress@arcor.de
_________________________________________________________________________
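The last step of the recipe above is to open a terminal and look for GPG_AGENT_INFO. The following is an added example, not part of Albrecht's mail or of GnuPG: it parses the value that `eval \`gpg-agent --daemon\`` exports (the gpg 1.9.x agent uses the form `<socket path>:<pid>:<protocol version>`, assumed here) and checks that the agent it names is actually still running, rather than only that the variable exists.

```shell
#!/bin/sh
# Added example: validate the GPG_AGENT_INFO string left behind by
# `eval \`gpg-agent --daemon\`` (assumed format socket:pid:version).

# Split GPG_AGENT_INFO into its three fields and print "socket pid version".
# Returns 1 if the string does not have that shape.
parse_agent_info() {
    info=$1
    # The last ':'-separated field is the protocol version, the one before
    # it the pid; we split from the right so the socket path keeps any ':'.
    version=${info##*:}
    rest=${info%:*}
    pid=${rest##*:}
    sock=${rest%:*}
    # A string with fewer than two ':' collapses into itself; reject it.
    [ "$rest" != "$info" ] && [ "$sock" != "$rest" ] || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;   # pid must be a plain number
    esac
    case $version in
        ''|*[!0-9]*) return 1 ;;   # so must the protocol version
    esac
    [ -n "$sock" ] || return 1
    printf '%s %s %s\n' "$sock" "$pid" "$version"
}

# Exit 0 only if GPG_AGENT_INFO is set, well formed, the socket exists and
# the daemon pid is alive; otherwise say which part of the setup is missing.
agent_alive() {
    [ -n "${GPG_AGENT_INFO:-}" ] || { echo "GPG_AGENT_INFO not set (is the eval in Xsession?)" >&2; return 1; }
    fields=$(parse_agent_info "$GPG_AGENT_INFO") || { echo "malformed GPG_AGENT_INFO: $GPG_AGENT_INFO" >&2; return 1; }
    set -- $fields
    [ -S "$1" ] || { echo "no agent socket at $1" >&2; return 1; }
    kill -0 "$2" 2>/dev/null || { echo "agent pid $2 is no longer running" >&2; return 1; }
    echo "gpg-agent $2 listening on $1 (protocol $3)"
}

# Run as `sh this_script.sh check` from a terminal inside the gnome session.
if [ "${1:-}" = check ]; then
    agent_alive
fi
```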
