Re: HEAD and "persistant passphrase"
- From: Albrecht Dreß <albrecht dress arcor de>
- To: "Jean-Luc Coulon (f5ibh)" <jean-luc coulon wanadoo fr>
- Cc: balsa-list gnome org
- Subject: Re: HEAD and "persistant passphrase"
- Date: Sun, 2 May 2004 19:50:06 +0200
On 02.05.04 18:23 Jean-Luc Coulon (f5ibh) wrote:
> I've seen the explanation but not understood the workaround.
> I've a Debian system and I've not found any trace of pinentry.
> Do I have to install pinentry to have this workaround work?
First you must install a newpg or gpg 1.9.x release which includes the
agent. I installed gpg 1.9.7 (I need it anyway for gpgsm to work with
S/MIME), which in turn depends upon a bunch of libs. The current chain would
be (the versions given should be the latest available...):
* install libgcrypt 1.2.0 (from ftp://ftp.gnupg.org/gcrypt/libgcrypt)
* install libksba 0.9.5 (ftp://ftp.gnupg.org/gcrypt/alpha/libksba)
* install libassuan 0.6.4 (ftp://ftp.gnupg.org/gcrypt/alpha/libassuan)
* install dirmngr 0.5.3 (ftp://ftp.gnupg.org/gcrypt/alpha/dirmngr)
* install pinentry 0.7.1 (ftp://ftp.gnupg.org/gcrypt/pinentry)
* install gnupg 1.9.7 (ftp://ftp.gnupg.org/gcrypt/alpha/gnupg). If you
have gpg 1.2.4 up & running, you may want to disable building the new
gpg app by configuring it using --disable-gpg.
Maybe some of them can be found in the deb unstable chain?
Now add to your ~/.gnupg/gpg.conf file the line

  use-agent

Then create the file ~/.gnupg/gpg-agent.conf containing e.g.

  default-cache-ttl 3600
  pinentry-program /usr/local/bin/pinentry-gtk

to cache passphrases for 3600 secs and to use /usr/local/bin/pinentry-gtk.
Finally, add e.g. to the gdm session file (I still use an old gnome 2.0
gdm which uses /etc/X11/xdm/Xsession, ymmv)

  eval `gpg-agent --daemon`

In your gnome session, open a terminal and check if the env variable
GPG_AGENT_INFO is present. If it's set, everything should be fine...
This setup looks quite complicated, but you now end up with a global
passphrase cache which can be used by *all* apps using gpg directly or
indirectly. If you make the apps used (gpg, pinentry, gpg-agent) suid
root, they will additionally use secure (unswappable) memory, which is much
more secure than the current solution, as you will never leave traces on
swap space (your agent might still be attacked by root, though).
Hth,
Albrecht.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Albrecht Dreß - Johanna-Kirchner-Straße 13 - D-53123 Bonn (Germany)
Phone (+49) 228 6199571 - mailto:albrecht.dress@arcor.de
_________________________________________________________________________
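The configuration and session check from the message above, as an added example (not part of the original post or of GnuPG itself): a POSIX shell script that writes `use-agent`, `default-cache-ttl` and `pinentry-program` into a GNUPGHOME directory with owner-only permissions, and a helper that verifies the `GPG_AGENT_INFO` variable a running `gpg-agent --daemon` exports (`socket:pid:protocol`) actually points at a live agent. The function names and the default pinentry path are assumptions; the agent itself is not started here.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Writes the gpg.conf / gpg-agent.conf lines described above and checks
# the GPG_AGENT_INFO variable exported by "eval `gpg-agent --daemon`".

# setup_gpg_agent_conf GNUPGHOME [TTL_SECONDS] [PINENTRY_PATH]
# Creates the directory (mode 700) and both config files (mode 600).
# Re-running it does not duplicate the use-agent line.
setup_gpg_agent_conf() {
    gnupghome=$1
    ttl=${2:-3600}
    pinentry=${3:-/usr/local/bin/pinentry-gtk}   # assumed default path

    mkdir -p "$gnupghome" || return 1
    chmod 700 "$gnupghome" || return 1

    # gpg.conf: the option is spelled with a hyphen; append only if missing
    if ! grep -qs '^use-agent$' "$gnupghome/gpg.conf"; then
        printf 'use-agent\n' >> "$gnupghome/gpg.conf" || return 1
    fi

    # gpg-agent.conf: cache TTL and the pinentry program the agent should use
    printf 'default-cache-ttl %s\npinentry-program %s\n' \
        "$ttl" "$pinentry" > "$gnupghome/gpg-agent.conf" || return 1

    chmod 600 "$gnupghome/gpg.conf" "$gnupghome/gpg-agent.conf"
}

# check_agent_env [INFO]
# INFO defaults to $GPG_AGENT_INFO, which gpg-agent 1.9.x sets to
# "/path/to/S.gpg-agent:PID:1". Returns:
#   0 variable set, socket exists, agent process alive
#   1 variable missing            2 socket path missing
#   3 agent pid not running
check_agent_env() {
    info=${1:-$GPG_AGENT_INFO}
    if [ -z "$info" ]; then
        echo "GPG_AGENT_INFO is not set; run: eval \`gpg-agent --daemon\`" >&2
        return 1
    fi
    sock=${info%%:*}          # first field: socket path
    rest=${info#*:}
    pid=${rest%%:*}           # second field: agent pid
    if [ ! -S "$sock" ]; then
        echo "no agent socket at $sock" >&2
        return 2
    fi
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "agent pid $pid is not running" >&2
        return 3
    fi
    return 0
}

# Interactive use (not executed when sourced):
#   setup_gpg_agent_conf "$HOME/.gnupg"
#   eval `gpg-agent --daemon`
#   check_agent_env && echo "agent ok"
```

Run `check_agent_env` from a terminal inside the graphical session, not from the login shell that started it, because the variable only reaches processes that inherit the environment from the `eval`.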