opie or s/key with gpg?

David Shaw dshaw@jabberwocky.com
Tue Oct 7 14:38:01 CEST 2003

On Tue, Oct 07, 2003 at 12:26:20AM -0700, Atom 'Smasher' wrote:
> does anyone know if there's (yet) any way to use opie or s/key to unlock
> one's secret gpg key? if done right, this could greatly reduce
> (eliminate?) the possibility of having one's password sniffed, either on a
> network or from the keyboard.....

It is theoretically possible (I've thought about it for certain uses),
but it does not do what one might think it does.  One-time passwords
pretty much require that the item being protected be under the control
of the machine that runs the OTP system.  The process that
authenticates the OTP can then grant access to the protected item, in
this case the secret key.  It comes down to the OTP process needing
access to either the unprotected key or the passphrase.

This isn't a fatal flaw (after all, the gpg agent holds the same
information in memory), but it does change the circumstances where
such a setup would be useful.  Since most people want such a thing for
accessing their keys remotely, the requirement that their remote
machine must remain completely secure usually makes them reconsider.

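The point made in the reply above, as an added sketch that is not part of the original message and is not GnuPG code: an S/Key-style hash chain lets a verifier check a one-time password while storing only a hash, but the one-time password changes on every login, so it cannot serve as the key that decrypts the secret key. The verifier has to hold the passphrase itself. The class name `OtpGate`, the seed and the passphrase are constructed for illustration, and SHA-256 stands in for the hash that real S/Key or OPIE would use.

```python
import hashlib
import hmac


def H(data: bytes, times: int = 1) -> bytes:
    """Apply the hash `times` times (stand-in for the S/Key hash function)."""
    for _ in range(times):
        data = hashlib.sha256(data).digest()
    return data


class OtpGate:
    """Hypothetical gatekeeper that releases a passphrase after an OTP check."""

    def __init__(self, chain_top: bytes, passphrase: bytes):
        self.last = chain_top         # H^n(seed): all the OTP check itself needs
        self.passphrase = passphrase  # must be stored here in usable form

    def unlock(self, otp: bytes):
        # A valid OTP is the preimage of the value accepted last time.
        if not hmac.compare_digest(H(otp), self.last):
            return None
        self.last = otp               # the same OTP will now fail (no replay)
        return self.passphrase        # released by the machine, not derived from otp


def demo():
    seed, n = b"constructed-seed", 5                 # constructed sample values
    secret = b"constructed gpg passphrase"
    gate = OtpGate(H(seed, n), secret)
    otp1, otp2 = H(seed, n - 1), H(seed, n - 2)      # what the user would type
    return {
        "first": gate.unlock(otp1),
        "replay": gate.unlock(otp1),
        "second": gate.unlock(otp2),
        "otps_differ": otp1 != otp2,
        "stored_on_gate": gate.passphrase,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A sniffed one-time password is useless for replay, but anyone who controls the machine running `OtpGate` reads the passphrase directly from it.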


More information about the Gnupg-users mailing list