Stuart A Yeates
stuart.yeates at computing-services.oxford.ac.uk
Tue Apr 20 11:56:04 CEST 2004
Samuel ]slund wrote:
> On Tue, Apr 20, 2004 at 08:55:10AM +0100, Stuart A Yeates wrote:
>>Dave Symonds wrote:
>>>I have a slightly unusual setup that I would like to use GnuPG in, and
>>>to ask for some guidance. At my Uni we have a Sun machine that runs all the
>>>mail stuff, and where I mostly prefer to do all my mail reading/composing
>>>However, I don't want to entrust my GPG private key(s) to that system, and
>>>would prefer to keep them on my laptop (or a USB key). What my ideal setup
>>>would be is for my mailer (mutt) running on the mail server to call out to
>>>a little script that would connect securely (via ssh) to my laptop, on
>>>would pop up a window showing the message and prompting for the passphrase
>>>sign that message (encryption isn't so important at the moment). The signed
>>>message would be sent back, and then emailed out.
>>If the Sun is hacked, an attacker can (potentially) see every password
> I do not see this, could you elaborate?
> Any password/secret for the ssh connection is of course lost but how
> would a localy running script that only have two text streams as
> connection to the compromised machine be threatened?
> Assuming the signing is done localy and the recieving ssh session only
> takes the message and no commands as input from the mail server.
> I would worry a little about the possibility of missing a change in the
> text shown before signing. Since you wrote the text you "know" what is
> writen in it and might not read it carfully enough to catch a change.
> If the mail server is compromised such a change is possible.
Let me see if I've understood you correctly:
You have a Sun which does all your you normal mail handling, and at
whose console you do do your computing. You have another laptop
connected to the Sun via a public network which has your secret key.
When you wish to use your public keys you use ssh to start a bash shell
(or similar) on the laptop, transfer your data, perform your operation
and transfer your data back. Possibly you have a script to automate some
of these connection/transfer/opration/transfer steps.
If the Sun is compromised, then your ssh connection and password is
compromised. If your ssh password is compromised then an attacker can
use it to connect to the laptop and get your secret key. If the secret
key has no passphrase, then the attacker has all they need.
If you have a passphrase on your secret key, then to perform the
operation the passphrase must come from somewhere. If it comes across
the ssh connection and the ssh connection has been compromised then your
passphrase can be known to the attacker. If it comes off a disk local to
the laptop and the attacker has you ssh password, then the attacker can
connect to the laptop and collect the passphrase.
If the attacker has access to the sun to install a keylogger (phyicsal
or software) they can access any passwords and phrases you type at the
Another approach is to have a restricted account whose login shell isn't
bash but a script which allows only certain operations to be performed.
If you're very good at writing secure code this might be an option. I'm
not sure you could use any out-of-the-box security scripting solutions
because most of them prioritise the integrety of the system over the
protection of some secret which the script has access to anyway.
Stuart Yeates stuart.yeates at computing-services.oxford.ac.uk
OSS Watch http://www.oss-watch.ac.uk/
Oxford Text Archive http://ota.ahds.ac.uk/
Humbul Humanities Hub http://www.humbul.ac.uk/
More information about the Gnupg-users