gpg-agent partitioning between sessions?

Doug Barton dougb at dougbarton.us
Tue Nov 13 00:07:09 CET 2012


On 11/12/2012 02:59 PM, Pete Ashdown wrote:
> On 11/12/2012 03:52 PM, Doug Barton wrote:
>> What do you mean by that? Are you talking about different users, or do
>> you want to have different key stores for different terminals for the
>> same user? If the latter, why?
>>
> 
> The latter, if someone compromises a system with a running agent, I don't
> want them to have access to everything I have an ssh-key for.  Ssh-agent
> asks for the key password with each new session.  With gpg-agent, all I
> need to do is hit return on the key password and it appears to pass through
> to another gpg-agent so access is granted without any key password prompting.

I'm not sure you're thinking about the problem in the right way. If they
compromise the system, aren't all of your agent sessions vulnerable?

You are much better off setting a reasonable inactivity timeout for your
session. Look at these settings in gpg-agent.conf:


default-cache-ttl N
max-cache-ttl N
default-cache-ttl-ssh N
max-cache-ttl-ssh N

hth,

Doug
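As an added example that is not part of the thread, the following POSIX shell snippet writes the four cache settings Doug lists into gpg-agent.conf and asks a running agent to re-read it; the function names and the chosen values are assumptions, and the ordering check encodes that max-cache-ttl is an absolute lifetime while default-cache-ttl is an idle timeout.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: build a gpg-agent.conf
# that bounds how long cached passphrases stay usable, then reload the agent.
# All values are seconds. The *-ssh variants cover keys served through the
# agent's ssh-agent emulation (enable-ssh-support in gpg-agent.conf).

# Print a gpg-agent.conf body to stdout.
# Arguments: default_ttl max_ttl default_ttl_ssh max_ttl_ssh
render_agent_conf() {
    d="$1"; m="$2"; ds="$3"; ms="$4"
    # default-cache-ttl is an idle timeout (reset on each use), while
    # max-cache-ttl expires the entry a fixed time after it was cached no
    # matter how often it is used, so an idle timeout above the cap is moot.
    [ "$d" -le "$m" ] || { echo "default-cache-ttl exceeds max-cache-ttl" >&2; return 1; }
    [ "$ds" -le "$ms" ] || { echo "default-cache-ttl-ssh exceeds max-cache-ttl-ssh" >&2; return 1; }
    printf '%s\n' \
        "# idle timeout for cached OpenPGP passphrases: ${d}s" \
        "default-cache-ttl $d" \
        "# absolute lifetime for cached OpenPGP passphrases: ${m}s" \
        "max-cache-ttl $m" \
        "# same two limits for keys used via the ssh-agent protocol" \
        "default-cache-ttl-ssh $ds" \
        "max-cache-ttl-ssh $ms"
}

# Write the rendered config into GNUPGHOME (default ~/.gnupg) and make a
# running gpg-agent pick it up without restarting it.
install_agent_conf() {
    conf_dir="${GNUPGHOME:-$HOME/.gnupg}"
    render_agent_conf "$@" > "$conf_dir/gpg-agent.conf" || return 1
    # reloadagent re-reads gpg-agent.conf; the agent keeps running, and the
    # new TTLs apply to entries cached from now on.
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        gpg-connect-agent reloadagent /bye
    fi
    return 0
}

# Example values (assumed, not from the thread): 5 minutes idle, 30 minutes absolute.
# install_agent_conf 300 1800 300 1800
```

Run `install_agent_conf` with your own four numbers; `render_agent_conf` alone lets you inspect the file before writing it.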