Is --export-ssh-key functionality possible with GnuPG 2.0?

Stephan Beck stebe at mailbox.org
Fri Nov 25 14:36:00 CET 2016


Thanks, Peter. [no irony] Wherever you shed your light, I'm a bit more
enlightened.

Peter Lebbing:
> Stephan, thanks for helping out! I think I can improve a bit on one part
> of it, though.
> 
> On 24/11/16 17:51, Stephan Beck wrote:
>> A2) Export the secret subkey you'd like to use for ssh authentication
>> purposes and pipe it through openpgp2ssh
>> gpg2 --export-secret-subkeys \
>>   --export-options export-reset-subkey-passwd [keyID!] | \
>>   openpgp2ssh [keyID] > gpg-auth-keyfile
>>
>> A3) Set correct permissions
>>
>> chmod 0600 gpg-auth-keyfile
> 
> This leaves open a window where the file with your private key might be
> world-readable.

Well, one could and should immediately delete this file. I should have
mentioned it.
Would you please describe in more detail where (or in which way, in
which use case) the window is left open?
AFAIK, nothing more secure than 0600 is available within (secure)
GNU/Linux (Unix) file permissions.
I'm really interested. I'm facing adversaries like the local Jobcenter
mafia with all the allies they have and I need to be better than them.

> 
> The thing I usually do is this:
> 
> $ mkdir safe
> $ chmod 700 safe
> $ cd safe
> $ [... do your stuff ...]
> $ cd ..
> $ rm -rf safe

I see. Yes, even better. A directory as another barrier.
> 
> The directory permissions prevent anyone from getting a handle for your
> file. Even if the file is world-readable, nobody can get towards the
> file. This is not true if you are on an NFS share, though!
> 
> The thing I would expect to actually be in the textbooks is a variation of:
> 
> $ OLD_UMASK=$(umask)
> $ umask 0077
> $ [... do your stuff ...]
> $ umask $OLD_UMASK
> 
> The umask 0077 will create any new files with all access rights cleared
> for group and world. This is your A2 and A3 folded into one, safely,
> without a gap.

Yes, that sounds good. Nice trick putting the OLD_UMASK into a variable
for later recovery.

Cheers

Stephan
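The following script is an added example, not code from Peter's or Stephan's messages. It puts the three variants from the thread side by side so the window can be observed: chmod after creation (A2/A3), the 0700 directory, and umask 0077 with the old umask saved and restored. The gpg2 | openpgp2ssh pipeline is replaced by a constructed placeholder that only writes a dummy file, so it runs without any keys; mode_of assumes GNU coreutils stat(1) with a BSD fallback, and the starting umask of 022 in the first two functions is an assumption chosen because it is the common default.

```shell
#!/bin/sh
# Added example (not from the original thread). Shows why "create, then
# chmod 0600" leaves a gap, and how a 0700 directory or umask 0077 closes it.
# Assumes GNU stat (%a) or BSD stat (%Lp); a default umask of 022 is assumed
# in chmod_after and private_dir to make the gap visible.

# Print the permission bits of a path in octal, e.g. 644, 600 or 700.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed stand-in for:
#   gpg2 --export-secret-subkeys --export-options export-reset-subkey-passwd [keyID!] \
#     | openpgp2ssh [keyID] > "$1"
# It only writes a dummy line; the mode of the file comes from the umask
# in effect when the shell opens "$1" for the redirection, exactly as with gpg2.
fake_export() {
    printf '%s\n' '-----BEGIN PLACEHOLDER PRIVATE KEY-----' > "$1"
}

# A2 + A3 as posted: create under the shell's umask, then chmod.
# With umask 022 the file is 644 until chmod runs. Prints "<before> <after>".
chmod_after() {
    (
        umask 022                       # assumed common default
        fake_export "$1"
        before=$(mode_of "$1")          # observed in the window
        chmod 0600 "$1"
        printf '%s %s\n' "$before" "$(mode_of "$1")"
    )
}

# Peter's directory approach: a 0700 directory stops other users from
# traversing to the file, so the file's own 644 does not matter
# (not true on NFS, as the thread notes). Prints "<dir mode> <file mode>".
private_dir() {
    (
        umask 022                       # assumed common default
        mkdir "$1" && chmod 700 "$1"
        fake_export "$1/key"
        printf '%s %s\n' "$(mode_of "$1")" "$(mode_of "$1/key")"
    )
}

# umask approach: the file is born 0600, no gap. Saves and restores the
# previous umask as in the thread. Prints "<file mode> <umask after restore>".
umask_first() {
    OLD_UMASK=$(umask)
    umask 0077
    fake_export "$1"
    umask "$OLD_UMASK"
    printf '%s %s\n' "$(mode_of "$1")" "$(umask)"
}

# Usage: run the three variants in a scratch directory and show what each yields.
work=$(mktemp -d)
echo "chmod after create : $(chmod_after "$work/a")"      # 644 600
echo "0700 directory     : $(private_dir "$work/safe")"   # 700 644
echo "umask 0077 first   : $(umask_first "$work/c")"
rm -rf "$work"
```

The first line of output is the point of Peter's remark: for the instant between the redirection opening the file and chmod running, the key file is 644. The directory variant leaves the file at 644 but hides it behind a 700 directory, which is why it does not hold on NFS; the umask variant is the only one where the file never has a permissive mode at any moment.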
