Is --export-ssh-key functionality possible with GnuPG 2.0?
Stephan Beck
stebe at mailbox.org
Sat Nov 26 21:33:00 CET 2016
Oh indeed! I didn't catch it at first glance that you were referring to
that short moment between creating the file and chmod 0600!
I thought I missed something with secure file permissions. :-)
I only could say that I was "blinded by the light" you shed, but I won't
Thanks!
Stephan
Peter Lebbing:
> On 25/11/16 14:36, Stephan Beck wrote:
>> Would you please describe more in detail where (or in which way, in
>> which use case) the window is left open?
>
> Let me reuse a bit of quote from an earlier mail:
>
>>>> A2) Export the secret subkey you'd like to use for ssh authentication
>>>> purposes and pipe it through openpgp2ssh
>>>> gpg2 --export-secret-subkeys \
>>>> --export-options export-reset-subkey-passwd [keyID!] | \
>>>> openpgp2ssh [keyID] > gpg-auth-keyfile
>
> Here a file is created with most likely mode 0644. It contains an
> unencrypted private key, and anyone being quick about it can read the
> file until you have time to type....
>
>>>>
>>>> A3) Set correct permissions
>>>>
>>>> chmod 0600 gpg-auth-keyfile
>
> ... and from this moment on it is secure.
>
> If somebody knew beforehand you were going to do this on a multi-user
> system, he could monitor likely directories programmatically and catch
> you in the act. Paranoia mode... on!
>
> HTH,
>
> Peter.
>
More information about the Gnupg-users
mailing list