Is --export-ssh-key functionality possible with GnuPG 2.0?

Stephan Beck stebe at mailbox.org
Sat Nov 26 21:33:00 CET 2016


Oh indeed! I didn't catch at first glance that you were referring to
that short moment between creating the file and chmod 0600!
I thought I had missed something about secure file permissions. :-)

I could only say that I was "blinded by the light" you shed, but I won't

Thanks!

Stephan


Peter Lebbing:
> On 25/11/16 14:36, Stephan Beck wrote:
>> Would you please describe more in detail where (or in which way, in
>> which use case) the window is left open?
> 
> Let me reuse a bit of quote from an earlier mail:
> 
>>>> A2) Export the secret subkey you'd like to use for ssh authentication
>>>> purposes and pipe it through openpgp2ssh
>>>> gpg2 --export-secret-subkeys \
>>>>   --export-options export-reset-subkey-passwd [keyID!] | \
>>>>   openpgp2ssh [keyID] > gpg-auth-keyfile
> 
> Here a file is created with most likely mode 0644. It contains an
> unencrypted private key, and anyone being quick about it can read the
> file until you have time to type....
> 
>>>>
>>>> A3) Set correct permissions
>>>>
>>>> chmod 0600 gpg-auth-keyfile
> 
> ... and from this moment on it is secure.
> 
> If somebody knew beforehand you were going to do this on a multi-user
> system, he could monitor likely directories programmatically and catch
> you in the act. Paranoia mode... on!
> 
> HTH,
> 
> Peter.
> 
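The window Peter describes (between the shell creating gpg-auth-keyfile under the default umask and the chmod 0600 in step A3) can be closed by creating the file with restrictive permissions from the start. The following is an added example, not code from the thread or from GnuPG/monkeysphere: the function names write_secret, write_racy, perms_of, demo_safe and demo_racy_before_chmod are assumptions, and the key material is a constructed placeholder string piped through cat, standing in for the gpg2 | openpgp2ssh pipeline. A second caveat is handled as well: a redirection onto an already existing file keeps that file's old mode, so the writer refuses to clobber.

```shell
#!/bin/sh
# Added example (not from the thread). Shows the 0644-then-chmod race
# from steps A2/A3 and the fix: set umask 077 in a subshell so the file
# is born 0600, and use noclobber so an existing, possibly 0644, file is
# never silently reused. No gpg2/openpgp2ssh is invoked; the payload is
# constructed text standing in for the piped key.

# write_secret: write stdin to $1; the file is created with mode 0600.
# umask and set -C live in the subshell, so the caller's shell is untouched.
# Fails (non-zero) if $1 already exists, instead of truncating it in place.
write_secret() {
    target=$1
    ( umask 077; set -C; cat > "$target" ) 2>/dev/null || return 1
}

# write_racy: the quoted pattern, create under the default umask, then chmod.
# Under a typical umask 022 the file is world-readable until chmod runs.
write_racy() {
    target=$1
    cat > "$target" || return 1
    chmod 0600 "$target"
}

# perms_of: symbolic mode string such as -rw-------; uses ls so it is
# portable across GNU and BSD userlands (stat -c vs stat -f differ).
perms_of() {
    ls -ld "$1" | cut -c1-10
}

# demo_safe: mode of the key file as created by write_secret under umask 022.
demo_safe() {
    dir=$(mktemp -d) || return 1
    (
        umask 022   # typical default, the setting under which the race exists
        printf 'CONSTRUCTED-PRIVATE-KEY-MATERIAL\n' \
            | write_secret "$dir/gpg-auth-keyfile"
        perms_of "$dir/gpg-auth-keyfile"
    )
    rm -rf "$dir"
}

# demo_racy_before_chmod: what another user sees between the redirection
# in A2 and the chmod in A3, i.e. the first half of write_racy only.
demo_racy_before_chmod() {
    dir=$(mktemp -d) || return 1
    (
        umask 022
        printf 'CONSTRUCTED-PRIVATE-KEY-MATERIAL\n' > "$dir/gpg-auth-keyfile"
        perms_of "$dir/gpg-auth-keyfile"
    )
    rm -rf "$dir"
}

# Stand-alone run: print both modes side by side.
if [ "${0##*/}" != "sh" ] && [ -z "${KEYFILE_DEMO_QUIET:-}" ]; then
    echo "racy, before chmod: $(demo_racy_before_chmod)"
    echo "umask 077 subshell: $(demo_safe)"
fi
```

For the real pipeline the same wrapping applies verbatim, e.g. `( umask 077; set -C; gpg2 --export-secret-subkeys --export-options export-reset-subkey-passwd [keyID!] | openpgp2ssh [keyID] > gpg-auth-keyfile )`; the shell opens the output file before either command starts, so the mode is 0600 from the first byte written. Running the pipeline inside a freshly created mode 0700 directory narrows the exposure further, but does not replace the umask, since the file itself is what gets copied elsewhere later.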