Is --export-ssh-key functionality possible with GnuPG 2.0?
stebe at mailbox.org
Sat Nov 26 21:33:00 CET 2016
Oh indeed! I didn't catch it at first glance that you were referring to
that short moment between creating the file and chmod 0600!
I thought I missed something with secure file permissions. :-)
I only could say that I was "blinded by the light" you shed, but I won't
> On 25/11/16 14:36, Stephan Beck wrote:
>> Would you please describe more in detail where (or in which way, in
>> which use case) the window is left open?
> Let me reuse a bit of quote from an earlier mail:
>>>> A2) Export the secret subkey you'd like to use for ssh authentication
>>>> purposes and pipe it through openpgp2ssh
>>>> gpg2 --export-secret-subkeys \
>>>> --export-options export-reset-subkey-passwd [keyID!] | \
>>>> openpgp2ssh [keyID] > gpg-auth-keyfile
> Here a file is created with most likely mode 0644. It contains an
> unencrypted private key, and anyone being quick about it can read the
> file until you have time to type....
>>>> A3) Set correct permissions
>>>> chmod 0600 gpg-auth-keyfile
> ... and from this moment on it is secure.
> If somebody knew beforehand you were going to do this on a multi-user
> system, he could monitor likely directories programmatically and catch
> you in the act. Paranoia mode... on!
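The defensive fix for the window described in the quoted exchange, as an added example that is not part of the thread: apply `umask 077` before the redirect creates the file, so it carries mode 0600 from its first byte instead of being chmod'ed afterwards. A constructed producer function stands in for the `gpg2 ... | openpgp2ssh` pipeline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original thread. The real pipeline would be:
#   gpg2 --export-secret-subkeys --export-options export-reset-subkey-passwd 'KEYID!' \
#     | openpgp2ssh KEYID > gpg-auth-keyfile
# fake_key_producer below is a constructed stand-in for that pipeline.

# Constructed stand-in: emits fake key material instead of a real private key.
fake_key_producer() {
    printf '%s\n' '-----BEGIN CONSTRUCTED FAKE KEY-----' \
                  'not a real key' \
                  '-----END CONSTRUCTED FAKE KEY-----'
}

# Permission string of a file, e.g. "-rw-------"; works with GNU and BSD ls.
perm_string() {
    ls -l "$1" | cut -c1-10
}

# Returns 0 when the file is readable and writable by its owner only.
is_owner_only() {
    [ "$(perm_string "$1")" = "-rw-------" ]
}

# Safe variant: the subshell sets umask 077, so the shell opens the output
# file with mode 0600 before a single byte is written. The caller's umask
# is left untouched and no later chmod is needed.
write_key_file_safely() {
    ( umask 077; fake_key_producer > "$1" )
}

# The pattern quoted in the thread, kept for comparison: with a typical
# umask of 022 the redirect creates a 0644 file, and the unencrypted key is
# world-readable until chmod runs. The function prints the mode observed in
# that window so the difference is visible.
demo_window() {
    ( umask 022; fake_key_producer > "$1" )
    perm_string "$1"        # prints -rw-r--r--: the open window
    chmod 0600 "$1"         # closed only now
}

# Stand-alone demo in a temporary directory.
demo_dir=$(mktemp -d)
write_key_file_safely "$demo_dir/safe-keyfile"
echo "safe:   $(perm_string "$demo_dir/safe-keyfile")"
echo "window: $(demo_window "$demo_dir/window-keyfile")"
rm -rf "$demo_dir"
```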