From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] ssh-agent
Date: Fri, 16 Feb 2007 17:54:26 +0000

On Monday 12 February 2007 23:26, Justin Patrin wrote:
> On 11/21/06, Jorge Almeida wrote:
> > On Tue, 21 Nov 2006, Mick wrote:
> > >>> They are only stored in locked memory; they are never on disk
> > >>> unencrypted. Anyone that can read locked memory can access them, but
> > >>> this is very few users/processes on Linux -- and besides those same
> > >>> users will be able to read the key as you authenticate even if you
> > >>> don't use ssh-agent, as long as they time things right.
> > >>
> > >> OK, this sounds better! I posted to the gnupg-users, asking a similar
> > >> question about gpg-agent. I guess gpg-agent works the same way.
> > >
> > > Please post back your findings!
> >
> > Well, no responses yet in the gnupg-users list, so there are no findings
> > to post! (Let's wait at least a few hours :))
> >
> > > What happens to the /tmp/ directory & socket file after the user logs
> > > out? Does it get deleted by the ssh-agent shutdown script?
> >
> > I didn't start using ssh-agent yet, but I tested it from the command
> > line and the directory was removed when I killed the ssh-agent process.
> >
> > > I am asking this because I seem to continuously accumulate a load of
> > > gpg-agent directories and socket files into my /tmp. Unless of course
> > > gpg-agent works
> >
> > I suppose that has to do with the agent(s) working as daemons? I don't
> > like that kind of setup. This is what I intend to (try to) do:
> >
> > - One fixed socket, in some dedicated directory (no /tmp, no random name
> >   for the socket)
> > - The socket name as a fixed env variable, set in the shell config files
> > - Hence, no need to eval, etc.
> > - No daemon (i.e. no backgrounding). Just a service supervised by
> >   daemontools. Logs go to a directory of my choosing and if the agent
> >   dies, it is resurrected, and the socket (with the same name) is
> >   recreated (of course, keys must be added, then)
> > - A perl script to interact with the service, just in case.
> >
> > I think this is not difficult to do, unless I grossly misunderstood
> > something essential. (Comments, anyone?) I just don't see the need to
> > run the agent as subordinate of an X session or whatever (please someone
> > correct me if I'm wrong!) And if I don't want the service running when
> > I'm not logged in, I could bring it down with the perl script (in
> > ~/.bash_logout, maybe?)
> > For gpg-agent, I'm not so sure, but I hope it can be done too.
> >
> > > on a different principle altogether. My start-up & shutdown scripts
> > > are in /etc/X11/Sessions/fluxbox. Are they correct for this task?
> > > ====================================================
> > > eval "$(gpg-agent --daemon)"
> > > /usr/bin/startfluxbox
> > > kill `echo ${GPG_AGENT_INFO} | cut -d ':' -f 2`
> > > ====================================================
> > >
> > > Or should I have another line to 'rm -Rf /tmp/gpg-*'
>
> ssh-agent /bin/sh
>
> When you exit the shell, ssh-agent exits too (after cleaning up).
> Running the agent as a daemon means you have to tell it when to shut
> down as well (how would it know when to stop?).

Thanks Justin. The ssh-agent may clean up after its own lock-files, but the
gpg-agent doesn't, at least not when using my script above. My /tmp is full
of gpg-xxxx lock-files, which, in the absence of a better solution, I manually
delete every now and then.

-- 
Regards,
Mick

-- 
gentoo-user@gentoo.org mailing list
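Mick's closing question is whether to add a blanket `rm -Rf /tmp/gpg-*` to the fluxbox session script. The function below is an added example, not code from the thread or from GnuPG: it parses the same `GPG_AGENT_INFO` variable his script already uses (assumed to have the GnuPG 1.4/2.0 shape `socket_path:pid:protocol_version`), signals only that agent, and removes only that agent's socket directory, refusing any path that does not look like a gpg-agent directory so a tampered or mis-set variable cannot turn the cleanup into `rm -rf` of something else.

```shell
#!/bin/sh
# Added example (not from the thread): shut down the gpg-agent named in
# GPG_AGENT_INFO and remove only its socket directory, instead of a blanket
# 'rm -Rf /tmp/gpg-*'.  Assumes the GnuPG 1.4/2.0 variable format
# "socket_path:pid:protocol_version".  Takes the value as $1, falling back
# to the environment variable.
gpg_agent_cleanup() {
    info="${1:-$GPG_AGENT_INFO}"
    [ -n "$info" ] || { echo "GPG_AGENT_INFO not set" >&2; return 1; }

    sock="${info%%:*}"          # first field: path of S.gpg-agent
    rest="${info#*:}"
    pid="${rest%%:*}"           # second field: agent pid
    dir="$(dirname "$sock")"

    # Only ever remove a directory that looks like gpg-agent's own
    # (/tmp/gpg-XXXXXX); never an arbitrary path from a bad variable.
    case "$(basename "$dir")" in
        gpg-*) ;;
        *) echo "refusing to remove non-gpg-agent dir: $dir" >&2; return 1 ;;
    esac

    # The pid must be purely numeric before it is passed to kill.
    case "$pid" in
        ''|*[!0-9]*) echo "bad pid in GPG_AGENT_INFO: $pid" >&2; return 1 ;;
    esac

    # Ask the agent to exit (ignore failure if it has already gone), then
    # remove the socket and its directory.  rmdir first so an unexpectedly
    # non-empty directory is only removed recursively as a fallback.
    kill "$pid" 2>/dev/null || true
    rm -f "$sock"
    rmdir "$dir" 2>/dev/null || rm -rf "$dir"
    return 0
}
```

In the original session script this replaces the `kill \`echo ${GPG_AGENT_INFO} | cut -d ':' -f 2\`` line with `gpg_agent_cleanup`, run after `/usr/bin/startfluxbox` returns.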