From: "Justin Patrin"
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] ssh-agent
Date: Mon, 12 Feb 2007 15:26:58 -0800
Message-ID: <432beae0702121526t40019696k9c9b18c9ec150684@mail.gmail.com>
References: <200611211224.44524.bss03@volumehost.net> <200611212116.02233.michaelkintzios@gmail.com>
List-Id: Gentoo Linux mail
On 11/21/06, Jorge Almeida wrote:
> On Tue, 21 Nov 2006, Mick wrote:
>
>>> They are only stored in locked memory; they are never on disk
>>> unencrypted. Anyone that can read locked memory can access them, but this
>>> is very few users/processes on Linux -- and besides those same users will
>>> be able to read the key as you authenticate even if you don't use
>>> ssh-agent, as long as they time things right.
>>
>> OK, this sounds better! I posted to the gnupg-users, asking a similar
>> question about gpg-agent. I guess gpg-agent works the same way.
>
> > Please post back your findings!
>
> Well, no responses yet in the gnupg-users list, so there are no findings
> to post! (Let's wait at least a few hours :))
>
> > What happens to the /tmp/ directory & socket file after the user logs out?
> > Does it get deleted by the ssh-agent shutdown script?
> >
> I didn't start using ssh-agent yet, but I tested it from the command
> line and the directory was removed when I killed the ssh-agent process.
>
> > I am asking this because I seem to continuously accumulate a load of gpg-agent
> > directories and socket files into my /tmp. Unless of course gpg-agent works
>
> I suppose that has to do with the agent(s) working as daemons? I don't
> like that kind of setup. This is what I intend to (try to) do:
>
> - One fixed socket, in some dedicated directory (no /tmp, no random name
>   for the socket)
> - The socket name as a fixed env variable, set in the shell config files
> - Hence, no need to eval, etc.
> - No daemon (i.e. no backgrounding). Just a service supervised by
>   daemontools. Logs go to a directory of my choosing and if the agent
>   dies, it is resurrected, and the socket (with the same name) is
>   recreated (of course, keys must be added, then)
> - A perl script to interact with the service, just in case.
>
> I think this is not difficult to do, unless I grossly misunderstood
> something essential. (Comments, anyone?) I just don't see the need to
> run the agent as subordinate of an X session or whatever (please someone
> correct me if I'm wrong!) And if I don't want the service running when
> I'm not logged in, I could bring it down with the perl script (in
> ~/.bash_logout, maybe?)
> For gpg-agent, I'm not so sure, but I hope it can be done too.
>
> > on a different principle altogether. My start up & shutdown scripts are
> > in /etc/X11/Sessions/fluxbox. Are they correct for this task?
> > ================================================
> > eval "$(gpg-agent --daemon)"
> > /usr/bin/startfluxbox
> > kill `echo ${GPG_AGENT_INFO} | cut -d ':' -f 2`
> > ================================================
> >
> > Or should I have another line to 'rm -Rf /tmp/gpg-*'
> >

ssh-agent /bin/sh

When you exit the shell, ssh-agent exits too (after cleaning up).
Running the agent as a daemon means you have to tell it when to shut
down as well (how would it know when to stop?).

--
Justin Patrin
--
gentoo-user@gentoo.org mailing list
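The two agent lifecycles contrasted in the reply (agent as parent of a command versus detached daemon that must be told to stop), together with the fixed-socket layout Jorge proposes, as an added shell example that is not part of the thread. It assumes OpenSSH's ssh-agent and ssh-add on PATH; the socket path under a mktemp directory and the function names are this example's own choices, not anything from the list.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumes OpenSSH ssh-agent and ssh-add are on PATH.

# Poll for up to 15 seconds until a path disappears. The agent removes its
# socket asynchronously: in command mode it discovers that its parent is gone
# by polling, so cleanup can lag the command's exit by several seconds.
wait_gone() {
    i=0
    while [ -e "$1" ] && [ "$i" -lt 15 ]; do
        sleep 1
        i=$((i + 1))
    done
    [ ! -e "$1" ]
}

# Daemon mode (what eval "$(ssh-agent -s)" in a session script gives you):
# the agent backgrounds itself behind a random /tmp/ssh-XXXXXXXXXX/agent.<pid>
# socket and keeps running until something sends it SIGTERM. Returns 0 when
# the agent answered ssh-add and was removed by an explicit ssh-agent -k.
agent_daemon_mode() {
    eval "$(ssh-agent -s)" >/dev/null || return 1
    [ -S "$SSH_AUTH_SOCK" ] || return 1
    # ssh-add -l exits 1 when the agent answered but holds no keys,
    # and 2 when it could not reach an agent at SSH_AUTH_SOCK.
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 1 ] || { ssh-agent -k >/dev/null 2>&1; return 1; }
    # Nothing stops this agent at logout unless the session script does it.
    ssh-agent -k >/dev/null 2>&1 || return 1
    wait_gone "$SSH_AUTH_SOCK"
}

# Command mode with a fixed socket (Jorge's layout, minus the supervisor):
# ssh-agent -a PATH binds where we say instead of under /tmp, and giving the
# agent a command ties its life to that command, exactly as "ssh-agent /bin/sh"
# does for an interactive shell. Returns 0 when the child saw a live socket at
# the chosen path and the agent unlinked it after the child exited.
agent_fixed_socket_command_mode() {
    dir=$(mktemp -d) || return 1
    sock="$dir/agent.sock"          # arbitrary fixed path chosen for the demo
    rc=0
    ssh-agent -a "$sock" \
        sh -c '[ "$SSH_AUTH_SOCK" = "$1" ] && [ -S "$1" ]' sh "$sock" || rc=$?
    gone=0
    wait_gone "$sock" || gone=$?
    rmdir "$dir" 2>/dev/null
    [ "$rc" -eq 0 ] && [ "$gone" -eq 0 ]
}
# Caveat for a supervisor that restarts the agent: -a refuses to bind if the
# path already exists, so a stale socket left behind by a crash must be
# removed before the restart (the agent only unlinks it on an orderly exit).

case "${1:-}" in
    run)
        agent_daemon_mode && echo "daemon mode: started, answered, stopped only on request"
        agent_fixed_socket_command_mode && echo "command mode: socket removed once the command exited"
        ;;
esac
```

Run it as `sh agent-lifecycle.sh run`. The daemon-mode function is the shape of Mick's fluxbox script (start, do work, kill by pid); the command-mode function is the shape of the reply's `ssh-agent /bin/sh`, with `-a` added so the socket lands at a predictable path instead of a random /tmp directory.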