On 07/01/2017 07:30 PM, Shawn K. Quinn wrote:
> On 07/01/2017 03:17 PM, Steve Kinney wrote:
>> Last time I checked, this bug was dismissed by Debian as a non-issue,
>> saying that exploiting it would require physical access to the machine
>> and "physical access is game over." That's an excuse to leave the bug
>> in place, not a reason. I am sure present company can provide several
>> examples of cases where the presence of gnupg-agent in its present
>> broken condition "is game over" for the user.
>
> Are you sure you didn't accidentally save your passphrase to your GNOME
> password manager (seahorse)? I thought I had the same problem where
> passphrases were being cached far longer than they should be, until I
> found this "helpful" remembering of my passphrase (which I have since
> fixed).

Quite sure: Taking measures to specifically deny the passphrase to
gnupg-agent fixed the problem at once. Also, I was using KDE4 at the
time, on a system where Cinnamon is the default desktop.

> I'm going to do some further testing; I have explicitly added the
> supposed default TTL values to gpg-agent.conf and I will see if I still
> have issues.

I created gpg-agent.conf and put it in the right directory per the man
page, because it was not there... and it had no effect. Especially
disturbing because, although I never have a reason to type a GPG pass
phrase as an administrator, logging out of my user account did not
remove the pass phrase from memory. Nothing short of powering off did
the job.

:o/