Package: gnupg-agent
Version: 2.0.14-2
Severity: normal

gpg-agent's ssh-agent capabilities are reporting success while
ignoring the user's command to remove a secret key from its key store.

You can see it this way:

 # create an ssh secret key for testing purposes:
 ssh-keygen -q -t rsa -b 1024 -f testkey -N abc123
 # launch a new shell wrapped by the gpg-agent's ssh-agent capabilities:
 gpg-agent --enable-ssh-support --daemon sh


Within the new shell, do:

 ssh-add -l ## should be no identities listed
 ssh-add testkey
 ssh-add -l ## should be one identity listed (testkey)
 ssh-add -d testkey
 ssh-add -l ## should be no identities listed, but testkey remains

At the very least, if gpg-agent's ssh-agent support is incapable of
removing cached identities, it should return a failure, the way it
does for ssh-add -D.  Otherwise, users of ssh-add -d are being
deceived into thinking that they have safely disposed of the cached
copy of their secret key material.

Between this and the fact that the undeletable cached secret keys are
actually stored on disk (in $GNUPGHOME/private-keys-v1.d/), I consider
this to be fairly irresponsible treatment of sensitive material by a
tool that users expect to know better. :(

     --dkg

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.36-rc6-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages gnupg-agent depends on:
ii  libc6                         2.11.2-6   Embedded GNU C Library: Shared lib
ii  libgcrypt11                   1.4.5-2    LGPL Crypto library - runtime libr
ii  libgpg-error0                 1.6-1      library for common error values an
ii  libpth20                      2.0.7-16   The GNU Portable Threads
ii  libreadline6                  6.1-3      GNU readline and history libraries
ii  pinentry-gtk2 [pinentry]      0.8.0-1    GTK+-2-based PIN or pass-phrase en

Versions of packages gnupg-agent recommends:
ii  gnupg                         1.4.10-4.1 GNU privacy guard - a free PGP rep
ii  gnupg2                        2.0.14-2   GNU privacy guard - a free PGP rep

gnupg-agent suggests no packages.

-- no debconf information
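As an added check, not part of dkg's report or of the gnupg sources: a small POSIX sh harness that performs the reproduction steps above and compares the `ssh-add -l` listing taken before and after `ssh-add -d`, so the "success but key still listed" outcome is reported as a failure instead of being missed. It assumes ssh-keygen and ssh-add are on PATH and that an agent is reachable through $SSH_AUTH_SOCK (start it as `gpg-agent --enable-ssh-support --daemon sh ./ssh-add-d-check.sh run`); the helper names and the script file name are made up for the example, the test key gets an empty passphrase instead of the report's abc123 so that no pinentry prompt blocks an unattended run, and the file count in private-keys-v1.d is only a coarse proxy for on-disk retention, since files there are named by keygrip rather than by the ssh file name.

```shell
#!/bin/sh
# Added reproduction harness for the ssh-add -d behaviour described in the
# report above. Example code, not part of the original bug report or of
# gnupg. Helper names (count_identities, identity_listed, check_removal,
# run_repro) are made up for this example.

# count_identities LISTING: number of identities in `ssh-add -l` output.
# OpenSSH prints "The agent has no identities." for an empty agent, so that
# line (and blank lines) must not be counted as a key.
count_identities() {
    printf '%s\n' "$1" \
        | grep -v -e '^The agent has no identities\.' -e '^[[:space:]]*$' \
        | grep -c . || true
}

# identity_listed FINGERPRINT LISTING: succeed if a key whose fingerprint
# contains FINGERPRINT is present in the `ssh-add -l` output.
identity_listed() {
    printf '%s\n' "$2" | grep -q -F -- "$1"
}

# check_removal BEFORE AFTER FINGERPRINT: compare `ssh-add -l` output taken
# before and after `ssh-add -d`. Return 0 only if the key really went away;
# 1 is the failure the report describes (the agent still holds the key).
check_removal() {
    before=$1; after=$2; fp=$3
    if ! identity_listed "$fp" "$before"; then
        echo "key $fp was never loaded into the agent"
        return 2
    fi
    if identity_listed "$fp" "$after"; then
        echo "REMOVAL FAILED: $fp is still held by the agent"
        return 1
    fi
    echo "removed: $fp no longer listed"
    return 0
}

# run_repro: perform the report's steps against whatever agent is reachable
# via $SSH_AUTH_SOCK. Unlike the report, the test key gets an empty
# passphrase so no pinentry prompt blocks an unattended run. Also counts
# the files in private-keys-v1.d, where the report says gpg-agent persists
# the key (coarse proxy: files there are named by keygrip).
run_repro() {
    for tool in ssh-keygen ssh-add; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found"; return 3; }
    done
    keydir=$(mktemp -d) || return 3
    storedir=${GNUPGHOME:-$HOME/.gnupg}/private-keys-v1.d
    ssh-keygen -q -t rsa -b 2048 -f "$keydir/testkey" -N '' || return 3
    # ssh-add -l uses the same fingerprint format as ssh-keygen -l on the
    # same OpenSSH version, so the second field can be matched literally.
    fp=$(ssh-keygen -l -f "$keydir/testkey.pub" | awk '{print $2}')
    files_before=$(ls "$storedir" 2>/dev/null | wc -l)

    ssh-add "$keydir/testkey" >/dev/null 2>&1
    before=$(ssh-add -l 2>/dev/null || true)
    if ssh-add -d "$keydir/testkey" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    after=$(ssh-add -l 2>/dev/null || true)
    files_after=$(ls "$storedir" 2>/dev/null | wc -l)

    echo "identities before/after ssh-add -d: $(count_identities "$before")/$(count_identities "$after")"
    echo "ssh-add -d exit status: $rc"
    echo "files in $storedir before/after: $files_before/$files_after"
    check_removal "$before" "$after" "$fp"
    result=$?
    rm -rf "$keydir"
    return $result
}

# Run the live reproduction only when invoked as: sh ./ssh-add-d-check.sh run
if [ "${1:-}" = run ]; then
    run_repro
fi
```

A correct agent makes check_removal return 0 with `ssh-add -d` exiting 0; the behaviour in the report shows up as exit status 0 from `ssh-add -d` together with check_removal returning 1, which is exactly the combination a user running `ssh-add -d` by hand would not notice.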