On 11/21/06, Jorge Almeida <[EMAIL PROTECTED]> wrote:
On Tue, 21 Nov 2006, Mick wrote:
>>> They are only stored in locked memory; they are never on disk
>>> unencrypted. Anyone that can read locked memory can access them, but this
>>> is very few users/processes on Linux -- and besides those same users will
>>> be able to read the key as you authenticate even if you don't use
>>> ssh-agent, as long as they time things right.
>>
>> OK, this sounds better! I posted to the gnupg-users, asking a similar
>> question about gpg-agent. I guess gpg-agent works the same way.
>
> Please post back your findings!
>
Well, no responses yet in the gnupg-users list, so there are no findings
to post!  (Let's wait at least a few hours :))

> What happens to the /tmp/ directory & socket file after the user logs out?
> Does it get deleted by the ssh-agent shutdown script?
>
I didn't start using ssh-agent yet, but I tested it from the command
line and the directory was removed when I killed the ssh-agent process.
> I am asking this because I seem to continuously accumulate a load of gpg-agent
> directories and socket files into my /tmp.  Unless of course gpg-agent works
I suppose that has to do with the agent(s) working as daemons? I don't
like that kind of setup. This is what I intend to (try to) do:

- One fixed socket, in some dedicated directory (no /tmp, no random name
   for the socket)
- The socket name as a fixed env variable, set in the shell config files
- Hence, no need to eval, etc
- No daemon (i.e. no backgrounding). Just a service supervised by
   daemontools. Logs go to a directory of my choosing and if the agent
   dies, it is resurrected, and the socket (with the same name) is
   recreated (of course, keys must be added, then)
- A perl script to interact with the service, just in case.

I think this is not difficult to do, unless I grossly misunderstood
something essential. (Comments, anyone?) I just don't see the need to
run the agent as subordinate of an X session or whatever (please someone
correct me if I'm wrong!) And if I don't want the service running when
I'm not logged in, I could bring it down with the perl script (in
~/.bash_logout, maybe?)
For gpg-agent, I'm not so sure, but I hope it can be done too.

> on a different principle altogether.  My start up & shutdown scripts are
> in /etc/X11/Sessions/fluxbox.  Are they correct for this task?
> ================================================
> eval "$(gpg-agent --daemon)"
> /usr/bin/startfluxbox
> kill `echo ${GPG_AGENT_INFO} | cut -d ':' -f 2`
> ================================================
>
> Or should I have another line to 'rm -Rf /tmp/gpg-*'
>


ssh-agent /bin/sh

When you exit the shell, ssh-agent exits too (after cleaning up).
Running the agent as a daemon means you have to tell it when to shut
down as well (how would it know when to stop?).

--
Justin Patrin
--
gentoo-user@gentoo.org mailing list
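Added example, not code posted by anyone in this thread: a sourceable sh fragment that implements Jorge's fixed-socket plan for ssh-agent (private directory, fixed name, no eval) and the logout cleanup Mick asks about, with the pid parsing done the way Mick's `cut -d ':' -f 2` does it but refusing non-numeric input. It assumes OpenSSH's ssh-agent accepts `-a <socket>` and that `ssh-add -l` exits 2 when no agent is reachable; the function names (`is_pid`, `agent_pid_from_info`, `ensure_agent_dir`, `start_agent`, `stop_agent`) are mine.

```shell
# Added example, not code from the thread. Runs ssh-agent on a fixed socket in a
# private directory (Jorge's plan) and tears it down at logout (Mick's question).
# Assumes OpenSSH's ssh-agent (-a <socket>) and that ssh-add -l exits 2 when no
# agent is reachable.
AGENT_DIR="${AGENT_DIR:-$HOME/.ssh/agent}"   # dedicated directory, not /tmp
AGENT_SOCK="$AGENT_DIR/sock"                 # fixed name: no eval, no random path
AGENT_PIDFILE="$AGENT_DIR/pid"

# True only for a purely numeric pid; guards every kill below.
is_pid() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Extract the pid from a GPG_AGENT_INFO-style "socketpath:pid:version" string
# (what Mick's cut -d ':' -f 2 does), but fail instead of printing garbage.
agent_pid_from_info() {
    pid=$(printf '%s' "$1" | cut -d ':' -f 2)
    is_pid "$pid" && printf '%s\n' "$pid"
}

# Create the socket directory, owned by us and mode 0700. Refuses a symlink,
# which could otherwise redirect the socket into a directory others can read.
ensure_agent_dir() {
    dir="$1"
    [ ! -L "$dir" ] || return 1
    mkdir -p "$dir" || return 1
    [ -d "$dir" ] && [ -O "$dir" ] || return 1
    chmod 700 "$dir"
}

# Start the agent on the fixed socket unless one already answers there.
start_agent() {
    ensure_agent_dir "$AGENT_DIR" || return 1
    export SSH_AUTH_SOCK="$AGENT_SOCK"
    rc=0; ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ] && return 0              # 0 = keys loaded, 1 = empty: agent alive
    rm -f "$AGENT_SOCK"                      # stale socket left by a dead agent
    ssh-agent -a "$AGENT_SOCK" | sed -n 's/^echo Agent pid \([0-9]*\);.*/\1/p' > "$AGENT_PIDFILE"
    is_pid "$(cat "$AGENT_PIDFILE")"
}

# Stop the agent and remove its socket (for ~/.bash_logout). Only signals the
# pid if it still belongs to an ssh-agent, so a recycled pid is never killed.
stop_agent() {
    pid=$(cat "$AGENT_PIDFILE" 2>/dev/null)
    is_pid "$pid" || return 1
    case "$(ps -o comm= -p "$pid" 2>/dev/null)" in
        *ssh-agent*) kill "$pid" || return 1 ;;
        *) return 1 ;;
    esac
    rm -f "$AGENT_SOCK" "$AGENT_PIDFILE"
}
```

Source it from the login shell's rc file and call `start_agent`; with the socket name fixed, every new shell only needs `export SSH_AUTH_SOCK="$HOME/.ssh/agent/sock"` rather than an eval.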
