Hello,

I'm using the GnuPG card for signing, SSH, password-store (Firefox web passwords) and locking/unlocking the KDE desktop on card insert or withdraw. After resolving some technical (FreeBSD) issues, I now have it in daily use on my netbook and my workstation in the office.

One problem obviously comes to mind: Someone with priv access to your workstation, for example IT personnel, could relatively easily steal your passwords, just setting your environment and waiting for the moment that you have unlocked the card with the PIN; then he/she could run as root:

    # GNUPGHOME=/home/guru/.gnupg-ccid export GNUPGHOME
    # PASSWORD_STORE_DIR=/home/guru/.password-store export PASSWORD_STORE_DIR
    # pass Business/cheese-whiz-factory
    gpg: WARNING: unsafe ownership on homedir '/home/guru/.gnupg-ccid'
    cheese

It would also not help to just withdraw the card after any short usage, for example to fire up an SSH session. The attacker could just sit in the background waiting for this short moment, which is long enough to copy all your passwords into clear mode and send them away.

How is this supposed to be managed?

	matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Who does not celebrate lost the War.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
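The session in the message above trips gpg's "unsafe ownership on homedir" warning because root points GNUPGHOME at a directory owned by another user. The following is an added example, not part of the original message: a detection-side check for that same condition over process records. The function names, the record layout and the uid 1001 for guru are assumptions made for illustration, and collecting the records from the running system is left out.

```python
import os

# Variables the session in the message uses to redirect gpg and pass.
WATCHED_VARS = ("GNUPGHOME", "PASSWORD_STORE_DIR")

def foreign_store_findings(euid, environ, owner_of=None):
    """Return [(var, path, owner_uid)] for each watched variable whose
    directory is owned by a uid other than the process's effective uid."""
    if owner_of is None:
        owner_of = lambda path: os.stat(path).st_uid  # real filesystem lookup
    findings = []
    for var in WATCHED_VARS:
        path = environ.get(var)
        if not path:
            continue
        try:
            owner = owner_of(path)
        except OSError:
            continue  # directory does not exist, nothing to compare
        if owner != euid:
            findings.append((var, path, owner))
    return findings

def audit(processes, owner_of=None):
    """processes: iterable of (pid, euid, environ dict). Returns report lines."""
    report = []
    for pid, euid, environ in processes:
        for var, path, owner in foreign_store_findings(euid, environ, owner_of):
            report.append(f"pid {pid} (euid {euid}): {var}={path} owned by uid {owner}")
    return report

# Constructed sample data: guru is assumed to be uid 1001, pids are made up.
SAMPLE_OWNERS = {"/home/guru/.gnupg-ccid": 1001, "/home/guru/.password-store": 1001}

def sample_owner(path):
    if path not in SAMPLE_OWNERS:
        raise FileNotFoundError(path)
    return SAMPLE_OWNERS[path]

SAMPLE_PROCESSES = [
    (4242, 1001, {"GNUPGHOME": "/home/guru/.gnupg-ccid"}),       # guru's own session
    (5150, 0, {"GNUPGHOME": "/home/guru/.gnupg-ccid",            # root, as in the message
               "PASSWORD_STORE_DIR": "/home/guru/.password-store"}),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PROCESSES, sample_owner):
        print(line)
```

Such a check is best-effort only: whoever holds root can also tamper with the process listing or the monitoring itself, so it does not answer the question of how to protect an unlocked card from a privileged user.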