Re: Using gnupg to crypt credentials used by application to access a database server

2018-07-17 Thread Werner Koch
On Mon, 16 Jul 2018 09:51, w...@gnupg.org said:

> If you use a smartcard there is a hack in scdaemon which allows to work
> without a PIN. 

Here is what scdaemon's code has to say about this hack:

   GnuPG makes special use of the login-data DO, this function parses
   the login data to store the flags for later use.  It may be called
   at any time and should be called after changing the login-data DO.

   Everything up to a LF is considered a mailbox or account name.  If
   the first LF is followed by DC4 (0x14) control sequences are
   expected up to the next LF.  Control sequences are separated by FS
   (0x18) and consist of key=value pairs.  There are two keys defined:

   F=<FLAGS>

   Where FLAGS is a plain hexadecimal number representing flag values.
   The lsb is here the rightmost bit.  Defined flags bits are:

     Bit 0 = CHV1 and CHV2 are not synchronized
     Bit 1 = CHV2 has been set to the default PIN of "123456"
             (this implies that bit 0 is also set).

   P=<PINPAD_REQUEST>

   Where PINPAD_REQUEST is in the format of: <N> or <N>,<M>.
   N for user PIN, M for admin PIN.  If M is missing it means M=N.
   0 means to force not to use pinpad.

I have not used this for ages but something like

  $ printf "\n\x14F=03\x18" >login.data
  $ gpg --card-edit
  gpg/card> admin
  gpg/card> login <login.data

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
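As an added illustration (not code from the thread or from GnuPG itself), here is a small Python encoder and decoder for the login-data layout the quoted scdaemon comment describes, using the separator values exactly as the comment gives them; `build_login_data("", 3)` yields the same bytes as the `printf` line above, and the parser shows how the F= and P= control sequences are decoded.

```python
from typing import Optional, Tuple

# Separators as given in the quoted scdaemon comment (FS is quoted there
# as 0x18, so that value is used here unchanged).
LF = b"\n"
DC4 = bytes([0x14])
FS = bytes([0x18])


def build_login_data(account: str, flags: Optional[int] = None,
                     pinpad: Optional[Tuple[int, int]] = None) -> bytes:
    """Account name, then LF DC4 and FS-separated key=value pairs."""
    out = account.encode()
    ctrl = []
    if flags is not None:
        ctrl.append(b"F=%02X" % flags)          # plain hex flag value
    if pinpad is not None:
        n, m = pinpad                           # user PIN, admin PIN
        ctrl.append((b"P=%d" % n) if m == n else (b"P=%d,%d" % (n, m)))
    if ctrl:
        out += LF + DC4 + FS.join(ctrl) + FS
    return out


def parse_login_data(data: bytes) -> dict:
    """Decode account name plus the F= and P= control sequences."""
    account, sep, rest = data.partition(LF)
    info = {"account": account.decode(errors="replace"),
            "chv_unsynced": False, "chv2_default_pin": False,
            "pinpad_user": None, "pinpad_admin": None}
    if not sep or not rest.startswith(DC4):
        return info                             # no control sequences
    ctrl = rest[len(DC4):].split(LF, 1)[0]      # they end at the next LF
    for item in ctrl.split(FS):
        key, eq, value = item.partition(b"=")
        if not eq:
            continue                            # empty or malformed entry
        if key == b"F":
            bits = int(value, 16)               # lsb is the rightmost bit
            info["chv_unsynced"] = bool(bits & 1)
            info["chv2_default_pin"] = bool(bits & 2)
        elif key == b"P":
            parts = value.split(b",", 1)        # <N> or <N>,<M>
            n = int(parts[0])
            m = int(parts[1]) if len(parts) > 1 else n   # missing M => M=N
            info["pinpad_user"], info["pinpad_admin"] = n, m
    return info
```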


Re: Forwarding both gpg and ssh agents

2018-07-17 Thread Peter Lebbing
On 16/07/18 23:35, Chris Coutinho wrote:
> Although some sources note the potential security holes of
> using this method, it works great for my use case

Well, yes, even the man page warns about the security implications. 
There's a reason I said "it's quite a while back" :-). I try to avoid 
it. The security implications are severe.

If it's just about passing a firewall, the ProxyJump / -J options of 
OpenSSH are much more useful. You can even chain them easily to pass 
ever more firewalls :-).

ssh -J outerbastion.example.org -J nextlayer.example.org destination.example.org

> https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/

The ProxyCommand mentioned there has been made more convenient with the 
ProxyJump option that was added later; especially if we're talking about 
multiple jump hosts.

Agent forwarding is really about connecting two remote hosts together, 
which Proxy can't do.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 


