Re: A postmortem on Efail

2018-05-20 Thread Dmitrii Tcvetkov
On Sun, 20 May 2018 02:26:47 -0400
"Robert J. Hansen"  wrote:

> Writing just for myself -- not for GnuPG and not for Enigmail and
> definitely not for my employer -- I put together a postmortem on
> Efail. You may find it worth reading.  You may also not.  Your
> mileage will probably vary.  :)
> 
> https://medium.com/@cipherpunk/efail-a-postmortem-4bef2cea4c08
> 
Thank you for the postmortem.

I don't know any users of GnuPG who still have to work with non-MDC
OpenPGP messages (frankly, I don't know any GnuPG users IRL, but I'm
working on it). But it seems to me that GnuPG is so widespread because
it was so stable and there were no breaking upgrades, so users didn't
expect any breaking change at all.

I, as a user, don't need support for non-MDC messages and surely not
for PGP 2.6, but I can imagine how challenging it can be to upgrade a
system which was state-of-the-art years ago but is obsolete now. Really
it's not an upgrade, but a rebuild from scratch. And some parts of the
system are probably proprietary, so cooperation from vendors is
required. And the fact that obsolete features weren't dropped due to
user feedback means that GnuPG upstream understands this too. But
something has to change; it can't go on like this forever, we do need
breaking changes to remove outdated parts.
I trust upstream's judgement.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: use gpg-agent for ssh login

2018-05-04 Thread Dmitrii Tcvetkov
> On 04/05/18 08:58, Dmitrii Tcvetkov wrote:
> > gpg-agent will list identity only if key has Authenticate capability
> > and it's keygrip is listed in ${HOME}/.gnupg/sshcontrol  
> 
> That's incorrect. If you insert an OpenPGP smartcard with a key in the
> Authenticate slot, it will make that key available to the SSH agent
> system. That is regardless of listing in sshcontrol.
> 
> The difference is that if you list it in sshcontrol, and a server
> indicates acceptance of that key, the pinentry will prompt you to
> insert that smartcard for authentication even when the smartcard is
> not inserted. Whereas if it is not in sshcontrol and not currently
> inserted either, the key will never be offered to the server in the
> first place.

Interesting, thank you.




Re: use gpg-agent for ssh login

2018-05-04 Thread Dmitrii Tcvetkov
> Hi,
> 
> I'm trying to configure gpg-agent and SSH with a GnuPG Key Card
> Version 3.3, but ssh only drops the message: "the agent has no
> identities." in response to "ssh-add -L".
> 
> My system:
> Linux (K)ubuntu 16.04
> 
> My software versions:
> gpg 1.4.20
> gpg-agent 2.1.11
> libgcrypt 1.6.5
> 
> My configuration:
> Starting the agent:
> killall scdaemon
> killall gpg-agent
> eval $( gpg-agent --daemon --enable-ssh-support )
> Setting the environment variables:
> SSH_AGENT_PID=2588
> GPG_AGENT_INFO=$HOME/.gnupg/S.gpg-agent:2588:1
> SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh
> GPG_TTY=/dev/pts/1 (corresponding to used terminal)
> 
> note that 2588 is the PID of the gpg-agent here.
> scdaemon is running (started by gpg-agent)
> pcscd is NOT running.
> 
> .gnupg/gpg.conf:
> use-agent
> 
> .gnupg/gpg-agent.conf:
> enable-ssh-support
> default-cache-ttl 21600
> default-cache-ttl-ssh 21600
> pinentry-program /usr/bin/pinentry-gtk-2
> 
> After carefully reviewing my configuration and restarting my agent I
> still get a message "The agent has no identities." in response to
> "ssh-add -L". However, the status of the smart-card looks fine and
> all the keys are present on the card. Why does ssh not see the keys?
> Does anyone have a suggestion for changes? Are there specific issues
> with the card version 3.3?

gpg-agent will list an identity only if the key has the Authenticate
capability and its keygrip is listed in ${HOME}/.gnupg/sshcontrol.

To get a key's keygrip you can use "gpg -K --with-keygrip". You want to
list the keygrip of the specific subkey with the Authenticate
capability, not its primary key.

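As an added illustration of the steps in the reply above (this script is not from the thread and not part of GnuPG), the following shell picks the keygrip of the subkey whose capability flags include A out of "gpg -K --with-keygrip" output and appends it to sshcontrol without creating a duplicate entry. The key listing embedded in the script is constructed sample output with made-up keygrips, so it runs offline against a throwaway sshcontrol file rather than your real ~/.gnupg.

```sh
#!/bin/sh
# Added illustration, not GnuPG's own code: find the keygrip of the
# Authenticate-capable subkey in "gpg -K --with-keygrip" output and
# register it in ~/.gnupg/sshcontrol (the file gpg-agent consults for
# keys it should offer over its ssh-agent socket).

# Constructed sample of "gpg -K --with-keygrip" output. The key type,
# dates and keygrips are made up; only the layout matters here.
SAMPLE_LISTING='sec   rsa4096 2018-01-01 [SC]
      Keygrip = 0123456789ABCDEF0123456789ABCDEF01234567
uid           [ultimate] Example User <user@example.org>
ssb   rsa4096 2018-01-01 [E]
      Keygrip = 89ABCDEF0123456789ABCDEF0123456789ABCDEF
ssb   rsa4096 2018-01-01 [A]
      Keygrip = FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# Read a key listing on stdin and print the keygrip of every key whose
# capability flags (4th column of the sec/ssb line, e.g. "[A]" or "[SA]")
# include A. The "Keygrip = ..." line belongs to the sec/ssb line above it.
auth_keygrips() {
    awk '
        /^(sec|ssb) / { want = (index($4, "A") > 0) }
        /^ *Keygrip = / { if (want) print $3 }
    '
}

# Append a keygrip to an sshcontrol file unless it is already listed.
# $1 = keygrip, $2 = sshcontrol path (defaults to ~/.gnupg/sshcontrol).
# sshcontrol lines are "<keygrip> [<ttl> [<flags>]]" and "#" starts a
# comment, so matching on the first field avoids duplicating an entry.
add_to_sshcontrol() {
    grip=$1
    ctl=${2:-"$HOME/.gnupg/sshcontrol"}
    touch "$ctl"
    if awk -v g="$grip" '$1 == g { found = 1 } END { exit !found }' "$ctl"; then
        return 0
    fi
    printf '%s\n' "$grip" >> "$ctl"
}

# Demo against the constructed listing and a temporary sshcontrol file,
# so running the script never touches the real ~/.gnupg.
demo() {
    tmp=$(mktemp)
    for grip in $(printf '%s\n' "$SAMPLE_LISTING" | auth_keygrips); do
        add_to_sshcontrol "$grip" "$tmp"
    done
    echo "sshcontrol would contain:"
    cat "$tmp"
    rm -f "$tmp"
}

demo
```

On a real system the same two functions would be used as `gpg -K --with-keygrip | auth_keygrips` and then `add_to_sshcontrol <keygrip>`; afterwards `ssh-add -L` is the check that the agent now offers the key.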


Re: Why gpg 2.1.9 cannot export secret key without passphrase?

2015-11-27 Thread Dmitrii Tcvetkov
On Fri, 27 Nov 2015 12:05:36 +0100
Guilhem Moulin  wrote:
>I think this is incorrect.  gpg --export's output is always in the
>OpenPGP format (possibly armored), while as of 2.1 private material is
>stored in another format (in ~/.gnupg/private-keys-v1.d/$KEYGRIP.key).
>Thus the agent asks for the passphrase to decrypt the private key, and
>gpg reencrypts it on the fly (using the same passphrase).
Yes, I confused it with OpenSSH key output, sorry.

On Fri, 27 Nov 2015 14:58:01 +0200
Andrey Utkin  wrote:
> P. S. I haven't received 2 of 3 replies to my gmail mailbox, had to go
> to maillist archive to review the thread. Have this happened to
> anybody else, is this a known issue?
> 
I'm sorry, the reason is that I replied only to the mailing list without
sending the message directly to your address.



Re: Why gpg 2.1.9 cannot export secret key without passphrase?

2015-11-27 Thread Dmitrii Tcvetkov
On Tue, 24 Nov 2015 03:16:31 +0200
Andrey Utkin  wrote:

>  $ gpg --export-secret-keys
> (pops a Xorg dialog window from my console, driving me nuts)
> (i give empty passphrase)
> (it asks me whether i am sure I want no passphrase)
> (I say yes)
> gpg: key : error receiving key from agent: No passphrase
> given - skipped
> 
> Why is there such a _policy_?
> Maybe I am lost and I am using Windows which re-asks everything and
> still refuses to do what I want?
> 

Hello.

In this case the passphrase is needed to decrypt the private key from
the keyring. Because the passphrase is not provided, gpg-agent can't
give gpg the private key.

The private key is exported in cleartext.
