Re: Setting up shared access to gpg on a UNIX server

2014-01-31 Thread NdK
On 31/01/2014 01:29, DUELL, BOB wrote:

> A couple folks (Diego and Johannes) mentioned using a smartcard or a
> token.  I think a smartcard refers to a piece of hardware, but I
> don't know what a "token" means.  Our server is in a datacenter and
> I'm sure I cannot attach any sort of hardware.
A token is a bundle of a smartcard and a reader, and usually looks like
a USB stick.
If you have a dedicated (non virtual) server, usually you can ask to
have a token plugged in. If you're using a virtual server, then it's
harder and there are other possible attacks against your key material,
as previously discussed on-list.

> I might be able to use a software only solution; I've heard something
> about "agents", but don't really understand any details.  Can such an
> agent be used, one that I can start and load the key with passphrase
> at system startup?
I don't know if such an agent exists.

BYtE,
 Diego.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


RE: Setting up shared access to gpg on a UNIX server

2014-01-30 Thread DUELL, BOB
Hi again,

Firstly, as a Windows Outlook user, I've never figured out the correct 
etiquette on formatting responses to list-server messages, so I'm just going to 
post a new message without previous references.

Taking previous comments to heart, I've altered my "home directory" permissions 
to remove write access from everyone other than the owner (755).  I believe this 
plugs the hole that would have allowed others to replace files as Peter 
demonstrated.

The reason I allowed "write" was to overcome an error message users were 
getting.  Apparently, gpg needs to create some file in that location.  Allowing 
"write" permission was the first thing that came to mind when I first started 
using gpg and it's stayed that way for several years.

I was not previously familiar with the --keyring and --secret-keyring options 
and I believe that helps me a lot.  So now, to encrypt files:

gpg --keyring /opt/app/apps/dbmprod/gpg/pubring.gpg --always-trust 
--no-secmem-warning 
--recipient 

I found I had to add the --always-trust option to prevent a prompt for "batch" 
processes.  The keys are all "trusted" in my "home directory", but I didn't find 
an option to point to the "trustdb" file.

And to decrypt a file:

gpg --secret-keyring /opt/app/apps/dbmprod/gpg/secring.gpg 
--keyring /opt/app/apps/dbmprod/gpg/pubring.gpg --no-secmem-warning 
--output 
--decrypt .gpg

It seems that since my "secring" only contains the private key used by vendors 
to send files to us, I do not need to actually specify the key by name.  My 
initial testing shows it works well.

How does that look?

From what I can tell, the remaining risk is that anyone can copy and use my 
private key because I do not have it passphrase protected. I'd be happy to add 
a passphrase, as long as I can figure out how to make the key easily used by 
any user.

A couple folks (Diego and Johannes) mentioned using a smartcard or a token.  I 
think a smartcard refers to a piece of hardware, but I don't know what a 
"token" means.  Our server is in a datacenter and I'm sure I cannot attach any 
sort of hardware.  I might be able to use a software only solution; I've heard 
something about "agents", but don't really understand any details.  Can such an 
agent be used, one that I can start and load the key with passphrase at system 
startup?
 
Thanks again for the comments; very helpful so far!

Bob



Re: Setting up shared access to gpg on a UNIX server

2014-01-30 Thread Johannes Zarl
On Thursday 30 January 2014 11:49:47 Peter Lebbing wrote:
> If you're trying to achieve by the 744 what I think you're trying to
> achieve, namely that users can't change the files, I think you're
> mistaken[1]. Look at the following session I just did[2]:

> The thing is, you're not allowed to change any files, but you are allowed to
> replace those files by your own.

Just in case this isn't clear to everybody already: the write permission on 
the directory is the problem here, not the 744 on the file.

> gpg does stuff with a bunch of files in the homedir, and I suspect
> that some might need the permission to overwrite files one of your other
> users created.

If one really wanted to use a shared secret key in this way (as opposed to a 
token), I would only share the keyrings, not the home directory.

Like that (only a mockup):

ls -la /opt/app/apps/dbmprod/gpg
drwxr-x--- 1 root gpgusers  .
-rw-r----- 1 root gpgusers  secring.gpg
-rw-r----- 1 root gpgusers  pubring.gpg

Limiting readability to a user group would at least limit the access to the 
key material w.r.t. unprivileged processes running on the same machine.

gpg --secret-keyring /opt/app/apps/dbmprod/gpg/secring.gpg 
  --keyring /opt/app/apps/dbmprod/gpg/pubring.gpg 
  ...


As to what Bob wrote in the original message:
> I suppose that my use of a private key without a passphrase might be of some
> concern, but I never figured out a better way to do this.  In other words,
> if the single key required a passphrase, I'd have to give out that
> passphrase to everyone, so what would be the point?

It might not make much of a difference, but having a strong passphrase would 
still protect copies of your key lying on some backup.

Other than that, I guess Diego's advice is sound -- limiting the potential 
damage by using a token/smartcard.

  Johannes



Re: Setting up shared access to gpg on a UNIX server

2014-01-30 Thread Peter Lebbing
On 30/01/14 02:14, DUELL, BOB wrote:
> On my server, I created a directory named /opt/app/apps/dbmprod/gpg and set
> the permissions to global access (777).

> I set the permission on all the files in this directory to allow global
> "read" access (744).

If you're trying to achieve by the 744 what I think you're trying to achieve,
namely that users can't change the files, I think you're mistaken[1]. Look at
the following session I just did[2]:

-8<->8-

$ ll -R
.:
total 4
drwxrwxrwx 2 root root 4096 Jan 30 11:40 gpg

./gpg:
total 4
-rwxr--r-- 1 root root 17 Jan 30 11:40 gpg.conf
$ cd gpg
$ cat gpg.conf
intended content
$ echo "unwanted addition" >>gpg.conf
bash: gpg.conf: Permission denied
$ cp -a gpg.conf gpg.conf.new
$ echo "unwanted addition" >>gpg.conf.new
$ mv gpg.conf.new gpg.conf
mv: try to overwrite ‘gpg.conf’, overriding mode 0744 (rwxr--r--)? y
$ cat gpg.conf
intended content
unwanted addition
$ ll
total 4
-rwxr--r-- 1 peter peter 35 Jan 30 11:42 gpg.conf

-8<->8-

The thing is, you're not allowed to change any files, but you are allowed to
replace those files by your own. The sticky bit might help, but I'm not sure.
gpg does stuff with a bunch of files in the homedir, and I suspect that some
might need the permission to overwrite files one of your other users created.

I haven't thought about the rest of your setup, this is just one issue that
stood out to me so I commented on that.

HTH,

Peter.

[1] Additionally, why are all files executable?
[2] ll is shorthand for "ls -l"

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Setting up shared access to gpg on a UNIX server

2014-01-29 Thread Daniel Kahn Gillmor
On 01/30/2014 01:59 AM, NdK wrote:
> On 30/01/2014 02:14, DUELL, BOB wrote:
> 
>> I will appreciate any and all comments.  If there is a "better way" to do 
>> this, I'd love to learn.
> Every user in the group could "leak" the secret key. At least put it
> into a smartcard/token connected to the server: they'll just be able to
> *use* it.

Every user in the group could also destroy the secret key, if the
directory itself is still mode 777 -- write access on a directory means
you can unlink files from that directory, even if you don't have write
access to those files in particular.

A user just has to do:

 rm /opt/app/apps/dbmprod/gpg/secring.gpg

and it seems likely that you will be unable to decrypt any further
messages (unless someone has already leaked the secret key as NdK
suggests, in which case maybe you could ask them for a copy :P)

--dkg



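The three points made above (Peter's session showing that a read-only file in a writable directory can still be renamed over, dkg's note that the same directory permission lets anyone unlink secring.gpg, and Johannes's group-restricted mockup) can be turned into a small audit-and-fix script. The following is an added example written for this page, not code from the thread or from GnuPG. It assumes a POSIX sh with find(1), chmod(1) and mktemp(1); the function names, the 750/640 layout (taken from Johannes's mockup, minus the chgrp, which is left to the admin) and the placeholder keyring contents are all constructed here.

```shell
#!/bin/sh
# Added example: audit a shared GnuPG keyring directory for the permission
# problems discussed in the thread, then apply a group-restricted layout.
# Not part of GnuPG; function names and file contents are constructed.

# audit_gpg_dir DIR
# Prints one finding per line. A directory writable by group or others lets
# any such user rename a modified copy over a read-only file, or unlink the
# secret keyring outright, no matter what mode the files themselves carry.
audit_gpg_dir() {
    dir=$1
    # -prune stops find at the starting point, so only DIR itself is tested
    find "$dir" -prune -perm -0002 -print | sed 's/^/dir world-writable: /'
    find "$dir" -prune -perm -0020 -print | sed 's/^/dir group-writable: /'
    # execute bits on keyring or config files (the 744 in the original post)
    find "$dir" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print \
        | sed 's/^/executable file: /'
    # secret keyring readable by every process on the machine
    if [ -f "$dir/secring.gpg" ]; then
        find "$dir/secring.gpg" -perm -0004 -print \
            | sed 's/^/world-readable secret keyring: /'
    fi
}

# count_findings DIR -> number of lines audit_gpg_dir reports
count_findings() {
    audit_gpg_dir "$1" | wc -l | tr -d ' '
}

# harden_gpg_dir DIR
# Directory 750, files 640: members of the owning group can read and use the
# keyrings, but nobody other than the owner can replace or delete them.
# Group ownership (e.g. chgrp gpgusers) is assumed to be set separately.
harden_gpg_dir() {
    dir=$1
    chmod 750 "$dir"
    for f in "$dir"/*; do
        if [ -f "$f" ]; then
            chmod 640 "$f"
        fi
    done
}

# make_bad_layout -> prints the path of a scratch directory that reproduces
# the layout from the original post (777 directory, 744 files). The file
# contents are constructed placeholders, not real keyrings.
make_bad_layout() {
    d=$(mktemp -d)
    for f in gpg.conf pubring.gpg secring.gpg; do
        echo "constructed placeholder" > "$d/$f"
        chmod 744 "$d/$f"
    done
    chmod 777 "$d"
    echo "$d"
}

# Stand-alone demo: six findings before hardening, none afterwards.
demo_dir=$(make_bad_layout)
echo "before hardening:"
audit_gpg_dir "$demo_dir"
harden_gpg_dir "$demo_dir"
echo "after hardening: $(count_findings "$demo_dir") finding(s)"
rm -rf "$demo_dir"
```

Because the checks test mode bits with find -perm rather than attempting writes, the script gives the same answer whether it is run as root or as an unprivileged user, so it can be dropped into a cron job to catch the directory drifting back to 777 when someone "fixes" a permission-denied error the way the original post describes.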


Re: Setting up shared access to gpg on a UNIX server

2014-01-29 Thread NdK
On 30/01/2014 02:14, DUELL, BOB wrote:

> I will appreciate any and all comments.  If there is a "better way" to do 
> this, I'd love to learn.
Every user in the group could "leak" the secret key. At least put it
into a smartcard/token connected to the server: they'll just be able to
*use* it.

BYtE,
 Diego.
