fwiw, i'd be fine with enabling protection against ptrace for gpg-agent, even if
that doesn't fix all the other ways a process can be attacked from another process.
if there are multiple holes, we should plug the ones we can plug, to increase
the pressure to make the other ones fixable.
Done with commit 9bca96d. Here is how to use it:
$ gpg-connect-agent > passwd --verify 2C1103C5C84AAD061B5E3221C048A93D878F7EEE OK > passwd --verify 2C1103C5C84AAD061B5E3221C048A93D878F7EEE ERR 83886179 Operation cancelled <Pinentry> > passwd --verify 2C1103C5C84AAD061B5E3221C048A93D878F7EEE ERR 67108875 Bad passphrase <GPG Agent>
For the OK I entered the correct passpharse, for the bad passpharse I entered a
bad passphrase three times in a row.
We can already do a dummy signature, but it feels sloppy for several reasons:
static text or a dynamic (random) block?
concievable that a dummy signature could be abused/misused if the material being
signed turns out to have some other meaning.
monitoring what signatures have ever been made by a given key. Dummy signatures
introduce spurious signing events that are indistinguishable from real
signatures in this log
and returning feedback.
Why not doing a dummy signing then?
Just checked:
/* Reset the pinentry (in case of popup messages). */ agent_reset_query (ctrl);
Thus the pinentry is only closed if it is used as a simple popup winode (e.g.
"Insert card with serial number xxx") but not for a regular Pinentry.
Actually there should be no need for gpg to notigy gpg-agent and thus pinentry
about a Ctrl-C. Due to Ctrl-C the gpg process dies and thus the connection to
gpg-agent receives an EOF/SIGPIPE and gpg-agent will shuot it down. Thus the
connection cleanup handler of gpg-agent needs to kill an open pinentry - I
tought this is already done.
Or is it the case that gpg does not see the Ctrl-C?
Hm, you make a good point about this being undesirable in the general case --
access to a normal gpg-agent shouldn't provide an attacker with a way to guess
passwords silently.
However, consider the mailpile case -- where gpg-agent is running on the
webserver, and the login webpage wants to verify a given user based on the
password for the user's secret key (and wants to avoid keeping some extra
/etc/shadow-equivalent file lying around).
Maybe such an application would start gpg-agent in a different/simpler mode? Or
should we recommend that such an application test the provided passphrase in
some other way, without using gpg-agent at all?
Hi dkg,
On the mailing list and in T1928, we discussed
why it shouldn't be possible for a program to pass the passphrase to gpg agent.
This feature request is at odds with the conclusion drawn there. Should this
issue be closed as WONTFIX?
Thanks,
:) Neal
It's fixed in 2.0.18 (as the T1203 was closed).
The patch is a work for problem somewhere in the PC/SC implementaion. I am also
not sure whether a pthread_cancel for a buggy PC/SC library is a good idea.
Terminating the process seems to be a better solution.
If gpgtools wants to apply this pacth, they might of course do so but I don't
want to apply it upstream in particular not to an older version (2.1 is current).
As I wrote to #712744, distribution nowadays is conservative enough for its
default kernel settings, and it doesn't require each application to have special
settings.
I think that we will be able to close this soon.
Thanks werner -- I've filed an upstream issue to bring awareness of the change
to the software I use that was affected (duply/duplicity), I'm sure this is
going to pop up for others as 2.1 becomes more widely adopted. Maybe add
something to the release notes or docs for '--passphrase-fd 0' so folks know a
config change is needed in their apps and gpg-agent? Regardless, I appreciate
your help.
(marking as resolved)
If you add it to gpg.conf the Pinentry won't be used and there are fir sure
cases where things won't work. In an unattended use I can't see a problem right
now.
We can't change the behaviour of --passpharse-fd; it is widely used and:
if ( !opt.batch && opt.pinentry_mode != PINENTRY_MODE_LOOPBACK)
{ /* Not used but we have to do a dummy read, so that it won't end
up at the begin of the message if the quite usual trick to
prepend the passphtrase to the message is used. */think would break or - worse - may insert the passphrase into the message.
The passphrase is still used for symmetric only encryption in batch mode.
Roger that, thanks - I've tested it on a VM with my keys and things seem "like
they used to be" for scripting an automated passphrase entry. I specified them
in my ~/.gnupg/pgp.conf and ~/.gnupg/gpg-agent.conf since editing many
individual softwares is not possible at this time, it needs to be backwards
compatible.
What side affects (breaking things?) does having these options permanently
enabled in configs are there? Having the allow in gpg-agent.conf is harmless,
but what about the client side gpg.conf?
If client gpg '--passphrase-fd 0' is useless without '--pinentry-mode loopback',
why not make this an automatic added option (internally) if '--passphrase-fd 0'
is specified? Of what use with gnupg-2.1.x is '--passphrase-fd 0' without
'--pinentry-mode loopback'?
I double-checked the official docs, there's no mention of needing these new
loopback settings in the section for --passphrase-fd 0:
https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html#GPG-Esoteric-Options
"If you use 0 for n, the passphrase will be read from STDIN." (but as we know
here, it's not unless the new loopback options are added)
Like gpgsm has done from its very beginnong, gpg now also does not pknow
anything about the secret keys. This is all delagted to gpg-agent. This means
that telling gpg a passphrase is useless.
But wait. There is a workaround: gpg has the new option
--pinentry-mode mode
Set the pinentry mode to mode. Allowed values for mode are:
default
Use the default of the agent, which is ask.
ask Force the use of the Pinentry.
cancel Emulate use of Pinentry's cancel button.
error Return a Pinentry error (``No Pinentry'').
loopback
Redirect Pinentry queries to the caller. Note that
in contrast to Pinentry the user is not prompted
again if he enters a bad pass- word.Thus by using
gpg --pinentry-mode=loopback
you can do basically the same as with 1.4. It is well tested and
slighly different than in 1.4. Uou also need to configure gpg-agent
with
--allow-loopback-pinentry
Allow clients to use the loopback pinentry features; see the
option pinentry-mode for details.A few Arch users are reporting the same regression/breakage, thread here:
Documented in master. Will be used by 2.0 as weel.
What is the threat model for this? If you are able to ptrace a process you can
do all other kind of stuff, like replacing gpg with your own code. If the box
has been taken over, we are in game-over state.
Disabling core dumps is a different issue because a core dump leaves traces of
the process on the disk.
I think that original reporter's intention is to prevent attaching by ptrace.
By PR_SET_DUMPABLE disabled, ptrace PTRACE_ATTACH won't work any more.
This would be better if we care about kernel compatibility.
In http://bugs.debian.org/714107, I found that setrlimit64 doesn't work reliably
for 2.6.34 or older. PR_SET_DUMPABLE seems to work for even 2.4.x.
I just backported the new ssh-agent code from master to the 2.0 branch. Thus
2.0.21 will have this support.
Hello Werner,
GnuPG uses setrlimit do disable core dumps. It has always done so. See
common/sysutils.c:disable_core_dumps. Do you have a test case which shows that
it does not work?
This is not a bug. The description of --max-cache-ttl reads:
Set the maximum time a cache entry is valid to @var{n} seconds. After
this time a cache entry will be expired even if it has been accessed
recently. The default is 2 hours (7200 seconds).Thus even if you set the cache-ttl-ssh > max-cache-ttl, it will expire after
max-cache-ttl seconds.
Would be great to have included if 2.1 is the ecc release.
I would love to just have 1 agent for everything.
There is no ECC support for the agent, yet. The ssh protocol is different from
the OpenPGP Protocol. It should be easy to add support, though.
Please re-open if you still see this problem.
Meanwhile even 2.0.18 is out. Closing it.
Fixed for 2.0 and 2.1. Thanks.
Wint 2.1 the protect-tools has been dropped. Thus we won't fix it in 2.0.
Note: T1190 is a bug report regarding this.
Tested with current gnupg and pinentry-qt4:
pinentry qt4 (git 5190773293bc38550bbc8aeb1b539bfb47a47c78) qt 4.7 gpg (GnuPG) 2.1.0-git328ac58 libgcrypt 1.5.0-gitb90be28
Ok, using TMPDIR is great. I hope that 2.1 still provides the --no-use-standard-
socket option. Stating that "an option to specify the socket name does not make
sense because other tools need to find gpg-agent" doesn't make sense, unless gpg-
agent stopped providing $GPG_AGENT_INFO.
This has been changed in the current version:
I did not have a chance to test 2.0.17 or the patch yet, but for the archive:
I just have an instance of gpg-agent, which does not allow ttys matching
"/dev/pts/??", i.e. two digits. On three-digit-ttys it works. Maybe the
behaviour depends on the length of tty when the gpg-agent was started first or
something similar.
A 2.0.17 will be released soon.
oops. Website fixed. The branch names are
STABLE-BRANCH-2-0
STABLE-BRANCH-1-4
Note the dashs. We don't use a dot because the names date back to CVS and that
does not allow a dot in the name.
From http://gnupg.org/download/cvs_access.en.html:
the stable 2.0 version (currently version 2.0.16) is known as STABLE-BRANCH-2.0;
the stable 1.4 version of GnuPG (1.4.11) is known under as STABLE-BRANCH-2.0.
I guess I should look at the first of the two :)
STABLE-BRANCH-2-0 344d72b
has the fix. Patch below.
STABLE-BRANCH-2-0 344d72b
has the fix.
Sounds good. I'll test it as soon as we have a kk package for the next release.
Duplicate of T1203
This looks pretty much like T1311.
You are right, that is faulty. The correct code is:
Should probably beretested with Gnupg 2.1(beta or later)
because agent startup might have changed.