LinuxQuestions.org
Old 08-08-2013, 12:37 PM   #1
displace
Thunderbird/Enigmail: How can I make gpg-agent absent-minded?


I've recently set up Thunderbird with Enigmail on my Xubuntu box. Enigmail was automatically configured to use gpg-agent for passphrase handling. I've imported my public and private pgp keys into gpg, and I've successfully set up IMAP on Thunderbird. Now whenever I receive an encrypted email I can decrypt it by clicking on it - this is where thunderbird/enigmail/gpg-agent prompts for the private key passphrase.

Once I enter it I can decrypt the mail normally. The thing is that I only have to enter the passphrase once per session. Every other email will be decrypted automatically. The only problem is that the gpg-agent is ever-knowing. It doesn't seem to forget the authentication no matter how long I keep the PC running (even with thunderbird closed). This kind of bugs me because I'd like the system to forget the authentication after 5 minutes since the pgp private key was last needed. Is there a way to do this for my setup?

I've read some docs about having to specify some settings for gpg-agent. I created a file named gpg-agent.conf in my ~/.gnupg/ folder and put these settings inside. They don't seem to have an effect though:
Quote:
pinentry-program /usr/bin/pinentry-gtk-2
default-cache-ttl 300
max-cache-ttl 3600
 
Old 08-08-2013, 01:22 PM   #2
Z038
Do you have the OpenPGP menu option in Thunderbird? There is a "Preferences" option in the menu. On the "Basic" tab, you can set the passphrase idle timeout value. I have mine set to 30 minutes, but you can set it to 5 minutes or 1 minute, whatever you like.
 
Old 08-08-2013, 01:33 PM   #3
displace
The option is there and is set to 5 minutes. But when I click the OK button, I get the following warning:

Quote:
Your system uses gpg-agent or a similar tool for passphrase handling (gpg-agent is mandatory if GnuPG v2.0 or later is used). Since caching of passphrases is handled by gpg-agent, the respective timeout settings in OpenPGP are disregarded. In order to change passphrase caching options, please configure your gpg-agent tool.
 
Old 08-08-2013, 02:21 PM   #4
Z038
I don't use gpg-agent, so I don't know much about it. Did you send the gpg-agent daemon a SIGHUP after you added the default and max cache TTL options?

From the man page:

Quote:
SIGHUP This signal flushes all cached passphrases and if the program has been started with a configuration file, the configuration file is read again. Only certain options are honored: quiet, verbose, debug, debug-all, debug-level, no-grab, pinentry-program, default-cache-ttl, max-cache-ttl, ignore-cache-for-signing, allow-mark-trusted and disable-scdaemon.
EDIT: Reading up on the doc, it looks like you also need to add "use-agent" to the options in ~/.gnupg/gpg.conf

Last edited by Z038; 08-08-2013 at 02:27 PM. Reason: add info
 
Old 08-08-2013, 02:47 PM   #5
displace
use-agent is already present and I didn't send any SIGHUPs. Instead I rebooted the machine.

So...?
 
Old 08-08-2013, 06:10 PM   #6
Habitual
Quote:
Originally Posted by Z038
Do you have the OpenPGP menu option in Thunderbird? There is a "Preferences" option in the menu. On the "Basic" tab, you can set the passphrase idle timeout value. I have mine set to 30 minutes, but you can set it to 5 minutes or 1 minute, whatever you like.

I see a "never ask for passphrase" over here on the same Preferences dialog...

YMMV

Enigmail 1.1.2 on Tbird 3.1.9
 
Old 08-08-2013, 08:28 PM   #7
Z038
Quote:
Originally Posted by Habitual
I see a "never ask for passphrase" over here on the same Preferences dialog...

YMMV

Enigmail 1.1.2 on Tbird 3.1.9
You should check that box if your pgp key is not protected by a passphrase.

Why someone would have a pgp key that was not protected by a passphrase eludes me.
 
Old 08-08-2013, 08:35 PM   #8
Z038
Quote:
Originally Posted by displace
use-agent is already present and I didn't send any SIGHUP's. Instead I rebooted the machine.

So...?
That should certainly do the trick. :-)

Are you also using keychain? It has the ability to also start gpg-agent.
 
Old 08-09-2013, 12:14 AM   #9
displace
I have a default Xubuntu installation, and I've only just started using gpg. There are a bunch of public keys in the database and my private key. I don't use keychain.


I'd really like to know why gpg-agent refuses to obey the settings in that config file.
 
Old 08-09-2013, 01:35 AM   #10
Z038
The reason I mentioned keychain is because it can also start gpg-agent, and that might cause conflicts with the one you are starting via your ~/.gnupg/gpg.conf. You said you aren't using keychain, so that's good, but you should check to see that only one copy of gpg-agent is running. If there is more than one (per logged on user) then you could experience conflicts due to different cache TTLs being specified.

Verify you only have one gpg-agent running.

Code:
ps -ef | grep gpg
If there is only one, then you should step through gpg.conf and gpg-agent.conf and verify all your settings are correct.

You should also have a file called ~/.gpg-agent-info with information about the currently running gpg-agent process.
 
Old 08-09-2013, 09:13 AM   #11
displace
I'm the only user on this computer.
"ps -ef | grep gpg" shows this:
Quote:
displace 2262 2215 0 15:33 ? 00:00:00 /usr/bin/ssh-agent /usr/bin/gpg-agent --daemon --sh --write-env-file=/home/displace/.gnupg/gpg-agent-info-boxedbone /usr/bin/dbus-launch --exit-with-session /usr/bin/im-launch startxfce4
displace 2263 2215 0 15:33 ? 00:00:00 /usr/bin/gpg-agent --daemon --sh --write-env-file=/home/displace/.gnupg/gpg-agent-info-boxedbone /usr/bin/dbus-launch --exit-with-session /usr/bin/im-launch startxfce4
displace 2638 2578 0 15:37 pts/0 00:00:00 grep --color=auto gpg
I guess I should have posted my config files in the beginning. Here's gpg.conf:
Quote:
# Options for GnuPG
# Copyright 1998, 1999, 2000, 2001, 2002, 2003,
# 2010 Free Software Foundation, Inc.
#
# This file is free software; as a special exception the author gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Unless you specify which option file to use (with the command line
# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf
# by default.
#
# An options file can contain any long options which are available in
# GnuPG. If the first non white space character of a line is a '#',
# this line is ignored. Empty lines are also ignored.
#
# See the man page for a list of options.

# Uncomment the following option to get rid of the copyright notice

no-greeting

# If you have more than 1 secret key in your keyring, you may want to
# uncomment the following option and set your preferred keyid.

#default-key 621CC013

# If you do not pass a recipient to gpg, it will ask for one. Using
# this option you can encrypt to a default key. Key validation will
# not be done in this case. The second form uses the default key as
# default recipient.

#default-recipient some-user-id
#default-recipient-self

# Use --encrypt-to to add the specified key as a recipient to all
# messages. This is useful, for example, when sending mail through a
# mail client that does not automatically encrypt mail to your key.
# In the example, this option allows you to read your local copy of
# encrypted mail that you've sent to others.

#encrypt-to some-key-id

# By default GnuPG creates version 4 signatures for data files as
# specified by OpenPGP. Some earlier (PGP 6, PGP 7) versions of PGP
# require the older version 3 signatures. Setting this option forces
# GnuPG to create version 3 signatures.

#force-v3-sigs

# Because some mailers change lines starting with "From " to ">From "
# it is good to handle such lines in a special way when creating
# cleartext signatures; all other PGP versions do it this way too.

#no-escape-from-lines

# If you do not use the Latin-1 (ISO-8859-1) charset, you should tell
# GnuPG which is the native character set. Please check the man page
# for supported character sets. This character set is only used for
# metadata and not for the actual message which does not undergo any
# translation. Note that future version of GnuPG will change to UTF-8
# as default character set. In most cases this option is not required
# as GnuPG is able to figure out the correct charset at runtime.

#charset utf-8

# Group names may be defined like this:
# group mynames = paige 0x12345678 joe patti
#
# Any time "mynames" is a recipient (-r or --recipient), it will be
# expanded to the names "paige", "joe", and "patti", and the key ID
# "0x12345678". Note there is only one level of expansion - you
# cannot make an group that points to another group. Note also that
# if there are spaces in the recipient name, this will appear as two
# recipients. In these cases it is better to use the key ID.

#group mynames = paige 0x12345678 joe patti

# Lock the file only once for the lifetime of a process. If you do
# not define this, the lock will be obtained and released every time
# it is needed, which is usually preferable.

#lock-once

# GnuPG can send and receive keys to and from a keyserver. These
# servers can be HKP, email, or LDAP (if GnuPG is built with LDAP
# support).
#
# Example HKP keyserver:
# hkp://keys.gnupg.net
# hkp://subkeys.pgp.net
#
# Example email keyserver:
# mailto:pgp-public-keys@keys.pgp.net
#
# Example LDAP keyservers:
# ldap://keyserver.pgp.com
#
# Regular URL syntax applies, and you can set an alternate port
# through the usual method:
# hkp://keyserver.example.net:22742
#
# Most users just set the name and type of their preferred keyserver.
# Note that most servers (with the notable exception of
# ldap://keyserver.pgp.com) synchronize changes with each other. Note
# also that a single server name may actually point to multiple
# servers via DNS round-robin. hkp://keys.gnupg.net is an example of
# such a "server", which spreads the load over a number of physical
# servers. To see the IP address of the server actually used, you may use
# the "--keyserver-options debug".

keyserver hkp://keys.gnupg.net
#keyserver mailto:pgp-public-keys@keys.nl.pgp.net
#keyserver ldap://keyserver.pgp.com

# Common options for keyserver functions:
#
# include-disabled : when searching, include keys marked as "disabled"
# on the keyserver (not all keyservers support this).
#
# no-include-revoked : when searching, do not include keys marked as
# "revoked" on the keyserver.
#
# verbose : show more information as the keys are fetched.
# Can be used more than once to increase the amount
# of information shown.
#
# use-temp-files : use temporary files instead of a pipe to talk to the
# keyserver. Some platforms (Win32 for one) always
# have this on.
#
# keep-temp-files : do not delete temporary files after using them
# (really only useful for debugging)
#
# http-proxy="proxy" : set the proxy to use for HTTP and HKP keyservers.
# This overrides the "http_proxy" environment variable,
# if any.
#
# auto-key-retrieve : automatically fetch keys as needed from the keyserver
# when verifying signatures or when importing keys that
# have been revoked by a revocation key that is not
# present on the keyring.
#
# no-include-attributes : do not include attribute IDs (aka "photo IDs")
# when sending keys to the keyserver.

#keyserver-options auto-key-retrieve

# Display photo user IDs in key listings

# list-options show-photos

# Display photo user IDs when a signature from a key with a photo is
# verified

# verify-options show-photos

# Use this program to display photo user IDs
#
# %i is expanded to a temporary file that contains the photo.
# %I is the same as %i, but the file isn't deleted afterwards by GnuPG.
# %k is expanded to the key ID of the key.
# %K is expanded to the long OpenPGP key ID of the key.
# %t is expanded to the extension of the image (e.g. "jpg").
# %T is expanded to the MIME type of the image (e.g. "image/jpeg").
# %f is expanded to the fingerprint of the key.
# %% is %, of course.
#
# If %i or %I are not present, then the photo is supplied to the
# viewer on standard input. If your platform supports it, standard
# input is the best way to do this as it avoids the time and effort in
# generating and then cleaning up a secure temp file.
#
# If no photo-viewer is provided, GnuPG will look for xloadimage, eog,
# or display (ImageMagick). On Mac OS X and Windows, the default is
# to use your regular JPEG image viewer.
#
# Some other viewers:
# photo-viewer "qiv %i"
# photo-viewer "ee %i"
#
# This one saves a copy of the photo ID in your home directory:
# photo-viewer "cat > ~/photoid-for-key-%k.%t"
#
# Use your MIME handler to view photos:
# photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG"

# Passphrase agent
#
# We support the old experimental passphrase agent protocol as well as
# the new Assuan based one (currently available in the "newpg" package
# at ftp.gnupg.org/gcrypt/alpha/aegypten/). To make use of the agent,
# you have to run an agent as daemon and use the option
#
# For Ubuntu we now use-agent by default to support more automatic
# use of GPG and S/MIME encryption by GUI programs. Depending on the
# program, users may still have to manually decide to install gnupg-agent.

use-agent

# which tries to use the agent but will fallback to the regular mode
# if there is a problem connecting to the agent. The normal way to
# locate the agent is by looking at the environment variable
# GPG_AGENT_INFO which should have been set during gpg-agent startup.
# In certain situations the use of this variable is not possible, thus
# the option
#
# --gpg-agent-info=<path>:<pid>:1
#
# may be used to override it.

# Automatic key location
#
# GnuPG can automatically locate and retrieve keys as needed using the
# auto-key-locate option. This happens when encrypting to an email
# address (in the "user@example.com" form), and there are no
# user@example.com keys on the local keyring. This option takes the
# following arguments, in the order they are to be tried:
#
# cert = locate a key using DNS CERT, as specified in RFC-4398.
# GnuPG can handle both the PGP (key) and IPGP (URL + fingerprint)
# CERT methods.
#
# pka = locate a key using DNS PKA.
#
# ldap = locate a key using the PGP Universal method of checking
# "ldap://keys.(thedomain)". For example, encrypting to
# user@example.com will check ldap://keys.example.com.
#
# keyserver = locate a key using whatever keyserver is defined using
# the keyserver option.
#
# You may also list arbitrary keyservers here by URL.
#
# Try CERT, then PKA, then LDAP, then hkp://subkeys.net:
#auto-key-locate cert pka ldap hkp://subkeys.pgp.net
And the agent info file contains only this line:
Quote:
GPG_AGENT_INFO=/tmp/gpg-KBxYOe/S.gpg-agent:2263:1
I know, I've already checked out all of this, but it still doesn't work for some reason.
 
Old 08-09-2013, 12:32 PM   #12
Z038
It does appear you are running two gpg-agent daemons. You can see two PIDs in your ps output, both with the same parent PID. The first one lists both ssh-agent and gpg-agent. Your GPG_AGENT_INFO is pointing to a directory in /tmp created by the second PID, 2263. Whatever was put there by process number 2262 has been overwritten.

Check all the usual places for starting stuff at login time, like .xsession, .profile, .bashrc, and see if you can find the duplicate start. I believe you'll need to eliminate one or the other of them.


By the way, putting config files or the output from commands in CODE tags makes it a bit more readable than using QUOTE because CODE preserves formatting (e.g., white space).
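An added audit script (my own, not from the thread or from GnuPG) that runs the checks discussed in posts #10 to #12 over constructed samples modelled on the output above: it reads the TTLs out of a gpg-agent.conf, counts processes whose own command is gpg-agent (so a wrapper line such as "ssh-agent ... gpg-agent" is not counted as a second daemon) and checks that the PID recorded in GPG_AGENT_INFO belongs to one of them. Function names and the sample inputs are assumptions of this example.

```shell
#!/bin/sh
# Audit helpers for the checks in this thread: gpg-agent.conf TTLs, how many
# gpg-agent daemons are running, and whether GPG_AGENT_INFO points at one of them.
# All inputs below are constructed samples modelled on the thread, not live data.

SAMPLE_AGENT_CONF='pinentry-program /usr/bin/pinentry-gtk-2
default-cache-ttl 300
max-cache-ttl 3600'

SAMPLE_PS='displace 2262 2215 0 15:33 ? 00:00:00 /usr/bin/ssh-agent /usr/bin/gpg-agent --daemon --sh
displace 2263 2215 0 15:33 ? 00:00:00 /usr/bin/gpg-agent --daemon --sh
displace 2638 2578 0 15:37 pts/0 00:00:00 grep --color=auto gpg'

SAMPLE_INFO='GPG_AGENT_INFO=/tmp/gpg-KBxYOe/S.gpg-agent:2263:1'

# conf_value CONF OPTION: print the value of OPTION from gpg-agent.conf text,
# skipping comment lines; prints nothing if the option is absent.
conf_value() {
    printf '%s\n' "$1" | awk -v opt="$2" '$1 !~ /^#/ && $1 == opt { print $2; exit }'
}

# ttl_ok CONF LIMIT: succeed only if default-cache-ttl (idle timeout) is set and
# no larger than LIMIT seconds, and max-cache-ttl (absolute cap) is set and not
# smaller than the idle timeout.
ttl_ok() {
    d=$(conf_value "$1" default-cache-ttl); m=$(conf_value "$1" max-cache-ttl)
    [ -n "$d" ] && [ -n "$m" ] && [ "$d" -le "$2" ] && [ "$m" -ge "$d" ]
}

# agent_pids PS: print PIDs of processes whose own command (ps -ef CMD field,
# field 8) is gpg-agent. The ssh-agent wrapper line and the grep line are not
# agents, so only real daemons are listed.
agent_pids() {
    printf '%s\n' "$1" | awk '$8 ~ /(^|\/)gpg-agent$/ { print $2 }'
}

# agent_count PS: number of gpg-agent daemons; more than one per user means the
# TTL in one config may not apply to the agent gpg actually talks to.
agent_count() {
    agent_pids "$1" | wc -l | tr -d ' '
}

# info_pid INFO_LINE: the PID recorded in a GPG_AGENT_INFO=socket:pid:1 line.
info_pid() {
    printf '%s\n' "$1" | awk -F: '{ print $2 }'
}

# info_matches_agent PS INFO_LINE: succeed if the PID in GPG_AGENT_INFO is one
# of the running gpg-agent daemons; otherwise gpg is pointed at a dead or wrong agent.
info_matches_agent() {
    pid=$(info_pid "$2")
    agent_pids "$1" | grep -qx "$pid"
}

# Run the audit on the constructed samples.
printf 'default-cache-ttl=%s gpg-agent daemons=%s\n' \
    "$(conf_value "$SAMPLE_AGENT_CONF" default-cache-ttl)" "$(agent_count "$SAMPLE_PS")"
ttl_ok "$SAMPLE_AGENT_CONF" 300 && echo "ttl policy ok"
info_matches_agent "$SAMPLE_PS" "$SAMPLE_INFO" && echo "GPG_AGENT_INFO points at a live agent"
```

On a real box, replace the samples with `cat ~/.gnupg/gpg-agent.conf`, `ps -ef` and `cat ~/.gpg-agent-info` (or the gpg-agent-info-<hostname> file named in the agent's --write-env-file option).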
 
Old 08-10-2013, 07:40 AM   #13
displace
So you think that running the two instances is the problem?
Can I test this by terminating both processes and manually starting just one?

I'll also look for the duplicate.

EDIT: Funny thing is... when I terminate both of those gpg processes, Thunderbird is still able to decrypt my email w/o asking for password, even if I exit and restart it.

Last edited by displace; 08-10-2013 at 07:48 AM.
 
Old 08-10-2013, 12:05 PM   #14
Z038
Yes, running multiple instances is potentially problematic. This doc says to avoid it: http://www.gnupg.org/documentation/m...002dAGENT.html

I would suggest killing both agents, then close and reopen Thunderbird and test how Enigmail behaves without gpg-agent running. Set a low idle timeout value in the OpenPGP Preferences and see if it honors it. If so, then start one instance of gpg-agent and check to see if your ttl is honored.
 
Old 08-10-2013, 12:43 PM   #15
displace
I already killed both agents, and thunderbird was still able to decrypt even after I closed and reopened it. Thunderbird/Enigmail does not seem to honor the local timeout or the "Use gpg-agent for passphrases" checkbox. And for some reason new instances of Thunderbird/Enigmail are still able to decrypt emails even 12 hours after both gpg-agents have been terminated. How the heck are they getting access to the private key? It must be cached somewhere outside gpg-agent.
 