montagdude 10-24-2018 06:11 PM

gpg2 doesn't ask for passphrase
 
I use password-store (aka pass) as a password manager. Older versions used to ask for a password when viewing or editing any passwords, but the current version does not. I noticed that this version is using gpg2, and that seems to be the reason. For example, if I do:

Code:

gpg -d ~/.password-store/Internet/slackdocs.gpg

I am prompted for my passphrase. However, if I switch the call to gpg2, I get this:

Code:

gpg2 -d ~/.password-store/Internet/slackdocs.gpg

You need a passphrase to unlock the secret key for
user: "(name and email redacted)"
2048-bit RSA key, ID 276F9293, created 2016-06-11 (main key ID 18CE63C4)

Despite this, it then goes on to decrypt the file without me actually entering the passphrase. I did some research on this, and everything seems to suggest that this can happen due to gpg-agent caching the passphrase, but I don't think that's the case, as none of the posted solutions seem to work. For example, this thread on StackExchange suggests to use the --no-use-agent option on older versions of gpg, or

Code:

default-cache-ttl 1
max-cache-ttl 1

in ~/.gnupg/gpg-agent.conf in gpg 2.1+. I am running Slackware64-14.2 (gpg 2.0.13), and with --no-use-agent, I get a warning that the option is obsolete and has no effect. With the changes above in gpg-agent.conf, I get an error that those options are unrecognized. Perhaps I just need to upgrade to a newer version of gpg2 to get this to work? Any advice would be appreciated. I would prefer to be asked for the passphrase every time.

Edit: I also forgot to mention, even right after rebooting, it decrypts the file without asking for the passphrase, so I don't think it is due to gpg-agent caching it.

montagdude 10-24-2018 06:44 PM

I just upgraded gpg2 by building the version from -current (I also had to upgrade libgpg-error, libassuan, and libksba, and install npth). It now brings up the password prompt as expected when decrypting a file. Before I mark this as solved, could anyone confirm the behavior that I am seeing with the default version of gpg2 on Slackware 14.2? It seems like a bug to me.

montagdude 10-24-2018 06:50 PM

By the way, for testing purposes, this command should reload gpg-agent to clear the passphrase from cached memory:

Code:

gpgconf --reload gpg-agent

With the default gpg-2.0.31 on Slackware 14.2, I am not prompted for a passphrase even after running this command. gpg-2.2.10 does prompt for a passphrase.

montagdude 10-26-2018 10:49 PM

Can anyone else confirm this behavior with gpg2 2.0.13? It seems like a significant security issue.

Ian M 10-27-2018 08:16 AM

I don't know if this helps, but I don't get the same behavior. Running pass or gpg2 directly like in your example, the passphrase is cached for 10 minutes or until I log out, if that's sooner.
The timeout appears to reset every time gpg2 is run though, so after entering the passphrase, if you repeatedly run gpg2 at intervals of less than 10 minutes, it doesn't seem to clear the cache and doesn't ask for the passphrase.

Code:

gpgconf --reload gpg-agent

Works as expected.
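
The cache timing described in the post above, modelled as an added example that is not part of any post in this thread: it reads the two TTL options from a gpg-agent.conf and works out at which decrypt calls a passphrase prompt is due. The function names and access times are constructed for illustration; 600 and 7200 seconds are gpg-agent's documented defaults for `default-cache-ttl` and `max-cache-ttl`.

```shell
#!/bin/sh
# Added example: a model of gpg-agent passphrase-cache timing. It does not
# talk to a running agent; it only reasons about the configured TTLs.

# effective_ttl OPTION CONF_FILE
# Prints the value OPTION has in CONF_FILE, or the documented default when
# the file or the option is missing. Assumption of this model: if the option
# appears more than once, the last uncommented line is used.
effective_ttl() {
    opt=$1
    conf=$2
    case $opt in
        default-cache-ttl) def=600 ;;
        max-cache-ttl)     def=7200 ;;
        *) return 1 ;;
    esac
    val=
    if [ -r "$conf" ]; then
        val=$(awk -v o="$opt" '$1 == o && $2 ~ /^[0-9]+$/ { v = $2 } END { print v }' "$conf")
    fi
    echo "${val:-$def}"
}

# prompts_at DEFAULT_TTL MAX_TTL T1 T2 ...
# T1.. are ascending times (seconds) at which gpg2 needs the secret key.
# Prints the times at which the cache entry is gone and a prompt is due:
#  - each access resets the default-cache-ttl timer,
#  - max-cache-ttl expires the entry regardless of recent accesses.
prompts_at() {
    ttl=$1
    max=$2
    shift 2
    entered=-1
    last=-1
    out=
    for t in "$@"; do
        if [ "$entered" -lt 0 ] || [ $((t - last)) -ge "$ttl" ] || [ $((t - entered)) -ge "$max" ]; then
            out="$out $t"
            entered=$t
        fi
        last=$t
    done
    echo "${out# }"
}

# Constructed access pattern: one decrypt every 5 minutes for just over 2 hours.
prompts_at "$(effective_ttl default-cache-ttl "$HOME/.gnupg/gpg-agent.conf")" \
           "$(effective_ttl max-cache-ttl "$HOME/.gnupg/gpg-agent.conf")" $(seq 0 300 7500)
```

A key that never prompts even at the times this model lists, as in the original report, is not explained by the cache TTLs.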

montagdude 10-27-2018 10:21 AM

Alright, thanks for the feedback. I guess it's just something about my system, but at least upgrading gpg2 works for me. I will mark this as solved.

montagdude 10-29-2018 09:28 PM

Well, I did a complete reinstall of Slackware64-14.2, and I'm still having this problem with gpg 2.0.31. I'll upgrade to the newer version again, but it's still strange and worrisome.

montagdude 11-06-2019 12:04 AM

For the sake of anyone who may find this thread while searching, I have some new information to share. When I upgraded from 14.2 to -current, this issue came back, which was surprising since -current has the latest gpg2. (gpg still asks for the password as expected, but gpg2 never does.) I ended up generating a new gpg key, which fixed the problem: with the new key, I am always prompted for the passphrase except for during the expected gpg-agent caching interval. I have now re-encrypted all my files with the new key, and hopefully that will solve it for good. I have no idea what it was about the old key that made gpg2 not ask for the password, but if you are experiencing this issue, try generating a new key. All I can think of is that there is some other password/key manager running that has stored the key, but all the ones I know of on my system did not have it stored.

slackerz 09-07-2020 01:00 PM

Not really solved. Skirted around the problem.

chris.willing 09-07-2020 03:01 PM

Quote:

Originally Posted by montagdude (Post 5919604)
Can anyone else confirm this behavior with gpg2 2.0.13? It seems like a significant security issue.

Yes, I see it too (14.2 with gpg2 2.0.31). I hadn't updated my personal repo of SBo packages while their hardware was relocated, but when I started catching up last night, I noticed I wasn't being asked for a password anymore when my script adds a completed package to the repo.

chris