LinuxQuestions.org
Old 09-17-2011, 04:10 AM   #1
jtwdyp
Member
 
Registered: Apr 2011
Distribution: antiX, Mageia, OpenSUSE, etc... I multi-boot
Posts: 36

Rep: Reputation: 0
gpg2 caches passphrase in OpenSuSE 11.4


Hello. I'm sort of an old "flatulation" in that I'm kinda set in my ways. Most of which don't happen to be the way everybody else seems to want things. And how I feel about needing to repetitively enter passwords and passphrases is one of them. I've been using gpg for years. Heck I even set a couple of :map key lines in my ~/.vimrc to automatically replace the file contents with a clearsigned version of them. I ONLY ever invoke gpg in terminal windows such as konsole and on virtual consoles such as tty1.

I also have embedded gpg commands in a few bash scripts.

Now it never bothers me when I can verify a signed file is intact without using my passphrase. Nor do I really want to have to enter the passphrase for a shell script to automatically encrypt a file. But when it comes to signing a file, the passphrase is the only way to ensure that I'm actually the one at the keyboard, "signing" the file. And to decrypt anything I thought sensitive, or private enough to bother encrypting in the first place, absolutely. In fact I expect to have to enter the passphrase every single time I invoke gpg to either sign or decrypt a file. Even if I just decrypted or signed something a few seconds ago. (during those few seconds I might have had to go answer the door and possibly forgot to lock my PC...)

So it really bothers me that gpg2, as implemented in OpenSuSE 11.4, is insisting on either storing the passphrase in some cache, or storing the fact that I previously entered it at some pinentry prompt... That is to say, once I successfully enter the passphrase, I can decrypt another without being prompted for my passphrase again for several minutes.

And I can't figure out how to configure gpg2 to ALWAYS require a NEW authentication each and every time it either signs or decrypts a file. Is this still possible? Cause as it is I'm thinking of uninstalling gpg2 from my OpenSuSE.

Is there some way to force this behavior???

TIA

--
JtWdyP
 
Old 09-17-2011, 11:18 AM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Going out on a limb here, because I haven't used suse in years. And I'm an active gpg1 user. But I did find this in the documentation:
http://www.gnupg.org/documentation/m...n-Options.html
Quote:
--no-use-agent
This is dummy option. gpg2 always requires the agent.
It's gpg-agent that is caching your key. And it appears gpg2 requires gpg-agent to be running. Best I can suggest is to dig around on your system for a way to tweak the gpg-agent settings. Make the cache expire in 1 second or so.
 
Old 09-17-2011, 01:15 PM   #3
jtwdyp
Member
 
Registered: Apr 2011
Distribution: antiX, Mageia, OpenSUSE, etc... I multi-boot
Posts: 36

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by anomie View Post
Going out on a limb here, because I haven't used suse in years. And I'm an active gpg1 user.
So would I be if I knew how to get zypper to put it back...

Quote:
Originally Posted by anomie
But I did find this in the documentation:
http://www.gnupg.org/documentation/m...n-Options.html

It's gpg-agent that is caching your key. And it appears gpg2 requires gpg-agent to be running. Best I can suggest is to dig around on your system for a way to tweak the gpg-agent settings. Make the cache expire in 1 second or so.
That's why I started this thread. I can't find what to tweak where to get gpg2 (and/or gpg-agent) to behave as much like gpg1 as it does on my other up to date Linux installations. {My Desktop multi-boots OpenSuSE, Ubuntu, PCLinuxOS, Arch, & Sabayon.} But it's only on OpenSuSE that I see this behavior, and I can't find a significant difference in the user settings.
I'm not a gpg expert. I barely understand enough of the docs to use the few features I bother with. Most of the documentation might as well be in Greek. And I'm talking about GPG1. When I try to understand what they did with gpg2, well, it reminds me of why I haven't embraced grub2 yet {except that I did learn something about grub2 from an on-line discussion I tripped over about how to get it to use LABEL=unique-label instead of UUID=gibberish...}
But getting back to gpg2, I was hoping that somebody here might know how to either disable this caching behavior, or at least cause the cache involved to expire in less than 10 seconds.
But wherever this setting is, I can't find it. {sigh}
 
Old 09-19-2011, 02:59 AM   #4
jtwdyp
Member
 
Registered: Apr 2011
Distribution: antiX, Mageia, OpenSUSE, etc... I multi-boot
Posts: 36

Original Poster
Rep: Reputation: 0
The caching issue was a tough egg to crack. It seems that the component responsible for that was gpg-agent.

I had suspected as much and had previously extracted the following from
man gpg-agent:

Code:
OPTIONS
       --options file
              Reads configuration from file instead of from the  default  per-
              user  configuration  file.   The  default  configuration file is
              named ‘gpg-agent.conf’ and expected in  the  ‘.gnupg’  directory
              directly below the home directory of the user.
And:

Code:
      --default-cache-ttl n
              Set the time a cache entry is valid to n seconds. The default
              is 600 seconds.
But this didn't seem to work because when I created the file:

~/.gnupg/gpg-agent.conf

with this line in it:

--default-cache-ttl 5

gpg-agent complained about an invalid option...

However I finally tripped over this in a google search:

http://www.gnupg.org/documentation/m...iguration.html

Where there was something that I feel SHOULD have been in the man document:

Quote:
It may contain any valid long option; the leading two dashes may not be entered and the option may not be abbreviated.

Turns out all I needed to do was to put THIS line in ~/.gnupg/gpg-agent.conf:

default-cache-ttl 5

instead of:

--default-cache-ttl 5

Anyway, the problem, it is solved.
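
Added example, not part of the original posts: a small check for the two things this thread turned on, an option written with leading dashes in gpg-agent.conf and a default-cache-ttl that is unset or longer than wanted. The function name check_agent_conf and the 5 second limit are assumptions made for illustration; the 600 second default is the one quoted from the man page above.

```shell
#!/bin/sh
# Added example: lint a gpg-agent.conf for the two issues in this thread.
# check_agent_conf is a hypothetical helper; the 5 s limit is an assumed policy.

# Usage: check_agent_conf FILE [LIMIT_SECONDS]
# Prints one finding per line; returns 0 when the file is clean, 1 otherwise.
check_agent_conf() {
    conf=$1
    limit=${2:-5}
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf: built-in default of 600 s applies"
        return 1
    fi
    awk -v limit="$limit" '
        BEGIN { bad = 0; seen = 0 }
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        $1 ~ /^--/ {                           # CLI-style spelling, rejected in the file
            printf "line %d: remove leading dashes from %s\n", NR, $1
            bad = 1; next
        }
        $1 == "default-cache-ttl" { ttl = $2; seen = 1 }
        END {
            if (!seen) {
                print "default-cache-ttl not set: built-in default of 600 s applies"
                bad = 1
            } else if (ttl !~ /^[0-9]+$/) {
                printf "default-cache-ttl value is not a number: %s\n", ttl
                bad = 1
            } else if (ttl + 0 > limit) {
                printf "default-cache-ttl %d exceeds limit of %d s\n", ttl, limit
                bad = 1
            }
            exit bad
        }' "$conf"
}

# Constructed sample: the rejected spelling from the thread, then the accepted one.
sample=$(mktemp)
printf '%s\n' '--default-cache-ttl 5' 'default-cache-ttl 5' > "$sample"
check_agent_conf "$sample" || true   # reports line 1 only
rm -f "$sample"
```

To check a real setup, call `check_agent_conf "$HOME/.gnupg/gpg-agent.conf"`.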
 
  

