Re: [gentoo-user] What do you think about pam-gnupg?

2023-03-01 Thread Grant Taylor

On 3/1/23 7:10 AM, efeizbudak wrote:
> Hi all,

Hi,

> I let mutt-wizard set a cron job which takes my password out
> of pass, logs into the email server and fetches my mail every
> 5 minutes.

Can you re-architect this as a (pseudo) daemon so that you unlock it
once (or at least a LOT less often) and it stores the necessary
information in memory for subsequent re-use?

> With this I have to unlock my key as frequently as the amount in
> gpg-agent.conf's default-cache-ttl setting.

:-/

> pam-gnupg has been suggested as a remedy to this problem but the
> disclaimer on its page about dangerous bugs makes me hesitant to use
> it. What do you think about the security of it? It's only 500 SLOC
> but I don't trust myself with reviewing the security of it.


I don't relish the idea of giving something the keys to the kingdom.

Could you re-configure things so that (a copy of) the requisite password 
is accessible via a different set of GPG credentials specific to the 
process that you're running?  Then you could probably have just that set 
of GPG credentials unprotected so that the script could use them as it 
is today.


If neither of these options were possible I'd look into something like a 
TPM and / or Yubikey wherein I could offload some of the GPG to it so 
that the decryption key is physically tied to the source computer /and/ 
*where* *it* *can't* *be* *copied*.


I might also look into other authentication methods, e.g. TLS client 
certificate, so that the script can do what it needs to without needing 
to bother with GPG.




--
Grant. . . .
unix || die
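Grant's second suggestion, a separate set of GPG credentials scoped to the fetch job, written up as an added shell example; it is not code from the thread, from mutt-wizard or from pass. It assumes the mail credentials live under a `mail/` subfolder of the password store, uses `mail-fetch` as a placeholder key name, and relies on GnuPG's documented unattended key-generation parameter format and on `pass init -p` for per-subfolder re-encryption.

```shell
#!/bin/sh
# Added example (not from the thread): give the fetch job its own GPG key and
# re-encrypt only the mail entries of the password store to it.
# Assumptions: the mail credentials live under a "mail/" subfolder of the store,
# the key name "mail-fetch" is a placeholder, and gpg/pass are on PATH.

# gen_key_params NAME -> prints a GnuPG unattended key-generation parameter block.
# %no-protection creates the key without a passphrase, so nothing ever asks
# pinentry for it; the key is then protected only by the mode 700 ~/.gnupg directory.
gen_key_params() {
    cat <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $1
Name-Comment: unattended mail fetch
Expire-Date: 1y
%commit
EOF
}

# key_fingerprint NAME -> prints the fingerprint of the first key whose uid matches NAME.
# In --with-colons output the "fpr" record carries the fingerprint in field 10.
key_fingerprint() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# create_fetch_key NAME: generate the passphrase-less key and print its fingerprint.
create_fetch_key() {
    gen_key_params "$1" | gpg --batch --generate-key
    key_fingerprint "$1"
}

# scope_store_subfolder SUBFOLDER FPR...: re-encrypt SUBFOLDER (and only it) to the
# listed keys. pass re-encrypts the existing entries under that path on init.
# Listing your own key as well keeps the entries readable interactively.
scope_store_subfolder() {
    sub=$1
    shift
    pass init -p "$sub" "$@"
}

# Usage (interactive; the commands below touch the real keyring and store):
#   fpr=$(create_fetch_key mail-fetch)
#   scope_store_subfolder mail "$(key_fingerprint your-own-uid)" "$fpr"
#   # afterwards the cron job's `pass show mail/...` decrypts without pinentry
```

The layout limits what the unattended process can read to the `mail/` entries rather than the whole store, while your own key stays listed so interactive `pass show` keeps working. Because the fetch key has no passphrase, its only protection is filesystem permissions on `~/.gnupg`, so that directory and the store should stay on local, non-synced paths and the key should be given nothing beyond the mail subfolder.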



Re: [gentoo-user] What do you think about pam-gnupg?

2023-03-01 Thread Matt Connell
On Wed, 2023-03-01 at 09:10 -0500, efeizbudak wrote:
> I let mutt-wizard set a cron job which takes my password out of pass,
> logs into the email server and fetches my mail every 5 minutes. With
> this I have to unlock my key as frequently as the amount in
> gpg-agent.conf's default-cache-ttl setting.

I don't have any thoughts on the pam module, but I make use of some
scripts that rely on pass as well.  For my use case I just raised the
TTL setting of gpg-agent to match an eight hour work day or eight hour
evening period and ran with it.  Feels fairly natural to "log in" to
the agent once a day at the first use.

Disclaimer: I work from home and lock my computers when I'm away from
them.
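Matt's approach, an eight-hour agent cache, as an added shell example that is not from the thread. It writes both `default-cache-ttl` and `max-cache-ttl`: `default-cache-ttl` is reset every time the cached key is used, so a fetch every five minutes keeps the entry alive indefinitely, while `max-cache-ttl` (7200 seconds by default) expires it regardless of use, so raising only the first setting would still force a re-unlock after two hours. The config path and the hour count are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: write an N-hour cache policy into a gpg-agent.conf and reload
# the agent. Assumptions: CONF and HOURS come from the caller; only
# apply_agent_ttl talks to the running agent.

# ttl_seconds HOURS -> prints HOURS converted to seconds.
ttl_seconds() {
    echo $(( $1 * 3600 ))
}

# write_agent_ttl CONF HOURS
# Rewrites CONF so both TTL keys equal HOURS. Existing TTL lines are dropped so
# the file carries exactly one policy; every other setting is kept as-is.
write_agent_ttl() {
    conf=$1
    secs=$(ttl_seconds "$2")
    tmp="$conf.tmp"
    if [ -f "$conf" ]; then
        grep -v -E '^(default|max)-cache-ttl[[:space:]]' "$conf" > "$tmp" || :
    else
        : > "$tmp"
    fi
    # default-cache-ttl restarts its timer on every access, so a 5-minute cron
    # never lets it expire; max-cache-ttl (default 7200 s) is the hard limit.
    # Both must be raised, otherwise the agent still forgets the key after 2 h.
    printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$secs" "$secs" >> "$tmp"
    mv "$tmp" "$conf"
}

# read_agent_ttl CONF KEY -> prints the value of KEY from CONF (empty if unset).
read_agent_ttl() {
    awk -v k="$2" '$1 == k { print $2 }' "$1"
}

# apply_agent_ttl: make the running agent re-read its config without a restart.
apply_agent_ttl() {
    gpg-connect-agent reloadagent /bye
}

# Usage: write_agent_ttl "$HOME/.gnupg/gpg-agent.conf" 8 && apply_agent_ttl
```

An eight-hour window means a compromised session can use the key for up to eight hours without a prompt, which is why this only makes sense together with locking the screen when away, as Matt notes.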




[gentoo-user] What do you think about pam-gnupg?

2023-03-01 Thread efeizbudak
Hi all,

I let mutt-wizard set a cron job which takes my password out of pass,
logs into the email server and fetches my mail every 5 minutes. With
this I have to unlock my key as frequently as the amount in
gpg-agent.conf's default-cache-ttl setting. pam-gnupg has been suggested
as a remedy to this problem but the disclaimer on its page about
dangerous bugs makes me hesitant to use it. What do you think about the
security of it? It's only 500 SLOC but I don't trust myself with
reviewing the security of it.

-- 
All the best,
Efe

The funny quote of this email is trivial and left as an exercise.
