May 2010 Archives

This story starts with SSH agents. Briefly, they’re programs which load your SSH keys and use them on behalf of SSH in order to authenticate to remote hosts. Very handy. Now you don’t need to type your password all the time.

When there’s no SSH agent running, your keys are usually encrypted, so you have to type a passphrase to tell the agent how to decrypt them. The default behaviour of the standard SSH is to bind a shinyfresh Unix-domain socket somewhere in /tmp and listen on it; it tells the SSH process how to find it using an environment variable. If you log in twice, you get two agents. Both of them need to be told your passphrase. This is annoying. Why do I need both? The answer appears to be that I want both because the agents’ lifetimes are tied to their respective sessions. All of this seems rather daft to me. Why not just have one agent, which listens on a well-known socket and lives on until it dies of natural causes? Now I only need to type my passphrase once each time the machine boots.

(Critics might argue that I’m extending my window of vulnerability to include times when I’m not logged in. True; but (a) I usually spend most of the time logged in, and (b) there’s only a sensible attack if the bad guy can run processes with my uid — and if he can do that, I’m already toast.)

Enter the Gnome keyring manager. It’s a handy-looking gadget which remembers secrets. It protects the secrets with a passphrase. By default, it uses your login password — which is somewhat sane, since if a bad guy knows your password, you’re toast anyway. And it gets your login password through PAM — when you log into GDM. It drops its keyring on the floor when you lock the screen, and picks it up again when you type your password again — again, through PAM. Quite clever, really.

So I twiddled my login profile to try to pick up gnome-keyring-daemon and set the environment variable from it. I managed to botch this edit in such a way that I ended up starting new gnome-keyring-daemon processes if I couldn’t contact the one that was already meant to be running. Oh, well.

Now I notice that — every now and then — lots of new gnome-keyring-daemon processes appear out of thin air. SSH logins provoke this, as you’d expect, but I don’t SSH into my laptop very often so this isn’t too bad.
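As an added example (not the post's own profile edit), here is the single long-lived agent the post argues for, together with the check the botched edit lacked: probe the well-known socket first and start a new daemon only when nothing answers, so a second login reuses the agent instead of spawning another. It assumes OpenSSH's ssh-agent and ssh-add and a private $HOME/.ssh; the names AGENT_SOCK, default_probe, default_start, agent_status and ensure_agent are the example's own, and the AGENT_PROBE/AGENT_START hooks exist only so the decision logic can be exercised without a live agent.

```shell
# Added example: one ssh-agent per user on a well-known socket, reused across
# logins. Not the post's actual profile; names and paths are assumptions.
# Assumes OpenSSH (ssh-agent, ssh-add) and that $HOME/.ssh is private to the user,
# so nobody else can plant or replace the socket file we test and remove.

AGENT_SOCK="${AGENT_SOCK:-$HOME/.ssh/agent.sock}"

# Probe the socket. Exit status follows `ssh-add -l`: 0 = agent answers and has
# keys, 1 = agent answers but holds no keys, 2 = nothing answering (or no socket).
default_probe() {
    [ -S "$1" ] || return 2
    SSH_AUTH_SOCK=$1 ssh-add -l >/dev/null 2>&1
}
# Hook so the logic below can be tested with a fake probe (assumption, not OpenSSH).
AGENT_PROBE="${AGENT_PROBE:-default_probe}"

# Classify the socket: prints "alive", "stale" (file present, nobody listening)
# or "missing". Only "alive" means an agent we can reuse.
agent_status() {
    sock=$1
    "$AGENT_PROBE" "$sock" && rc=0 || rc=$?
    if [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]; then
        echo alive
    elif [ -e "$sock" ]; then
        echo stale
    else
        echo missing
    fi
}

# Start an agent bound to the given path. `-a` makes ssh-agent listen there
# instead of on a fresh socket under /tmp; its printed env vars are not needed
# because we set SSH_AUTH_SOCK ourselves.
default_start() {
    ssh-agent -a "$1" >/dev/null
}
AGENT_START="${AGENT_START:-default_start}"

# Ensure exactly one agent: reuse it if alive, clear a stale socket, and start
# a new one only when necessary. Prints "reused" or "started" so callers can
# see which branch ran; exports SSH_AUTH_SOCK either way.
ensure_agent() {
    sock=$1
    case $(agent_status "$sock") in
        alive)
            echo reused ;;
        stale|missing)
            rm -f "$sock"
            mkdir -p "$(dirname "$sock")"
            "$AGENT_START" "$sock" || return 1
            echo started ;;
    esac
    export SSH_AUTH_SOCK=$sock
}

# Usage from ~/.profile (or whatever your login shell sources):
#   . "$HOME/.ssh/agent.sh" && ensure_agent "$AGENT_SOCK" >/dev/null
```

The important part is that the "start" branch is reached only after a probe has failed, which is exactly the distinction the post's profile edit got wrong: checking that a socket file exists is not the same as checking that a daemon is listening on it, and starting a daemon without any check at all is what produces the pile of stray processes. The same shape works for gnome-keyring-daemon's SSH agent if its socket path is substituted.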

About this Archive

This page is an archive of entries from May 2010 listed from newest to oldest.

Powered by Movable Type 5.2.13