Oh indeed! I didn't catch it at first glance that you were referring to that short moment between creating the file and chmod 0600! I thought I missed something with secure file permissions. :-)
I could only say that I was "blinded by the light" you shed, but I won't. Thanks!

Stephan

Peter Lebbing:
> On 25/11/16 14:36, Stephan Beck wrote:
>> Would you please describe more in detail where (or in which way, in
>> which use case) the window is left open?
>
> Let me reuse a bit of quote from an earlier mail:
>
>>>> A2) Export the secret subkey you'd like to use for ssh authentication
>>>> purposes and pipe it through openpgp2ssh
>>>>   gpg2 --export-secret-subkeys \
>>>>     --export-options export-reset-subkey-passwd [keyID!] | \
>>>>     openpgp2ssh [keyID] > gpg-auth-keyfile
>
> Here a file is created with most likely mode 0644. It contains an
> unencrypted private key, and anyone being quick about it can read the
> file until you have time to type....
>
>>>>
>>>> A3) Set correct permissions
>>>>
>>>>   chmod 0600 gpg-auth-keyfile
>
> ... and from this moment on it is secure.
>
> If somebody knew beforehand you were going to do this on a multi-user
> system, he could monitor likely directories programmatically and catch
> you in the act. Paranoia mode... on!
>
> HTH,
>
> Peter.
> _______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
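The window Peter describes above exists because the shell creates `gpg-auth-keyfile` with the process umask (commonly 022, giving mode 0644) before `chmod 0600` runs. The usual way to close it is to make the file restrictive at creation time rather than afterwards. The script below is an added example for this thread, not code from the thread or from GnuPG: it uses a subshell-local `umask 077` (a technique the thread itself does not mention) so the redirection target is 0600 from the first byte, and `set -C` (noclobber) so an existing, possibly 0644, file is never silently reused. `produce_key_material` is a hypothetical stand-in for the `gpg2 ... | openpgp2ssh` pipeline that emits a constructed placeholder instead of real key material; `file_mode` tries the GNU `stat -c '%a'` form first and falls back to the BSD `stat -f '%OLp'` form.

```shell
#!/bin/sh
# Added example (not from the thread): create the key file with mode 0600
# from the moment it exists, instead of creating it 0644 and fixing it later.

# Hypothetical stand-in for:
#   gpg2 --export-secret-subkeys --export-options export-reset-subkey-passwd [keyID!] | openpgp2ssh [keyID]
# It prints a constructed placeholder, not real key material.
produce_key_material() {
    printf '%s\n' \
        '-----BEGIN CONSTRUCTED PLACEHOLDER KEY-----' \
        'not-a-real-key' \
        '-----END CONSTRUCTED PLACEHOLDER KEY-----'
}

# Write the pipeline output to "$1" such that the file never exists with
# group/other permission bits set.
#   umask 077 : any file the shell creates for the redirection gets 0600
#   set -C    : refuse to truncate a pre-existing file (it would keep its old mode)
# Both settings live in a subshell, so the caller's umask and options are untouched.
write_private_file() {
    ( umask 077; set -C; produce_key_material > "$1" )
}

# Report the octal permission bits of "$1" (GNU stat first, BSD stat as fallback).
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# Demonstration on a constructed temporary file.
demo_dir=$(mktemp -d)
write_private_file "$demo_dir/gpg-auth-keyfile"
echo "gpg-auth-keyfile created with mode $(file_mode "$demo_dir/gpg-auth-keyfile")"
rm -rf "$demo_dir"
```

The umask only governs files the shell creates; a file that already exists keeps its mode when `>` truncates it, which is why the noclobber guard is there. The directory containing the file still needs to be one other users cannot read either, which this script does not change.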