Hi Ryan--
On Fri 2017-06-30 11:54:46 +0800, Ryan Lue wrote:
> But for some reason, it just doesn't work with `pinentry-curses`: SSH
> (GPG) key authentication fails silently, and the server falls back to
> password authentication. (I have made sure to set `$GPG_TTY`, so
> `pinentry-curses` works j
On 2017/06/30 20:27, Stefan Claas wrote:
> The idea with this scenario is that it can be carried out by people
> with no skills in hacking or compromising a computer, in small shops,
> companies for example, when one of the co-workers leaves his/her
> work place for a minute, or two etc.
Anybody w
On Fri, 30 Jun 2017 21:02:38 +0200, Peter Lebbing wrote:
> PS: As a final note, what prevents your attacker from grabbing your
> passphrase when you enter it? They control your computer! If you
> could use your passphrase to verify it was really you, they would
> immediately also have that passphr
On 30/06/17 20:54, Stefan Claas wrote:
> Good point! And what would be your proposal against this kind of
> attack?
On 30/06/17 18:38, Peter Lebbing wrote:
> There is *no* *way* to mitigate an attacker having your user privileges.
> :-) For me it is a) bad software design, with the same colors
>
On Fri, 30 Jun 2017 20:35:48 +0200, Peter Lebbing wrote:
> On 30/06/17 20:01, Stefan Claas wrote:
> > Correct. But what I mean was an attacker would replace one of my pub
> > keys (which i signed) with one he/she only replaced with one that
> > has only the Trust Level set to Ultimate, resulting in
On 30/06/17 20:01, Stefan Claas wrote:
> Correct. But what I mean was an attacker would replace one of my pub
> keys (which i signed) with one he/she only replaced with one that
> has only the Trust Level set to Ultimate, resulting in both keys
> showing up with a green bar.
And to mitigate this si
On Fri, 30 Jun 2017 18:38:45 +0200, Peter Lebbing wrote:
> Somebody could put their own public key in your keyring, assign that
> Ultimate trust, and then certify another public key they wish to pop
> up as valid. Ultimately trusted keys make other keys valid by their
> certification. There is no
On Fri, 30 Jun 2017 at 18:29:41 +0200, Peter Lebbing wrote:
> It would be really good if the SSH agent protocol would be extended to
> communicate on which tty a request comes in. Without updates to the SSH
> protocol, there is simply no way to know where it comes from.
I also hope some day this w
On 25/06/17 21:42, Stefan Claas wrote:
> I asked this already in this thread, do you know what TOFU does
> when a man in the middle would replace (theoretically) one of
> my pub keys, modify the TOFU database, sets the Trust Level
> to Ultimate and then sends a message to me.
That's not what a M
On 30/06/17 05:54, Ryan Lue wrote:
> Does it have something to do with the `$GPG_TTY` environment variable
> not being set on the SSH server?
Almost; it has to do with the GPG_TTY variable not being communicated to
the agent. The agent does not know on which tty the request for a
pinentry is made
Hello,
I have struggled with getting GPG keys to work for SSH authentication
for the better part of two days. I'm almost completely there, and would
like to ask gnupg-users' help in understanding this one last quirk.
To be brief, I have gpg-agent set up with ssh support enabled. I'm using an
aut
11 matches