pass phrase
I was wondering about the access method used to get the pass phrase into
gpg. The only method allowed is via fd, which is a major pain when using
a script language that doesn't allow direct access to fd numbers.

I know very little yet about security, but could someone please tell me
what security justification there is for making access to the passphrase
so difficult?

----------------------------------------------------------------------------
Chuck Robey | Interests include C & Java programming,
New Year's Resolution: I | electronics, communications, and
will not sphroxify gullible| signal processing.
people into looking up | I run picnic.mat.net: FreeBSD-current(i386) and
fictitious words in the | jaunt.mat.net : FreeBSD-current(Alpha)|
dictionary. |
----------------------------------------------------------------------------
Re: pass phrase
You, Chuck Robey, wrote:

> I know very little yet about security, but could someone please tell me
> what security justification there is for making access to the passphrase
> so difficult?

Because on multi-user systems the password is easier to compromise with other
methods: for example, if you could enter it on the command line, a simple
ps -ax would reveal it on many unices.

On the other hand, the fd method is also not 100% secure; on some systems
users can access this information.

Examples on how to use this method in perl scripts exist in the pgp 2.6
documentation. I can mail the relevant parts to you if you're interested.
I have also once implemented this in a C++ program that I can also mail
(the programming is very sloppy compared to my current standards, but the
techniques can be easily copied).

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: pass phrase
On Wed, 19 Jan 2000, Johan Wevers wrote:

> Because on multi-user systems other methods are easier to compromise the
> password: for example, if you could enter it on the command line, a simple
> ps -ax would reveal it on many unices.
>
> On the other hand, the fd method is also not 100% secure, on some systems
> users can access this information.
>
> Examples on how to use this method in perl scripts exist in the pgp 2.6
> documentation. I can mail the relevant parts to you if you're interested.
> I have also once implemented this in a C++ program that I can also mail
> (the programming is very sloppy compared to my current standards, but the
> techniques can be easily copied).

I could do it myself in C++ or perl. Any idea how to do it in tclsh,
short of writing an installable command in C? In this environment, that
wouldn't be totally impossible, but certainly not my first choice. I'm
patching gpg into a running system. I can't find any way to access fd
numbers in tcl.


----------------------------------------------------------------------------
Chuck Robey | Interests include C & Java programming,
New Year's Resolution: I | electronics, communications, and
will not sphroxify gullible| signal processing.
people into looking up | I run picnic.mat.net: FreeBSD-current(i386) and
fictitious words in the | jaunt.mat.net : FreeBSD-current(Alpha)|
dictionary. |
----------------------------------------------------------------------------
Re: pass phrase
Chuck Robey, at 17:06 on Wed, 19 Jan 2000, wrote:

> I was wondering about the access method used to get the pass phrase into
> gpg. The only method allowed is via fd, which is a major pain when using
> a script language that doesn't allow direct access to fd numbers.

Please don't tell me you are using shell. Use Perl or some other
system-level scripting language. There are modules on CPAN for
interacting with GnuPG.

--
Frank Tobin http://www.neverending.org/~ftobin/

"To learn what is good and what is to be valued,
those truths which cannot be shaken or changed." Myst: The Book of Atrus

OpenPGP: 4F86 3BBB A816 6F0A 340F 6003 56FF D10A 260C 4FA3
Re: pass phrase
On Thu, Jan 20, 2000 at 09:31:16AM -0600, Frank Tobin wrote:
> There are modules on CPAN for interacting with GnuPG.

Thanks for the pointer. But those modules seem to depend on "SysV
compatible shared memory" and I want to use GnuPG on both GNU/Linux
and Windows NT. I've got it working fine on Linux, including being
able to use it via the Emacs crypt++ package. I want to do the same
on WinNT, but I haven't been able to get a wrapper working that can
pass the passphrase to gpg.

To the GnuPG developers:

I understand the security risk of putting the passphrase on the
command line, and I want to do it anyway. It's my system, let _me_
decide how secure I want it. Keep the FD interface for those who want
it, but please provide a command-line passphrase option for oddballs
like me.

If I can't get GnuPG to work on WinNT from Emacs, then I'm just going
to revert to PGP, which did work fine since it does allow passing a
passphrase on the command line.

--
Fred Yankowski fred@OntoSys.com tel: +1.630.879.1312
Principal Consultant www.OntoSys.com fax: +1.630.879.1370
OntoSys, Inc 38W242 Deerpath Rd, Batavia, IL 60510, USA
Re: pass phrase
On Thu, 20 Jan 2000, Frank Tobin wrote:

> Chuck Robey, at 17:06 on Wed, 19 Jan 2000, wrote:
>
> > I was wondering about the access method used to get the pass phrase into
> > gpg. The only method allowed is via fd, which is a major pain when using
> > a script language that doesn't allow direct access to fd numbers.
>
> Please don't tell me you are using shell. Use Perl or some other
> system-level scripting language. There are modules on CPAN for
> interacting with GnuPG.

I'm not, and neither do I have a choice of which tool to use. I'm using tcl
(because I'm adding gpg to a working system); it doesn't let me have the
fd's, and the only way out of it I have (because gpg gives me no option)
is to call a shell script. That's why I was wondering why the
restriction. If you know a way to pry fd's out of tcl, well, that'd be
appreciated. I'm trying to see if it'd be okay to write an installable
command.

You know, if you don't always assume others are stupid, you might have
figured that out yourself. I did give enough info above.


----------------------------------------------------------------------------
Chuck Robey | Interests include C & Java programming,
New Year's Resolution: I | electronics, communications, and
will not sphroxify gullible| signal processing.
people into looking up | I run picnic.mat.net: FreeBSD-current(i386) and
fictitious words in the | jaunt.mat.net : FreeBSD-current(Alpha)|
dictionary. |
----------------------------------------------------------------------------
Re: pass phrase
On Thu, 20 Jan 2000, Frank Tobin wrote:

> Please don't tell me you are using shell. Use Perl or some other
> system-level scripting language. There are modules on CPAN for

What's wrong with a shell script and some AWKing - I like it

--
Werner Koch at guug.de www.gnupg.org keyid 621CC013

Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html
Re: pass phrase
On Thu, 20 Jan 2000, Fred Yankowski wrote:

> compatible shared memory" and I want to use GnuPG on both GNU/Linux
> and Windows NT. I've got it working fine on Linux, including being

And there will be a similar mechanism available for the W32 version;
please note that this version is still considered to be in alpha
state.

> command line, and I want to do it anyway. It's my system, let _me_
> decide how secure I want it. Keep the FD interface for those who want
> it, but please provide a command-line passphrase option for oddballs

No. But you are free to change it yourself.


--
Werner Koch at guug.de www.gnupg.org keyid 621CC013

Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html
Re: pass phrase
On Thu, 20 Jan 2000, Werner Koch wrote:

> On Thu, 20 Jan 2000, Frank Tobin wrote:
>
> > Please don't tell me you are using shell. Use Perl or some other
> > system-level scripting language. There are modules on CPAN for
>
> What's wrong with a shell script and some AWKing - I like it

Using an auxiliary file seemed like a weakening of security. I asked a
friend of mine if this was so, he agreed it wasn't so good, which is why I
wanted to avoid even the one-liner shell script I'm currently calling as an
intermediary to gpg.

Isn't there a way to suppress the argument listing? I know that, under
FreeBSD current, you can't even see the environment unless you're root or
the owning user.


----------------------------------------------------------------------------
Chuck Robey | Interests include C & Java programming,
New Year's Resolution: I | electronics, communications, and
will not sphroxify gullible| signal processing.
people into looking up | I run picnic.mat.net: FreeBSD-current(i386) and
fictitious words in the | jaunt.mat.net : FreeBSD-current(Alpha)|
dictionary. |
----------------------------------------------------------------------------
Re: pass phrase
If you're writing in Tcl, why not something like this:

if [catch { exec gpg --batch --passphrase-fd 0 \
                --output ${dst} --decrypt ${src} \
                << "${passphrase}\n" } foo] {
    send_user "${foo}\n"
}
> On Thu, 20 Jan 2000, Werner Koch wrote:
>
> > On Thu, 20 Jan 2000, Frank Tobin wrote:
> >
> > > Please don't tell me you are using shell. Use Perl or some other
> > > system-level scripting language. There are modules on CPAN for
> >
> > What's wrong with a shell script and some AWKing - I like it
>
> Using an auxiliary file seemed like a weakening of security. I asked a
> friend of mine if this was so, he agreed it wasn't so good, which is why I
> wanted to avoid even the one-liner shell script I'm currently calling as a
> intermediary to gpg.
>
> Isn't there a way to suppress the argument listing? I know that, under
> FreeBSD current, you can't even see the environment unless you're root or
> the owning user.
Re: pass phrase
On Thu, 20 Jan 2000, Chip Christian wrote:

> If you're writing in Tcl, why not something like this:
>
> if [catch { exec gpg --batch --passphrase-fd 0 \
>                 --output ${dst} --decrypt ${src} \
>                 << "${passphrase}\n" } foo] {
>     send_user "${foo}\n"
> }


I was going to say, embedding the passphrase inside the tcl script would
be even worse security ... then I noticed you used a variable ...

You mean use the script itself to read the passphrase file, then using the
piece above to do it? Now that's a decent idea ...

----------------------------------------------------------------------------
Chuck Robey | Interests include C & Java programming,
New Year's Resolution: I | electronics, communications, and
will not sphroxify gullible| signal processing.
people into looking up | I run picnic.mat.net: FreeBSD-current(i386) and
fictitious words in the | jaunt.mat.net : FreeBSD-current(Alpha)|
dictionary. |
----------------------------------------------------------------------------
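Johan's point about ps, Chip's Tcl one-liner and Chuck's idea of letting the script read the passphrase file itself are all one pattern: the secret travels over a file descriptor the child inherits, never over argv. What follows is an added example, not code from this thread and not GnuPG's own code. gpg is replaced by a small constructed Python stand-in so it runs without gpg installed; the stand-in's --passphrase option is the hypothetical command-line option Fred asked for, present only to show what it would expose; the function names (pass_via_argv, pass_via_stdin, pass_via_pipe, load_passphrase) are mine. The stand-in reports its own argv as /proc/self/cmdline (what ps shows, on Linux), so the leak is observed rather than assumed.

```python
import os
import stat
import subprocess
import sys
import tempfile

# Stand-in for gpg (constructed for this example). It takes the secret the
# way it was told to, then reports its own argv exactly as ps(1) would show
# it to another user: from /proc/self/cmdline on Linux, sys.argv elsewhere.
CHILD_SOURCE = r'''
import os, sys
args = sys.argv[1:]
if "--passphrase-fd" in args:
    fd = int(args[args.index("--passphrase-fd") + 1])
    with os.fdopen(fd, "r", closefd=False) as f:
        secret = f.readline().rstrip("\n")
elif "--passphrase" in args:                     # hypothetical option
    secret = args[args.index("--passphrase") + 1]
else:
    sys.exit("no passphrase supplied")
try:
    with open("/proc/self/cmdline", "rb") as f:
        visible = f.read().rstrip(b"\0").decode().split("\0")
except OSError:
    visible = list(sys.argv)
print(len(secret))                               # never echo the secret
print("\0".join(visible[-len(args):]))           # just the gpg-style args
'''


def _run_stand_in(args, stdin_text=None, pass_fds=()):
    """Spawn the stand-in with gpg-style args and return
    (secret_length_seen_by_child, argv_as_visible_to_ps)."""
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as f:
        f.write(CHILD_SOURCE)
        path = f.name
    try:
        proc = subprocess.run([sys.executable, path] + args,
                              input=stdin_text, capture_output=True,
                              text=True, pass_fds=pass_fds, check=True)
    finally:
        os.unlink(path)
    seen, visible = proc.stdout.rstrip("\n").split("\n")
    return int(seen), visible.split("\0")


def pass_via_argv(secret):
    """The command-line option Fred asked for: the secret becomes part of
    argv, so it is in what ps prints wherever other users' args are shown."""
    return _run_stand_in(["--passphrase", secret])


def pass_via_stdin(secret):
    """Chip's Tcl pattern: --passphrase-fd 0 with the secret on stdin."""
    return _run_stand_in(["--passphrase-fd", "0"], stdin_text=secret + "\n")


def pass_via_pipe(secret):
    """A dedicated pipe, which leaves stdin free for the ciphertext. The
    write end is filled and closed before the spawn, so the child reads the
    secret and then sees EOF (a passphrase fits the pipe buffer; a wrapper
    streaming anything larger would write from a thread instead)."""
    r, w = os.pipe()
    try:
        os.write(w, (secret + "\n").encode())
    finally:
        os.close(w)
    try:
        return _run_stand_in(["--passphrase-fd", str(r)], pass_fds=(r,))
    finally:
        os.close(r)


def file_mode_is_private(mode):
    """True if a passphrase file's st_mode grants nothing to group/other."""
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))


def load_passphrase(path):
    """Chuck's approach: the wrapper reads the passphrase file itself and
    hands the secret to gpg over a fd, so no shell intermediary sees it.
    The file is now the weak point, so refuse one other users can read."""
    if not file_mode_is_private(os.stat(path).st_mode):
        raise PermissionError("%s is readable by group/other; chmod 600 it"
                              % path)
    with open(path) as f:
        return f.readline().rstrip("\n")


if __name__ == "__main__":
    for name, fn in (("argv", pass_via_argv), ("stdin", pass_via_stdin),
                     ("pipe", pass_via_pipe)):
        seen, visible = fn("correct horse")
        print("%-5s child read %d chars; ps shows: %r" % (name, seen, visible))
```

Running it shows the argv variant's reported command line containing the secret, while both fd variants report only the option and a descriptor number. pass_fds is POSIX-only, so on Fred's WinNT case only the stdin form applies. The fd route narrows the exposure rather than removing it, which is Johan's caveat: the secret still exists in the parent and in the pipe, and the passphrase file behind Chuck's approach is only as safe as its permissions.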
Re: pass phrase
Concerning my suggestion to add a command-line option to provide the
passphrase ...

On Thu, Jan 20, 2000 at 06:54:01PM +0100, Werner Koch wrote:
> No. But you are free to change it yourself.

I certainly could. Or I could write my own PGP-equivalent -- it's
only software after all. But I've got better things to do, so I'm
heading back to PGP, regretting only that I wasted my time with
GnuPG.

--
Fred Yankowski fred@OntoSys.com tel: +1.630.879.1312
Principal Consultant www.OntoSys.com fax: +1.630.879.1370
OntoSys, Inc 38W242 Deerpath Rd, Batavia, IL 60510, USA
Re: pass phrase
Chuck Robey, at 13:36 on Thu, 20 Jan 2000, wrote:

> Isn't there a way to suppress the argument listing? I know that, under
> FreeBSD current, you can't even see the environment unless you're root or
> the owning user.

In FreeBSD-STABLE, the only reason you are able to see the arguments of
other people's processes is because programs such as 'ps' and 'top' are
setgid "kmem"; without kernel-memory access via the group kmem, you can
only read the arguments of your vectors.

--
Frank Tobin http://www.neverending.org/~ftobin/

"To learn what is good and what is to be valued,
those truths which cannot be shaken or changed." Myst: The Book of Atrus

OpenPGP: 4F86 3BBB A816 6F0A 340F 6003 56FF D10A 260C 4FA3
Re: pass phrase
Werner Koch, at 18:51 on Thu, 20 Jan 2000, wrote:

> > Please don't tell me you are using shell. Use Perl or some other
> > system-level scripting language. There are modules on CPAN for
>
> What's wrong with a shell script and some AWKing - I like it

The problem is that Perl has features in it designed for security (e.g.,
Taint mode). You can be much more careful about processing information
when in Perl than you can with awk and friends.

--
Frank Tobin http://www.neverending.org/~ftobin/

"To learn what is good and what is to be valued,
those truths which cannot be shaken or changed." Myst: The Book of Atrus

OpenPGP: 4F86 3BBB A816 6F0A 340F 6003 56FF D10A 260C 4FA3
Re: pass phrase
Werner Koch, at 18:54 on Thu, 20 Jan 2000, wrote:

> > command line, and I want to do it anyway. It's my system, let _me_
> > decide how secure I want it. Keep the FD interface for those who want
> > it, but please provide a command-line passphrase option for oddballs
>
> No. But you are free to change it yourself.

Personally, I'd like to hear an argument from Werner about this. True, on
some systems such as Linux, one does not require special privileges to
read other's arguments, but on other systems, such as FBSD, it requires
kmem access. If the setgid flags are removed from certain files, one
cannot see other's arguments, hence nullifying the problem with seeing
other's arguments.

--
Frank Tobin http://www.neverending.org/~ftobin/

"To learn what is good and what is to be valued,
those truths which cannot be shaken or changed." Myst: The Book of Atrus

OpenPGP: 4F86 3BBB A816 6F0A 340F 6003 56FF D10A 260C 4FA3
Re: pass phrase
Fred Yankowski, at 10:23 on Thu, 20 Jan 2000, wrote:

> Thanks for the pointer. But those modules seem to depend on "SysV
> compatible shared memory" and I want to use GnuPG on both GNU/Linux
> and Windows NT. I've got it working fine on Linux, including being
> able to use it via the Emacs crypt++ package. I want to do the same
> on WinNT, but I haven't been able to get a wrapper working that can
> pass the passphrase to gpg.

Ummm, my module doesn't (PGP::GPG::MessageProcessor) :) I solely use
pipes to interact with GnuPG. I take it you were looking at GnuPG.pm
(which I don't even see on CPAN).

--
Frank Tobin http://www.neverending.org/~ftobin/

"To learn what is good and what is to be valued,
those truths which cannot be shaken or changed." Myst: The Book of Atrus

OpenPGP: 4F86 3BBB A816 6F0A 340F 6003 56FF D10A 260C 4FA3
Re: pass phrase
You, Chuck Robey, wrote:

> I could do it myself in C++ or perl. Any idea how to do it in tclsh,

Sorry, I don't even know what tclsh is. If it is something similar to Tcl, I
don't know how to program in that language.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: pass phrase
On Thu, 20 Jan 2000, Frank Tobin wrote:

> Chuck Robey, at 13:36 on Thu, 20 Jan 2000, wrote:
>
> > Isn't there a way to suppress the argument listing? I know that, under
> > FreeBSD current, you can't even see the environment unless you're root or
> > the owning user.
>
> In FreeBSD-STABLE, the only reason you are able to see the arguments of
> other people's processes is because programs such as 'ps' and 'top' are
> setgid "kmem"; without kernel-memory access via the group kmem, you can
> only read the arguments of your vectors.

Yeah, that was changed in current. There was serious discussion about
removing all access to the environment and args from ps, but it was
considered too important to sys admins to take it all out, so it was
limited to root and the owning user. ps isn't setgid kmem anymore.


----------------------------------------------------------------------------
Chuck Robey | Interests include C & Java programming,
New Year's Resolution: I | electronics, communications, and
will not sphroxify gullible| signal processing.
people into looking up | I run picnic.mat.net: FreeBSD-current(i386) and
fictitious words in the | jaunt.mat.net : FreeBSD-current(Alpha)|
dictionary. |
----------------------------------------------------------------------------
Re: pass phrase
On Thu, 20 Jan 2000, Chuck Robey wrote:

> On Thu, 20 Jan 2000, Frank Tobin wrote:
>
> > Chuck Robey, at 13:36 on Thu, 20 Jan 2000, wrote:
> >
> > > Isn't there a way to suppress the argument listing? I know that, under
> > > FreeBSD current, you can't even see the environment unless you're root or
> > > the owning user.
> >
> > In FreeBSD-STABLE, the only reason you are able to see the arguments of
> > other people's processes is because programs such as 'ps' and 'top' are
> > setgid "kmem"; without kernel-memory access via the group kmem, you can
> > only read the arguments of your vectors.
>
> Yeah, that was changed in current. There was serious discussion about
> removing all access to the environment and args from ps, but it was
> considered too important to sys admins to take it all out, so it was
> limited to root and the owning user. ps isn't setgid kmem anymore.

Let me edit myself, because that last statement is wrong. Ps used to get
its stuff from /proc; that's changed. It IS setgid, but only shows
the environment if you're the process owner or root (in -current).

----------------------------------------------------------------------------
Chuck Robey | Interests include C & Java programming,
New Year's Resolution: I | electronics, communications, and
will not sphroxify gullible| signal processing.
people into looking up | I run picnic.mat.net: FreeBSD-current(i386) and
fictitious words in the | jaunt.mat.net : FreeBSD-current(Alpha)|
dictionary. |
----------------------------------------------------------------------------
Re: pass phrase
On Thu, 20 Jan 2000, Johan Wevers wrote:

Hi,

> > I could do it myself in C++ or perl. Any idea how to do it in tclsh,
>
> Sorry, I don't even know what tclsh is. If it is something similar as Tcl, I
> don't know how to program in that language.

tclsh is a simple shell containing the Tcl interpreter.

Regards,
Thomas
--
Thomas Bader <thomasb@trash.net>, Powered by LINUX 2.2
Infos und Tipps zu Linux, HOWTOs des DLHP <http://www.t-bader.ch/>
=> ICQ: 46323601
Re: pass phrase
On Fri, 21 Jan 2000, Thomas Bader wrote:

> On Thu, 20 Jan 2000, Johan Wevers wrote:
>
> Hi,
>
> > > I could do it myself in C++ or perl. Any idea how to do it in tclsh,
> >
> > Sorry, I don't even know what tclsh is. If it is something similar as Tcl, I
> > don't know how to program in that language.
>
> tclsh is a simple shell containing the Tcl interpreter.

I ought to chime in here that Chip Christian posted a nice suggestion
which I turned into working fix; I was able to eliminate my external shell
script assist.


----------------------------------------------------------------------------
Chuck Robey | Interests include C & Java programming, FreeBSD,
chuckr@picnic.mat.net | electronics, communications, and signal processing.

New Year's Resolution: I will not sphroxify gullible people into looking up
fictitious words in the dictionary.
----------------------------------------------------------------------------
Re: pass phrase
Fred Yankowski <fred@ontosys.com> writes:

> I certainly could. Or I could write my own PGP-equivalent -- it's
> only software after all. But I've got better things to do, so I'm
> heading back to PGP, regretting only that I wasted my time with
> GnuPG.

pity, a hack opportunity declined.

thi