Mailing List Archive

How to authenticate permissions of a local user?
I'm new to this list, so I'm sorry if this turns out to be an issue
which has been frequently discussed on this list.

I was hoping to use GnuPG as an automatic user authentication scheme
between two separate networks.

I was hoping to be able to create an authentication script which, when
run, would take the user's requested command, verify that the user has
permissions to do that operation based on the local network permissions
(for this application, these are simple file permissions), and then sign
the command.

That command would then be sent to the remote network. After verifying
that the signature was valid, and that the command was something it
supported implementing remotely (in this case, application specific),
the remote network would implement the command.

The problem is the passphrase for the local network authentication
script. I'm not sure how to get it to GPG without giving it to the
users (which would defeat the whole purpose of the authentication
script).

My initial intent was that I would have a setuid script which would read
in the passphrase from a file which is only readable by the owner of the
authentication script. It would then fork & exec GPG, redirecting its
stdin & stdout to allow the authentication script to send the passphrase
and the command to be signed. I now see that GPG is taking its I/O from
the tty instead of stdin/stdout, so I can't do that.

There may very well be a security hole here which I have overlooked if I
was able to pull this off (feel free to point it out if so).

Does anyone have any suggestions? Alternate solutions?

Thanks in advance for any help.
Re: How to authenticate permissions of a local user?
> <snip>
>
> The problem is the passphrase for the local network authentication
> script. I'm not sure how to get it to GPG without giving it to the
> users (which would defeat the whole purpose of the authentication
> script).
>
> My initial intent was that I would have a setuid script which would read
> in the passphrase from a file which is only readable by the owner of the
> authentication script. It would then fork & exec GPG, redirecting its
> stdin & stdout to allow the authentication script to send the passphrase
> and the command to be signed. I now see that GPG is taking its I/O from
> the tty instead of stdin/stdout, so I can't do that.
>
> There may very well be a security hole here which I have overlooked if I
> was able to pull this off (feel free to point it out if so).
>
> Does anyone have any suggestions? Alternate solutions?
>
> Thanks in advance for any help.

Passphrases are really intended to certify the identity of the user running
the command - and need to be interactive. There *is* an option "--passphrase-fd"
which allows you to specify that the passphrase should be read from that
(numeric) FD, but the documentation *also* says "Don't use this option if
you can avoid it". Since you say you'd put the passphrase in a file only
readable by the SUID script, an alternative would be to use a key *without*
a passphrase stored in a keyring only readable by the SUID script. This is
equivalent in terms of the protection it gives.

--
David Pick
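The signing side of the design the original post describes, taking the --passphrase-fd route mentioned above (an added example, not code from either poster): a privileged helper decides on the caller's real uid against the target file's mode bits, then hands the passphrase to gpg over a dedicated pipe rather than the tty. The paths, key id, the read/write operation names and the --pinentry-mode flag (needed on gpg >= 2.1) are assumptions.

```python
import os
import stat
import subprocess
from typing import Iterable

# Mode bits checked per requested operation (assumed vocabulary for this example).
NEED = {"read": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
        "write": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)}


def permitted(st_mode: int, st_uid: int, st_gid: int,
              uid: int, gids: Iterable[int], op: str) -> bool:
    """Classic Unix owner/group/other check against the caller's *real* ids.
    Inside a setuid helper the effective uid is the service account, so the
    decision must never be based on geteuid()."""
    owner_bit, group_bit, other_bit = NEED[op]
    if uid == st_uid:
        return bool(st_mode & owner_bit)
    if st_gid in set(gids):
        return bool(st_mode & group_bit)
    return bool(st_mode & other_bit)


def authorize(path: str, op: str) -> bool:
    """Check the local file permission of the real user for `op` on `path`."""
    st = os.stat(path)
    return permitted(st.st_mode, st.st_uid, st.st_gid,
                     os.getuid(), os.getgroups(), op)


def sign_command(command: str, passphrase_file: str, key_id: str) -> str:
    """Clearsign `command` with the service key; the passphrase travels over a
    pipe that only the gpg child inherits, never through argv or the tty.
    --batch/--no-tty stop gpg from prompting; --pinentry-mode loopback makes
    gpg >= 2.1 honour --passphrase-fd (assumed gpg version)."""
    with open(passphrase_file, "rb") as f:  # file readable only by the helper's owner
        passphrase = f.read().rstrip(b"\n")
    rfd, wfd = os.pipe()
    proc = subprocess.Popen(
        ["gpg", "--batch", "--no-tty", "--pinentry-mode", "loopback",
         "--passphrase-fd", str(rfd), "-u", key_id, "--clearsign"],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, pass_fds=(rfd,))
    os.close(rfd)                 # the child keeps its own copy of the read end
    os.write(wfd, passphrase + b"\n")
    os.close(wfd)                 # EOF so gpg stops reading the passphrase fd
    out, _ = proc.communicate(command.encode() + b"\n")
    if proc.returncode != 0:
        raise RuntimeError("gpg signing failed")
    return out.decode()
```

The remote side still has to verify the signature and check the command against its own allow-list, as the original post says; this block only covers the local decision and signing step.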
Re: How to authenticate permissions of a local user?
On Wed, 16 Jun 1999, David Pick wrote:

> the command - and need to be interactive. There *is* an option "--passphrase-fd"
> which allows you to specify that the passphrase should be read from that
> (numeric) FD, but the documentation *also* says "Don't use this option if
> you can avoid it". Since you say you'd put the passphrase in a file only

This is not for technical reasons, but supplying a password automatically is
a security risk. That's why there is such a notice in the documentation.


cu
Michael
Re: How to authenticate permissions of a local user?
> Passphrases are really intended to certify the identity of the user running
> the command - and need to be interactive. There *is* an option "--passphrase-fd"
> which allows you to specify that the passphrase should be read from that
> (numeric) FD, but the documentation *also* says "Don't use this option if
> you can avoid it". Since you say you'd put the passphrase in a file only
> readable by the SUID script, an alternative would be to use a key *without*
> a passphrase stored in a keyring only readable by the SUID script. This is
> equivalent in terms of the protection it gives.

I didn't realize (or forgot) that you could create a key without a
passphrase.

I tried that method (passphrase in a keyring only readable by the setuid
script), and I got:
gpg: Ohhhh jeeee: ... this is a bug (rndunix.c:731:gather_random)

Within rndunix.c, it is intentionally bailing out because of my attempt
to use it in a setuid script:
    /* make sure we are not setuid */
    if( getuid() != geteuid() )
        BUG();

So I'm left with the somewhat more cumbersome --passphrase-fd (which I
haven't yet tried, but hopefully I'll be more successful).

I'm sorry that I completely overlooked this option (--passphrase-fd) and
bugged the list....

Thanks for your help David.
Re: How to authenticate permissions of a local user?
Art Hampton <arth@pacsg.css.mot.com> writes:

> Within rndunix.c, it is intentionally bailing out because of my attempt
> to use it in a setuid script:
>     /* make sure we are not setuid */
>     if( getuid() != geteuid() )
>         BUG();

Oh great! Doing such asserts seems to be a good thing.


--
Werner Koch at guug.de www.gnupg.org keyid 621CC013