gpg-agent/pinentry: How to verify calling application

gpg-agent/pinentry: How to verify calling application

Hartmut Knaack
Hi,
on my machine running Linux and a recent KDE/Plasma, pinentry-qt
occasionally starts right after logging in and asks for my passphrase.
Is there any way to track down, which process asks gpg-agent for my private
key? Preferably, I would like pinentry to inform, which process actually is
the source of the key request.
Thanks

Hartmut

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg-agent/pinentry: How to verify calling application

Daniel Kahn Gillmor-7
On Sat 2017-07-15 16:02:22 +0200, Hartmut Knaack wrote:
> on my machine running Linux and a recent KDE/Plasma, pinentry-qt
> occasionally starts right after logging in and asks for my passphrase.
> Is there any way to track down, which process asks gpg-agent for my private
> key? Preferably, I would like pinentry to inform, which process actually is
> the source of the key request.

pinentry itself doesn't know the source of the request, but gpg-agent
could use getsockopt(SO_PEERCRED) to get at least the requesting
process's pid, uid, and gid.

the pid is kind-of usable (with some possibility of a race) to learn
something about which process made the request, which gpg-agent could
pass on to the pinentry.

I don't think there's currently any plan to do anything like this, but
if you want it to happen, i recommend documenting the idea in a ticket
on https://dev.gnupg.org/ so that there's somewhere to keep track of it
and potentially collect proposed patches.

Regards,

   --dkg

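A sketch of the mechanism dkg describes, added here as an example and not GnuPG's own code: the agent end of a Unix socket reads SO_PEERCRED, looks up the peer's command line in /proc and builds the "[PID]@HOSTNAME (cmdline)" string that later posts in this thread say pinentry shows. The socketpair() demo stands in for a real gpg-agent connection, and the two reads of the process start time are one way to notice the PID-reuse race he mentions.

```python
import socket
import struct

# Linux struct ucred { pid_t pid; uid_t uid; gid_t gid; }: three 32-bit fields.
_UCRED = struct.Struct("iII")

def peer_credentials(conn):
    """(pid, uid, gid) of the process on the other end of a connected Unix socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)

def process_start_time(pid):
    """Kernel start time of pid (field 22 of /proc/<pid>/stat), or None if gone.
    Two reads with the same value mean the PID was not recycled in between."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            after_comm = f.read().rsplit(")", 1)[1]   # skip 'pid (comm)'
    except OSError:
        return None
    return int(after_comm.split()[19])   # fields 3.. follow the ')'

def process_cmdline(pid):
    """argv of pid from /proc, NUL separators turned into spaces; '' if gone."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            argv = f.read().rstrip(b"\0").split(b"\0")
    except OSError:
        return ""
    return " ".join(a.decode(errors="replace") for a in argv)

def describe_peer(conn, hostname=None):
    """Return ('[PID]@HOSTNAME (cmdline)', uid, gid), the form pinentry shows.
    The cmdline is blanked if the PID changed identity while we were reading it."""
    pid, uid, gid = peer_credentials(conn)
    before = process_start_time(pid)
    cmd = process_cmdline(pid)
    if before is None or process_start_time(pid) != before:
        cmd = ""
    return f"[{pid}]@{hostname or socket.gethostname()} ({cmd})", uid, gid

def demo(hostname="host"):
    """Agent and client in one process via socketpair(): the peer is ourselves."""
    agent_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return describe_peer(agent_end, hostname)
    finally:
        agent_end.close()
        client_end.close()
```

Note that the credentials are those of the process that connected to the agent, so a long-running helper (GPGME inside a desktop component, say) shows up as itself, not as the application behind it.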
Re: gpg-agent/pinentry: How to verify calling application

Shawn K. Quinn
In reply to this post by Hartmut Knaack
On 07/15/2017 09:02 AM, Hartmut Knaack wrote:
> Hi,
> on my machine running Linux and a recent KDE/Plasma, pinentry-qt
> occasionally starts right after logging in and asks for my passphrase.
> Is there any way to track down, which process asks gpg-agent for my private
> key? Preferably, I would like pinentry to inform, which process actually is
> the source of the key request.
> Thanks

This is a bit of a "duct tape" but you could try:

# chmod 000 `which pinentry-qt`

then reboot and see what program throws an error (besides GnuPG).

Don't forget to change it back when done testing.

--
Shawn K. Quinn <[hidden email]>
http://www.rantroulette.com
http://www.skqrecordquest.com



Re: gpg-agent/pinentry: How to verify calling application

Werner Koch
In reply to this post by Daniel Kahn Gillmor-7
On Sun, 16 Jul 2017 09:30, [hidden email] said:

> I don't think there's currently any plan to do anything like this, but

Actually this is implemented since GnuPG 2.1.19 (Debian has 2.1.18,
though) when used with a pinentry from Git after 2017-02-03.  There
you will see in the titlebar something like

  [PID]@HOSTNAME (gpg --clearsign)


Salam-Shalom,

   Werner

--
Thoughts are free.  Exceptions are regulated by a federal law.


Re: gpg-agent/pinentry: How to verify calling application

Hartmut Knaack
Werner Koch wrote on 16.07.2017 at 21:17:

> On Sun, 16 Jul 2017 09:30, [hidden email] said:
>
>> I don't think there's currently any plan to do anything like this, but
>
> Actually this is implemented since GnuPG 2.1.19 (Debian has 2.1.18,
> though) when used with a pinentry from Git after 2017-02-03.  There
> you will see in the titlebar something like
>
>   [PID]@HOSTNAME (gpg --clearsign)
>
This is much better. Somewhat of a problem is just that the pinentry window
is not resizable, so the window title gets cut off. I would say all this
information should better be put inside the window itself.
It would also be nice if you could release a new version, so distributors
can pick up and build it.
Thanks

Hartmut

>
> Salam-Shalom,
>
>    Werner
>



Re: gpg-agent/pinentry: How to verify calling application

Hartmut Knaack
In reply to this post by Shawn K. Quinn
Shawn K. Quinn wrote on 16.07.2017 at 09:48:

> On 07/15/2017 09:02 AM, Hartmut Knaack wrote:
>> Hi,
>> on my machine running Linux and a recent KDE/Plasma, pinentry-qt
>> occasionally starts right after logging in and asks for my passphrase.
>> Is there any way to track down, which process asks gpg-agent for my private
>> key? Preferably, I would like pinentry to inform, which process actually is
>> the source of the key request.
>> Thanks
>
> This is a bit of a "duct tape" but you could try:
>
> # chmod 000 `which pinentry-qt`
>
> then reboot and see what program throws an error (besides GnuPG).
>
> Don't forget to change it back when done testing.
>
Thanks for the hint. Unfortunately, it happens just very occasionally,
and I haven't figured out yet what the reason may be. I have been logging
on at least ten times, and even fully rebooted five times today, without
getting such a request.
I have now installed the git version of pinentry and will just wait for
this issue to happen next.
Thanks,

Hartmut


Re: gpg-agent/pinentry: How to verify calling application

Werner Koch
In reply to this post by Hartmut Knaack
On Mon, 17 Jul 2017 00:38, [hidden email] said:

> This is much better. Somewhat of a problem is just that the pinentry window
> is not resizable, so the window title gets cut off. I would say all this
> information should better be put inside the window itself.

Too much info for most users.  Adding a tooltip would be possible, though.

> It would also be nice, if you could release a new version, so distributors
> can pick up and build it.

Yes, that should be done.  (https://dev.gnupg.org/T3279)


Salam-Shalom,

   Werner

--
Thoughts are free.  Exceptions are regulated by a federal law.


Re: gpg-agent/pinentry: How to verify calling application

Hartmut Knaack
In reply to this post by Werner Koch
Werner Koch wrote on 16.07.2017 at 21:17:

> On Sun, 16 Jul 2017 09:30, [hidden email] said:
>
>> I don't think there's currently any plan to do anything like this, but
>
> Actually this is implemented since GnuPG 2.1.19 (Debian has 2.1.18,
> though) when used with a pinentry from Git after 2017-02-03.  There
> you will see in the titlebar something like
>
>   [PID]@HOSTNAME (gpg --clearsign)
>
I hope not to get too far off topic, but I encountered that suspicious
request of pinentry right after logging into KDE, again. So, with the PID it
provided, I checked with ps aux:

me        2486  0.0  0.0  34028  3940 ?        SL   21:46   0:00 gpg2 --enable-special-filenames --batch --no-sk-comments --status-fd 11 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --display :0 --ttyname kein Terminal --ttytype xterm --decrypt --output - -- -&14

And pstree outputs:

systemd---systemd---gpg2

When hitting cancel on that pinentry window, I get another window, stating
that kwallet wants to get access to my private key.
Any idea why this is happening or how I should proceed analysing? The only
legit process I would see should be my e-mail client.
Thanks,

Hartmut



Re: gpg-agent/pinentry: How to verify calling application

Peter Lebbing
On 19/07/17 00:10, Hartmut Knaack wrote:
>[...], I checked with ps aux:
>
> me        2486  0.0  0.0  34028  3940 ?        SL   21:46   0:00 gpg2 --enable-special-filenames --batch --no-sk-comments --status-fd 11 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --display :0 --ttyname kein Terminal --ttytype xterm --decrypt --output - -- -&14
>
> And pstree outputs:
>
> systemd---systemd---gpg2

Hah, that's not helpful, thanks, systemd! All we've learned is that
whatever is invoking gpg2 is using systemd for that, I suppose. Well,
*that* narrows it down! Perhaps you can find something with journalctl,
which allows you to read systemd logs, I dunno. I'm still pretty new to
the systemd world. I do intend to learn.

I never use pstree, I use ps's "f" (forest) option. Does that show the
same thing? If you just add the "f" to your options, it would be ps
faux, sounds French fake but will work :-). Is there anything
informative in the full command line of those systemd processes?

> When hitting cancel on that pinentry window, I get another window, stating
> that kwallet wants to get access to my private key.

That is a lot more informative. I believe kwallet is the credential
manager for KDE, keeping passwords and stuff.

I've got two guesses:

1) At some point you permitted kwallet to encrypt all your credentials
using your OpenPGP key. It is simply trying to decrypt your "wallet" so
it can be accessed.

2) It wants to add your private key to its credentials and manage it for
you from now on.

1) is pretty benign and actually cool, 2) might not be to your liking at
all. Personally, my neck hair rises remembering the way gnome-keyring
"interacted" with GnuPG back in the day. This is water under the bridge
now, gnome-keyring is a fine citizen again these days, and I thank them
for that.

However, I don't know kwallet other than its basic function. I hope my
contribution helps you along, small as it is.

HTH,

Peter.

PS: I just had a similar thing the other day where an ssh-agent was
launched against my will, but it had no parents at all in the process
tree! Cost me a long time of fruitless bug hunting until I thought of
replacing /usr/bin/ssh-agent with a shell script that logged "ps fx"
output at the moment it was invoked, when it still had a parent. Then
everything went quickly from there on.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


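The wrapper trick from Peter's PS, generalised to whatever binary is under investigation (in this thread that would be the gpg2 from Hartmut's ps output rather than ssh-agent); this is an added example, not something posted on the list or shipped by GnuPG. It records the invoking process chain while the parent is still alive, so the "systemd---gpg2" gap that pstree showed after reparenting does not appear, and then execs the real program. REAL_BINARY and LOG_FILE are assumed paths.

```python
import os
import sys
import time

# Constructed paths for the example: move the real binary aside and put this
# script at its original location (e.g. /usr/bin/gpg2), then watch the log.
REAL_BINARY = "/usr/bin/gpg2.real"     # assumption: where the real one was moved
LOG_FILE = "/tmp/gpg2-callers.log"     # assumption: created owner-only below

def proc_field(pid, key):
    """Value of one 'Key:\\tvalue' line from /proc/<pid>/status, or None."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith(key + ":"):
                    return line.split(":", 1)[1].strip()
    except OSError:
        pass
    return None

def ancestry(pid):
    """[(pid, comm), ...] from pid up to the process whose parent is PID 0.
    Walked at invocation time, before the caller can exit and be reparented."""
    chain = []
    while pid > 0:
        comm = proc_field(pid, "Name")
        if comm is None:                # process vanished mid-walk
            break
        chain.append((pid, comm))
        pid = int(proc_field(pid, "PPid") or 0)
    return chain

def format_record(chain, argv, when=None):
    """One log line: timestamp, our argv, then the ancestry as 'pid:comm' pairs."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(when))
    tree = " <- ".join(f"{p}:{c}" for p, c in chain)
    return f"{stamp} argv={argv!r} ancestry={tree}"

def main():
    record = format_record(ancestry(os.getppid()), sys.argv[1:])
    fd = os.open(LOG_FILE, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as log:
        log.write(record + "\n")
    # Hand over to the real program so the original invocation still works.
    os.execv(REAL_BINARY, [REAL_BINARY] + sys.argv[1:])

if __name__ == "__main__":
    main()
```

The argv in the record is what lets you match a log line to the ps output Hartmut pasted (the --decrypt invocation), and the ancestry names the process that was still alive as the parent at that instant.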

Re: gpg-agent/pinentry: How to verify calling application

Werner Koch
In reply to this post by Hartmut Knaack
On Wed, 19 Jul 2017 00:10, [hidden email] said:

> me        2486  0.0  0.0  34028  3940 ?        SL   21:46   0:00 gpg2 --enable-special-filenames --batch --no-sk-comments --status-fd 11 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --display :0 --ttyname kein Terminal --ttytype xterm --decrypt --output - -- -&14

FWIW: That looks like a gpg invocation via GPGME.


Salam-Shalom,

   Werner


--
Thoughts are free.  Exceptions are regulated by a federal law.
