No passphrase required

Henry Hertz Hobbit hhhobbit at securemecca.net
Tue Apr 23 01:54:35 CEST 2013


Both of my Linux systems were recently involved in a test of
about a dozen plus replacements for OpenSuse 11.4 and Ubuntu 10.04.

After all the experimenting was over I ended up with the same
operating systems but swapped with each having the OS that was
on the other machine before the experimentation started.  This
means the last great gasp of using Gnome 2.  I will have to
switch to KDE or something else but not for at least another
year. Gnome 3 is OUT as is Unity on Ubuntu!

Everything went fine and the ~/.gnupg folders are the same
except for the random_seed file. That worked before so why
shouldn't it work now?  Ubuntu 10.04 of course still uses gpg,
and OpenSuse 11.4 uses gpg2.  Then I signed the updated cookie
block list for the Firefox add-on named CookieSafe which I
create on the OpenSuse system.  Nothing was checked on the
options so I assumed I was using the default of a pass-phrase
requested each time I sign a file like it did before.

Less than a week went past until I signed my PAC filter files.
Lo and behold instead of being requested for the pass-phrase
for each of the twelve files they got signed with no questions
asked.  IMHO, this is an inherently dangerous situation.  But
searches were yielding nothing that made sense.  But I tried
every one of them (with a backup to scramble back to) in the
hopes that one of them would give me my pass-phrase request
back. The one that made the least sense was adding a certain
line to the ~/.xinitrc file.  With OpenSuse using KMS since
11.3 I can tell you that you should NOT create a ~/.xinitrc
file.  Because I have another user for damage control and for
ClamAV's AV, I tried it anyway, because at that point I was
getting frantic about a way to have the pinentry ask for my
pass-phrase again. Predictably, when I tried to login I just
got logged back out and was given the login screen.  I
repeated the test two more times with the exact same results
of me not being able to login. So I logged in as clamav and did:

1. started an xterm
2. su -l root
3. rm -f /home/ME/.xinitrc
4. In the xterm - control-D, control-D
5. Logged out as clamav.
6. logged in as me and put everything back the way it originally
   was.

But I still had the problem of not being asked for my pass-phrase.
At the very same URL as where they said to put the line in the
~/.xinitrc file they had this line to do a test:

echo "test" | gpg -ase -r 0xMYKEYID | gpg
(replace MYKEYID with what ever your key is)

I will ignore for the moment that you really have gpg2 on
OpenSuse because gpg is just a symlink to gpg2.  But the real
line should be:

$ echo "test" | gpg2 -ase -r 0xMYKEYID | gpg2

It doesn't matter because both work.  The first may NOT work
if you don't have a symlink of gpg pointing to gpg2. You get a
pinentry window!  So I hastily set it to require a pass-phrase
again.  Like I said, contents of the ~/.gnupg folder on both
systems are identical except for different random_seed files.

Will this work-around work for other versions of Linux that
use gpg2 and a pinentry?  I don't know. Is it a good idea to
have it set for no pass-phrase required to sign a file with
OpenPGP?  I don't think so.  It is NOT a good idea to do it
without at least three warnings before it accepts the change
and it being mandatory that you have to click / alter it to
do it that way in the pinentry. Why did it do a no-phrase
this time around and the first time it didn't do it that way?
Again I don't know but the last time I upgraded from 11.2 to
11.4. This time I installed 11.4 fresh. That may have made
the difference.

I am giving this in the hopes that if anybody else has a
similar no pass-phrase required problem that it will help
them.

I really don't like the pinentry way because I still haven't
figured out a work-around for encrypting files from an
xterm with my scripts.  Yes, I set both BASH ways of
keeping the history to no history in the scripts:

http://www.securemecca.com/public/GnuPG/

The pass-phrase is now required for signing.

Au Revoir
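In gpg2 the behaviour the post describes (a batch of files signed without a single pinentry prompt) is governed by gpg-agent's passphrase cache. This added shell example, not from the original post, audits a gpg-agent.conf for the cache directives that decide whether a signing passphrase is reused; default-cache-ttl, max-cache-ttl and ignore-cache-for-signing are real gpg-agent options, the 600 s / 7200 s fallbacks are the agent's own defaults, and the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a given
# gpg-agent.conf would cache a signing passphrase, so that repeated
# signing runs without going through pinentry. When a directive is
# absent the agent's built-in defaults apply (600 s and 7200 s).

# Print "cached" if signing passphrases would be reused from the cache,
# "prompt" if every signing operation would ask pinentry again.
audit_agent_conf() {
  conf="$1"
  # Drop comments and blank lines before inspecting directives.
  stripped=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
  # ignore-cache-for-signing bypasses the cache for all signing operations.
  if printf '%s\n' "$stripped" | grep -q '^[[:space:]]*ignore-cache-for-signing'; then
    echo prompt; return 0
  fi
  # Last occurrence wins, as with the agent itself.
  d=$(printf '%s\n' "$stripped" | awk '$1=="default-cache-ttl"{v=$2} END{print v}')
  m=$(printf '%s\n' "$stripped" | awk '$1=="max-cache-ttl"{v=$2} END{print v}')
  # A TTL of 0 disables caching outright; max-cache-ttl caps default-cache-ttl.
  if [ "${d:-600}" -eq 0 ] || [ "${m:-7200}" -eq 0 ]; then
    echo prompt
  else
    echo cached
  fi
}

# Constructed sample configs for the demonstration.
WEAK=$(mktemp); STRICT=$(mktemp)
trap 'rm -f "$WEAK" "$STRICT"' EXIT
cat > "$WEAK" <<'EOF'
# caches for a day: signing a batch of files asks once, then never again
default-cache-ttl 86400
max-cache-ttl 86400
EOF
cat > "$STRICT" <<'EOF'
# keep short caching for decryption but always prompt for signatures
default-cache-ttl 600
ignore-cache-for-signing
EOF

audit_agent_conf "$WEAK"    # prints: cached
audit_agent_conf "$STRICT"  # prints: prompt
```

Point it at ~/.gnupg/gpg-agent.conf to see which case a real system is in; an empty or missing file is the "cached" case because the defaults are non-zero.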
