On Thu, Jan 28, 2016 at 11:43 AM, Christopher
<ctubbsii-fedora(a)apache.org> wrote:
> To be honest, I thought there'd be more interest in this topic by now,
> considering Gnome Keyring stores so many things now in the Logon keyring by
> default:
> Bugzilla credentials for ABRT,
> Chrome synced passwords,
> Firefox site passwords,
> GPG private keys,
> gpg-agent passphrases,
> SSH private key passphrases,
> etc.
> And these can be accessed without any user notification or interaction by
> any process run by the user by making simple Gnome library calls, unless the
> user explicitly locks it between uses as a manual process, and even then it
> won't keep out a persistent script which grabs what it wants during an open
> window when the keyring is unlocked (it doesn't appear there's an atomic
> "unlock for this key only, then relock" option).
I don't trust any of the web browser implementations right now.
The private keys need to be locked (e.g. ssh-add -D) upon either a
suspend/hibernate, or the screen lock timer being reached.
Maybe I'm missing something, but at the moment if I ssh@server, type
the key passphrase, log out of the server, forget to ssh-add -D, put
the laptop to sleep with sudo systemctl suspend, anyone can come up to
my laptop, hit a key, and they get to the desktop and can ssh into the
server, all without a password. No lock screen after wake from
suspend. And no timeout or expiration for the ssh key.
I can't be the only one interested in finding out how to secure
these things in Fedora.
It's probably just that lately it seems anything security related is
like that sick eye doctor's refrigerator full of amazing food in
Minority Report.
--
Chris Murphy
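As an added example (not code from the thread or from Fedora), a small POSIX shell watcher that does what the reply asks for: it listens on the system bus for logind's PrepareForSleep signal and on the session bus for the GNOME screensaver's ActiveChanged signal, and on either one runs ssh-add -D and locks the login keyring through the Secret Service D-Bus API. It assumes dbus-monitor, dbus-send and ssh-add are installed, that SSH_AUTH_SOCK points at the user's agent, and that the default collection lives at the usual /org/freedesktop/secrets/collection/login path; start it from the session with `sh watch-secrets.sh run`.

```shell
#!/bin/sh
# Added example, not from the thread: purge ssh-agent keys and lock the
# GNOME login keyring whenever the screen locks or the machine suspends.
# Assumes dbus-monitor, dbus-send and ssh-add exist and SSH_AUTH_SOCK is set.

# dbus-monitor prints a signal header on one line and the boolean argument
# on the next, so the caller must remember the last header it saw.
# Echo "sleep" or "lock" for the two headers we care about, nothing otherwise.
classify_header() {
    case "$1" in
        *"interface=org.freedesktop.login1.Manager; member=PrepareForSleep"*) echo sleep ;;
        *"interface=org.gnome.ScreenSaver; member=ActiveChanged"*) echo lock ;;
        *) ;;
    esac
}

# A (header, argument) pair purges only when the argument is "boolean true":
# PrepareForSleep false is the resume signal and ActiveChanged false is unlock.
should_purge() {
    kind=$(classify_header "$1")
    [ -n "$kind" ] || return 1
    case "$2" in
        *"boolean true"*) return 0 ;;
        *) return 1 ;;
    esac
}

purge_secrets() {
    ssh-add -D
    # Lock the "login" collection via org.freedesktop.Secret.Service.Lock.
    dbus-send --session --print-reply --dest=org.freedesktop.secrets \
        /org/freedesktop/secrets org.freedesktop.Secret.Service.Lock \
        array:objpath:/org/freedesktop/secrets/collection/login >/dev/null
}

# Read merged dbus-monitor output line by line and act on header/argument pairs.
watch_bus() {
    last=""
    while IFS= read -r line; do
        case "$line" in
            signal*) last=$line ;;
            *) if should_purge "$last" "$line"; then purge_secrets; fi; last="" ;;
        esac
    done
}

main() {
    # Suspend comes from the system bus, screen lock from the session bus.
    { dbus-monitor --system "interface='org.freedesktop.login1.Manager',member='PrepareForSleep'" &
      dbus-monitor --session "interface='org.gnome.ScreenSaver',member='ActiveChanged'" &
      wait; } | watch_bus
}

if [ "${1:-}" = "run" ]; then main; fi
```

This narrows the unlocked window to the interval between unlocking a key and the next lock or suspend; it does not stop a process that reads the keyring while it is open, which is the gap the quoted message describes.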