On Thu, Jan 28, 2016 at 11:43 AM, Christopher <ctubbsii-fedora@xxxxxxxxxx> wrote:
> To be honest, I thought there'd be more interest in this topic by now,
> considering Gnome Keyring stores so many things now in the Logon keyring by
> default:
> Bugzilla credentials for ABRT,
> Chrome sync'd passwords,
> Firefox site passwords,
> GPG private keys,
> gpg-agent passphrases,
> SSH private key passphrases,
> etc.
> And these can be accessed without any user notification or interaction by
> any process run by the user by making simple Gnome library calls, unless the
> user explicitly locks it between uses as a manual process, and even then it
> won't keep out a persistent script which grabs what it wants during an open
> window when the keyring is unlocked (it doesn't appear there's an atomic
> "unlock for this key only, then relock" option).

I don't trust any of the web browser implementations right now.

The private keys need to be locked (e.g. ssh-add -D) upon either a
suspend/hibernate, or the screen lock timer being reached. Maybe I'm missing
something, but at the moment if I ssh@server, type the key passphrase, log out
of the server, forget to ssh-add -D, put the laptop to sleep with sudo systemctl
suspend, anyone can come up to my laptop, hit a key, and they get to the
desktop and can ssh into the server, all without a password. No lock screen
after wake from suspend. And no timeout or expiration for the ssh key.

> I can't be the only one interested in finding out how to secure these things
> in Fedora.

It's probably just that lately it seems anything security related is like that
sick eye doctor's refrigerator full of amazing food in Minority Report.

--
Chris Murphy
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
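The suspend/hibernate half of what Chris asks for, added here as an example and not code from the thread or from Fedora: a systemd-sleep(8) hook that runs ssh-add -D against every reachable agent before the machine sleeps, so forgotten identities are gone by the time the laptop wakes. It assumes the agent sockets live at /run/user/<uid>/keyring/ssh (gnome-keyring) or /run/user/<uid>/ssh-agent.socket and that setpriv from util-linux is installed; the screen-lock timer case would need a separate hook.

```shell
#!/bin/sh
# Added example: flush ssh-agent identities before suspend/hibernate.
# Install as /usr/lib/systemd/system-sleep/flush-ssh-agent (mode 0755).
# systemd invokes sleep hooks as root with $1 = pre|post and
# $2 = suspend|hibernate|hybrid-sleep, so keys are dropped before sleep.

# Only the "pre" phase of a real sleep transition should flush keys.
should_flush() {
    case "$1/$2" in
        pre/suspend|pre/hibernate|pre/hybrid-sleep) return 0 ;;
        *) return 1 ;;
    esac
}

# Candidate agent sockets under one user's runtime directory
# (assumed locations: gnome-keyring's ssh component, then a plain ssh-agent).
agent_sockets() {
    printf '%s\n' "$1/keyring/ssh" "$1/ssh-agent.socket"
}

# Walk every logged-in user's runtime dir and empty each live agent.
# ssh-add is run as the socket owner (setpriv, util-linux) because agents
# refuse connections from other uids.
flush_agents() {
    for uid_dir in /run/user/*; do
        [ -d "$uid_dir" ] || continue
        uid=$(basename "$uid_dir")
        agent_sockets "$uid_dir" | while read -r sock; do
            [ -S "$sock" ] || continue
            SSH_AUTH_SOCK="$sock" setpriv --reuid="$uid" --regid="$uid" \
                --clear-groups ssh-add -D 2>/dev/null \
                && logger -t flush-ssh-agent "flushed identities for uid $uid"
        done
    done
}

# Entry point when systemd calls the hook; a bare run with no args does nothing.
if [ "$#" -eq 2 ]; then
    if should_flush "$1" "$2"; then
        flush_agents
    fi
fi
```

Verify with `ssh-add -l` after a wake-up: it should report that the agent has no identities.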