
Mailing List Archive: GnuPG: users

How do I flush a bad symmetric password from gpg-agent?

 

 



dougb at dougbarton

Aug 18, 2009, 11:28 AM

Post #1 of 5 (3531 views)
How do I flush a bad symmetric password from gpg-agent?


I run gpg-agent with the ssh option in my .xsession file so that all
the child processes inherit the environment. This is needed mostly for
the ssh portion of course, since I could update the gpg part of the
agent stuff in .bashrc if I wanted to (although I do not do that now).
This has been working well for me for a long time.

Today I mis-typed a passphrase for a symmetrically encrypted file and
was surprised to discover that gpg-agent had stored the bad passphrase
and would not let me access the file. I have occasionally in the past
mistyped my passphrase for one of my secret keys or an ssh key and
gpg-agent just reprompts for a valid one.

Looking through the man page I don't see any way to flush the bad
password from the agent. Killing and restarting works of course, but
then I'm in bad shape on the ssh side. I could restart my window
manager session, but that sounds like a microsoft solution, not to
mention having to restart apps, etc.

So is this a bug in the agent? Is there a way to flush passwords that
I'm missing? Another solution?


Thanks,

Doug

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users


wk at gnupg

Aug 19, 2009, 12:20 AM

Post #2 of 5 (3453 views)
Re: How do I flush a bad symmetric password from gpg-agent?

On Tue, 18 Aug 2009 20:28, dougb [at] dougbarton said:

> Today I mis-typed a passphrase for a symmetrically encrypted file and
> was surprised to discover that gpg-agent had stored the bad passphrase
> and would not let me access the file. I have occasionally in the past

This is a new and probably not too well tested feature. I'll check why
this is going wrong.

> Looking through the man page I don't see any way to flush the bad
> password from the agent. Killing and restarting works of course, but

That is pretty easy: Give the gpg-agent a HUP ("pkill -HUP gpg-agent")
or better use "gpgconf --reload gpg-agent" which basically does the
same.


SIGHUP

This signal flushes all cached passphrases and if the program has
been started with a configuration file, the configuration file is
read again. Only certain options are honored: quiet, verbose,
debug, debug-all, debug-level, no-grab, pinentry-program,
default-cache-ttl, max-cache-ttl, ignore-cache-for-signing,
allow-mark-trusted and disable-scdaemon. scdaemon-program is also
supported but due to the current implementation, which calls the
scdaemon only once, it is not of much use unless you manually kill
the scdaemon.



Salam-Shalom,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.




dougb at dougbarton

Aug 19, 2009, 12:32 PM

Post #3 of 5 (3440 views)
Re: How do I flush a bad symmetric password from gpg-agent?

Werner Koch wrote:
> On Tue, 18 Aug 2009 20:28, dougb [at] dougbarton said:
>
>> Today I mis-typed a passphrase for a symmetrically encrypted file and
>> was surprised to discover that gpg-agent had stored the bad passphrase
>> and would not let me access the file. I have occasionally in the past
>
> This is a new and probably not too well tested feature. I'll check why
> this is going wrong.

Fair enough, thanks.

>> Looking through the man page I don't see any way to flush the bad
>> password from the agent. Killing and restarting works of course, but
>
> That is pretty easy: Give the gpg-agent a HUP ("pkill -HUP gpg-agent")
> or better use "gpgconf --reload gpg-agent" which basically does the
> same.
>
>
> SIGHUP
>
> This signal flushes all cached passphrases

Ok, now I'm really embarrassed. I thought sure I had read the whole
gpg-agent man page AND searched for the word "flush" but obviously I
was wrong on both counts. :-/


Thanks again,

Doug



ueno at unixuser

Aug 19, 2009, 6:15 PM

Post #4 of 5 (3449 views)
Re: How do I flush a bad symmetric password from gpg-agent?

>>>>> In <4A8C5344.4060701__17863.5451746688$1250713354$gmane$org [at] dougbarton>
>>>>> Doug Barton <dougb [at] dougbarton> wrote:
> >> Today I mis-typed a passphrase for a symmetrically encrypted file and
> >> was surprised to discover that gpg-agent had stored the bad passphrase
> >> and would not let me access the file. I have occasionally in the past
> >
> > This is a new and probably not too well tested feature. I'll check why
> > this is going wrong.

> Fair enough, thanks.

That's my fault, sorry. The attached patch should fix the problem.
Could you try it?

2009-08-20 Daiki Ueno <ueno [at] unixuser>

* mainproc.c (proc_encrypted): Clear passphrase cached with S2K
cache ID if decryption failed.
* passphrase.c (passphrase_to_dek_ext): Set dek->s2k_cacheid.
* gpgv.c (passphrase_clear_cache): New stub.
Attachments: clear-symmetric-passphrase.diff (2.70 KB)
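
The failure mode discussed in this thread, as a simplified C model added to this archive page (it is not part of the original post and not GnuPG's code; every function name, the cache layout and the cache ID string are hypothetical). A passphrase is cached under a cache ID before it has been verified, so a typo is replayed on every later attempt unless the entry is cleared when decryption fails.

```c
/* Added illustration: a toy passphrase cache, NOT GnuPG source. */
#include <stdio.h>
#include <string.h>

#define SLOTS 4
struct entry { char id[32]; char pw[64]; int used; };
static struct entry cache[SLOTS];

static struct entry *cache_find(const char *id) {
    for (int i = 0; i < SLOTS; i++)
        if (cache[i].used && strcmp(cache[i].id, id) == 0) return &cache[i];
    return NULL;
}

static void cache_put(const char *id, const char *pw) {
    for (int i = 0; i < SLOTS; i++)
        if (!cache[i].used) {
            snprintf(cache[i].id, sizeof cache[i].id, "%s", id);
            snprintf(cache[i].pw, sizeof cache[i].pw, "%s", pw);
            cache[i].used = 1;
            return;
        }
}

static void cache_clear(const char *id) {
    struct entry *e = cache_find(id);
    if (e) memset(e, 0, sizeof *e);  /* drop the secret together with the slot */
}

/* One decryption attempt. `typed` is what the user enters if prompted;
   comparing against `correct` stands in for the real decryption check.
   Returns 1 on success, 0 on failure. */
static int try_decrypt(const char *id, const char *correct, const char *typed,
                       int clear_on_failure) {
    struct entry *e = cache_find(id);
    const char *pw = e ? e->pw : typed;   /* a cache hit means no prompt */
    if (!e) cache_put(id, typed);         /* cached before it is verified */
    if (strcmp(pw, correct) == 0) return 1;
    if (clear_on_failure) cache_clear(id);
    return 0;
}

/* Typo on the first attempt, correct passphrase ready for the second. */
static int second_attempt_succeeds(int clear_on_failure) {
    const char *id = "S-CONSTRUCTED-ID";  /* constructed sample cache ID */
    memset(cache, 0, sizeof cache);
    try_decrypt(id, "correct horse", "corect horse", clear_on_failure);
    return try_decrypt(id, "correct horse", "correct horse", clear_on_failure);
}

int main(void) {
    printf("without clearing: %d\n", second_attempt_succeeds(0));
    printf("with clearing:    %d\n", second_attempt_succeeds(1));
    return 0;
}
```

Without clearing, the second attempt never reaches the prompt and fails on the stale entry, which is the state that otherwise needs a SIGHUP or "gpgconf --reload gpg-agent" to escape.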


dougb at dougbarton

Aug 20, 2009, 10:12 PM

Post #5 of 5 (3429 views)
Re: How do I flush a bad symmetric password from gpg-agent?

Daiki Ueno wrote:
>>>>>> In <4A8C5344.4060701__17863.5451746688$1250713354$gmane$org [at] dougbarton>
>>>>>> Doug Barton <dougb [at] dougbarton> wrote:
>>>> Today I mis-typed a passphrase for a symmetrically encrypted file and
>>>> was surprised to discover that gpg-agent had stored the bad passphrase
>>>> and would not let me access the file. I have occasionally in the past
>>> This is a new and probably not too well tested feature. I'll check why
>>> this is going wrong.
>
>> Fair enough, thanks.
>
> That's my fault, sorry. The attached patch should fix the problem.
> Could you try it?

Thanks! This produces the following output with the wrong passphrase:

gpg --decrypt file.gpg
[...]
gpg: DBG: cleared passphrase cached with ID: ABCD1234567890
gpg: decryption failed: Bad session key

Then when I try to decrypt the file again I get reprompted for the
passphrase which is a huge improvement. If I had the chance to choose
I would prefer the same sort of UI as the private key or ssh key uses
when the wrong passphrase is entered (e.g., "Invalid passphrase;
please try again") but the change in your patch is definitely a huge
improvement.


Thanks again,

Doug
