NetBSD-Bugs archive


Re: lib/44075: libnetpgp: limit the number of passphrase prompts



On Tue, Nov 09, 2010 at 07:10:01PM +0000, roam%ringlet.net@localhost wrote:
> >Description:
> There ought to be a cap on the number of times the user may enter
> an invalid passphrase :)  Add to this the fact that netpgp cannot
> be aborted with ^C or ^Z...

Well, that's dependent on the platform - e.g.:

% netpgp -d c.gpg
netpgp: default key set to "C0596823"
signature  2048/RSA (Encrypt or Sign) 1b68dcfcc0596823 2004-01-12
Key fingerprint: d415 9deb 336d e4cc cdfa 00cd 1b68 dcfc c059 6823
uid              Alistair Crooks <alistair%hockley-crooks.com@localhost>
uid              Alistair Crooks <agc%pkgsrc.org@localhost>
uid              Alistair Crooks <agc%netbsd.org@localhost>
uid              Alistair Crooks <agc%alistaircrooks.com@localhost>
uid              Alistair Crooks (Yahoo!) <agcrooks%yahoo-inc.com@localhost>
encryption 2048/RSA (Encrypt or Sign) 79deb61e488eee74 2004-01-12
netpgp passphrase:

% uname -a
NetBSD osx-vm1.crowthorne.alistaircrooks.co.uk 5.99.26 NetBSD 5.99.26 (GENERIC) #0: Mon Apr  5 15:32:36 PDT 2010  agc%osx-vm1.crowthorne.alistaircrooks.co.uk@localhost:/usr/obj/i386/usr/src/sys/arch/i386/compile/GENERIC i386
%

I hit ^C at the passphrase prompt above.  This does not happen on
Linux (I tried RHEL, but sounds like other variants behave the same
way).

> >How-To-Repeat:
> Try to decrypt something, decide you don't want to do this just now,
> feel the need to switch to another terminal to 'killall netpgp' :)

I can understand this, but I don't like limiting it.

> >Fix:
> Apply the patch at:
> http://devel.ringlet.net/security/netpgp/patches/12-limit-passphrase.patch
> 
> (and yes, I'm aware that with this patch, netpgp --decrypt
> foo.txt.gpg with three wrong passphrase tries will generate an empty
> foo.txt; still trying to track this down)

Yeah, and to add to that I'm aware that gnupg limits the number of
attempts to enter the passphrase, as does ssh, and I really don't like
that.

Regards,
Alistair

