NetBSD-Bugs archive


Re: lib/44075: libnetpgp: limit the number of passphrase prompts



The following reply was made to PR lib/44075; it has been noted by GNATS.

From: Alistair Crooks <agc%pkgsrc.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: lib-bug-people%NetBSD.org@localhost, gnats-admin%NetBSD.org@localhost, netbsd-bugs%NetBSD.org@localhost
Subject: Re: lib/44075: libnetpgp: limit the number of passphrase prompts
Date: Wed, 10 Nov 2010 07:22:24 +0100

 On Tue, Nov 09, 2010 at 07:10:01PM +0000, roam%ringlet.net@localhost wrote:
 > >Description:
 > There ought to be a cap on the number of times the user may enter
 > an invalid passphrase :)  Add to this the fact that netpgp cannot
 > be aborted with ^C or ^Z...
 
 Well, that's dependent on the platform - e.g.:
 
 % netpgp -d c.gpg
 netpgp: default key set to "C0596823"
 signature  2048/RSA (Encrypt or Sign) 1b68dcfcc0596823 2004-01-12
 Key fingerprint: d415 9deb 336d e4cc cdfa 00cd 1b68 dcfc c059 6823
 uid              Alistair Crooks <alistair%hockley-crooks.com@localhost>
 uid              Alistair Crooks <agc%pkgsrc.org@localhost>
 uid              Alistair Crooks <agc%netbsd.org@localhost>
 uid              Alistair Crooks <agc%alistaircrooks.com@localhost>
 uid              Alistair Crooks (Yahoo!) <agcrooks%yahoo-inc.com@localhost>
 encryption 2048/RSA (Encrypt or Sign) 79deb61e488eee74 2004-01-12
 netpgp passphrase:
 
 % uname -a
 NetBSD osx-vm1.crowthorne.alistaircrooks.co.uk 5.99.26 NetBSD 5.99.26 (GENERIC) #0: Mon Apr  5 15:32:36 PDT 2010  agc%osx-vm1.crowthorne.alistaircrooks.co.uk@localhost:/usr/obj/i386/usr/src/sys/arch/i386/compile/GENERIC i386
 %
 
 I hit ^C at the passphrase prompt above.  This does not happen on
 Linux (I tried RHEL, but sounds like other variants behave the same
 way).
 
 > >How-To-Repeat:
 > Try to decrypt something, decide you don't want to do this just now,
 > feel the need to switch to another terminal to 'killall netpgp' :)
 
 I can understand this, but I don't like limiting it.
 
 > >Fix:
 > Apply the patch at:
 > http://devel.ringlet.net/security/netpgp/patches/12-limit-passphrase.patch
 > 
 > (and yes, I'm aware that with this patch, netpgp --decrypt
 > foo.txt.gpg with three wrong passphrase tries will generate an empty
 > foo.txt; still trying to track this down)
 
 Yeah, and to add to that I'm aware that gnupg limits the number of
 attempts to enter the passphrase, as does ssh, and I really don't like
 that.
 
 Regards,
 Alistair
 

