Bug 588080

Summary:	need option to throw away key materials after some time
Product:	[Fedora] Fedora	Reporter:	Frank Ch. Eigler <fche>
Component:	gnome-keyring	Assignee:	Matthias Clasen <mclasen>
Status:	NEW ---	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	low	Docs Contact:
Priority:	low
Version:	rawhide	CC:	craig, walters
Target Milestone:	---	Keywords:	FutureFeature
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Enhancement
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Frank Ch. Eigler 2010-05-02 14:58:26 UTC

There appears to be no preference available for gnome-keyring-daemon
to have it destroy unlocked key materials such as ssh private keys after a 
certain period of elapsed or idle time.  It would be nice if, like sudo,
such unlocked keys were optionally time-limited.  See ssh-agent -t LIFETIME.

Comment 1 Tomáš Bžatek 2010-05-03 13:54:06 UTC

Filed upstream: https://bugzilla.gnome.org/show_bug.cgi?id=617527

Comment 2 Fedora Admin XMLRPC Client 2013-05-08 22:41:21 UTC

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 3 Craig Ringer 2015-03-25 07:59:20 UTC

In particular, it really needs a way to clear key material when the machine is suspended.

There's nothing like discovering that GNOME has taken it upon its self to cache your PGP private key in memory while the machine is asleep, so you go to decrypt some sensitive financial information and wham, it just spits it out on the console with no password prompt.

That was the point when I went into "burn it with fire" mode with gnome-keyring. This is a horrendous security bug.

(Worse, if you check the option to remember the key, it's not easy to then *unremember* it later).

To disable GNOME keyring daemon's ssh and gpg support in today's GNOME flavour (3.14):

* Add 'Hidden=true' to the ssh and gpg files for gnome-keyring-daemon in /etc/xdg/autostart/

* Create /etc/X11/xinit/xinitrc.d/ssh-agent.sh conaining:

#!/bin/bash
eval `ssh-agent`

* chmod a+x /etc/X11/xinit/xinitrc.d/ssh-agent.sh

* Log out, log in, breathe sigh of relief.

Comment 4 Craig Ringer 2015-03-25 08:12:51 UTC

See also #1205552

Comment 5 Matthias Clasen 2015-03-25 12:28:43 UTC

(In reply to Craig Ringer from comment #3)
 
> * Log out, log in, breathe sigh of relief.

Glad you feel better :-)

In the meantime, I suggest following the upstream bug wrt to progress in this area.