Red Hat Bugzilla – Bug 588080
need option to throw away key materials after some time
Last modified: 2015-03-25 08:28:43 EDT
There appears to be no preference available for gnome-keyring-daemon
to have it destroy unlocked key materials such as ssh private keys after a
certain period of elapsed or idle time. It would be nice if, like sudo,
such unlocked keys were optionally time-limited. See ssh-agent -t LIFETIME.
Filed upstream: https://bugzilla.gnome.org/show_bug.cgi?id=617527
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
In particular, it really needs a way to clear key material when the machine is suspended.
There's nothing like discovering that GNOME has taken it upon itself to cache your PGP private key in memory while the machine is asleep, so you go to decrypt some sensitive financial information and wham, it just spits it out on the console with no password prompt.
That was the point when I went into "burn it with fire" mode with gnome-keyring. This is a horrendous security bug.
(Worse, if you check the option to remember the key, it's not easy to then *unremember* it later).
To disable GNOME keyring daemon's ssh and gpg support in today's GNOME flavour (3.14):
* Add 'Hidden=true' to the ssh and gpg files for gnome-keyring-daemon in /etc/xdg/autostart/
* Create /etc/X11/xinit/xinitrc.d/ssh-agent.sh containing:
* chmod a+x /etc/X11/xinit/xinitrc.d/ssh-agent.sh
* Log out, log in, breathe sigh of relief.
See also #1205552
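The procedure in comment #3, as an added example that is not Craig Ringer's script and not part of gnome-keyring: a POSIX shell script that hides the gnome-keyring ssh and gpg autostart entries through per-user XDG overrides (a same-named .desktop file in ~/.config/autostart with Hidden=true takes precedence over the copy in /etc/xdg/autostart, so the system files need not be edited) and starts an ssh-agent with a key lifetime, which is the sudo-like expiry the report asks for. The entry names gnome-keyring-ssh and gnome-keyring-gpg, the override directory and the 30m default lifetime are assumptions; check the actual file names in /etc/xdg/autostart on the target system.

```shell
#!/bin/sh
# Added example, not from the bug report or from gnome-keyring.
# Assumptions: the autostart entries are named gnome-keyring-ssh.desktop
# and gnome-keyring-gpg.desktop (check /etc/xdg/autostart); overrides go
# to ~/.config/autostart; the default key lifetime is 30 minutes.

# Write a user-level autostart override that hides the named entry.
# Prints the path of the override file.
disable_autostart() {
    dir="$1"; name="$2"
    mkdir -p "$dir"
    printf '[Desktop Entry]\nType=Application\nName=%s (disabled)\nHidden=true\n' \
        "$name" > "$dir/$name.desktop"
    echo "$dir/$name.desktop"
}

# Succeeds if the override for the named entry carries Hidden=true.
autostart_hidden() {
    grep -qx 'Hidden=true' "$1/$2.desktop"
}

# Build the agent invocation: -t LIFETIME makes the agent forget every
# identity LIFETIME after it was added (e.g. 30m, 2h), instead of holding
# unlocked key material for the whole session.
agent_cmd() {
    lifetime="${1:-30m}"
    echo "ssh-agent -t $lifetime"
}

# Start an agent with the given lifetime unless a usable one is already
# reachable through SSH_AUTH_SOCK; exports SSH_AUTH_SOCK and SSH_AGENT_PID.
start_agent() {
    lifetime="${1:-30m}"
    if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "$SSH_AUTH_SOCK" ]; then
        eval "$(ssh-agent -s -t "$lifetime")" > /dev/null
    fi
}

# Drop every identity from the running agent; suitable for a suspend hook
# so that no unlocked key survives the machine sleeping (assumed usage).
flush_agent() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && ssh-add -D
}

# Apply the overrides and start the agent only when invoked with "install",
# so that sourcing this file merely defines the functions.
case "${1:-}" in
    install)
        for entry in gnome-keyring-ssh gnome-keyring-gpg; do
            disable_autostart "$HOME/.config/autostart" "$entry"
        done
        start_agent "${2:-30m}"
        ;;
esac
```

Log out and back in after running it with install; `ssh-add -l` then shows identities disappearing once their lifetime has elapsed, and `ssh-add -D` (flush_agent) empties the agent on demand.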
(In reply to Craig Ringer from comment #3)
> * Log out, log in, breathe sigh of relief.
Glad you feel better :-)
In the meantime, I suggest following the upstream bug wrt progress in this area.