<p>GPGTools Discussion: gpg-agent isn't quit upon logout</p>

<p>2012-03-19T23:10:45Z</p>
<div><p>Hey... Cool. This was my next question.</p></div>
<p>Posted by Rasputin</p>

<p>2012-03-20T00:16:59Z</p>
<div><p>Hi C,</p>
<p>we understand your concern but the problem is a bit more
complicated.<br>
Actually the problem starts with physical access to the machine or
even remote access to it.<br>
Let's assume someone with an admin account did indeed have access to your
machine; they could just as easily install a key logger which would
record your password the next time you enter it.<br>
We could kill the gpg-agent at logout but it wouldn't help that
cause.</p>
<p>If someone were to login to your computer from remote again,
while you're running a session, they could again simply use a sudo
command and possibly access the gpg-agent cache to decrypt your
file.</p>
<p>So, it's true, we could add a logout hook to OS X which killed
gpg-agent instances, but it wouldn't help security much.</p>
<p>The best way to go, if your files are that sensitive, is
setting the cache time of gpg-agent to 0 and keep your .gnupg
folder on a data-stick.</p></div>
<p>Posted by Luke Le</p>

<p>2012-03-20T00:46:31Z</p>
<div><p>I think this is a "we have done ALL we can do for your
security - the tag is your job" matter.</p>
<p>Simply duty-exercise without ifs, ands or buts :-)</p></div>
<p>Posted by Rasputin</p>

<p>2012-03-20T14:40:11Z</p>
<div><p>OK. I still think it should be built into GPGtools, but never
mind.</p>
<p>I've created a workaround that I'd like to share in this
discussion, followed by a question to the support staff.</p>
<p>The Workaround: create a LogoutHook that calls a shell script
that stops the agent. Create a script like this:</p>
<pre>
<code>#!/bin/bash
# Runs as root at logout; loginwindow passes the logging-out user's short
# name in $1, so only that user's gpg-agent processes are signalled.
killall -u "$1" gpg-agent</code>
</pre>
<p>In Apple's (deprecated) hooks, $1 is the user who initiated the
login/logout. We need that part lest it be the case
that "anybody's logout kills everybody's gpg-agent". Store that
script wherever you want, and do:</p>
<pre>
<code>sudo defaults write com.apple.loginwindow LogoutHook "/users/myusername/scriptlocation/script.sh"</code>
</pre>
<p>Now whenever anyone logs out, their agent goes away.</p>
<p>My question for the support staff is: is using killall a safe
way to stop the agent? Or does that wind up leaving cache files
lying around? Is there a better command to use?</p></div>
<p>Posted by C. Diza</p>

<p>2012-03-20T14:59:44Z</p>
<div><p>The workaround we've discussed looks exactly the same, so yes,
this works.</p></div>
<p>Posted by Luke Le</p>

<p>2012-03-23T20:39:54Z</p>
<div><p>I suddenly started seeing gpg-agent running for some of my
process daemon users (e.g., rabbitmq). Examining
org.gpgtools.macgpg2.gpg-agent.plist in /Library/LaunchAgents/, I
was confused to see LimitLoadToSessionType set to Background when I
would have sworn it had been set to Aqua.</p>
<p>Now I've learned that the MacGPG2 installer writes a
org.gpgtools.macgpg2.gpg-agent.plist with LimitLoadToSessionType
set to Background, and it is gpgtools-autofix.sh fixMacGPG2 which
has been re-setting this to Aqua in order to allow keychain support
in Lion.</p>
<p>With LimitLoadToSessionType set to Aqua, my gpg-agent seems to
be terminated when I logout.</p></div>
<p>Posted by cfraire</p>

<p>2012-04-04T19:24:56Z (updated 2012-04-10T22:20:09Z)</p>
<div><p>Ok, looks like we have a nice workaround for this problem.</p>
<p>This issue won't exist in MacGPG2 2.0.19 because 2.0.19 won't
use the launch agent.</p>
<p>So closing this discussion.</p>
<p>@Diza: Please open a new discussion should you have more
questions or re-open this one here, if you have sth you'd like to
add...</p>
<p>All the best :)<br>
steve</p></div>
<p>Posted by Steve</p>

<p>2012-04-09T16:48:56Z</p>
<div><p>@Steve: Uh, I'm confused. I'm using 2.0.18 and there is no
launch-agent being used. When I installed 2.0.18 it removed the
launch-agent that used to be there and didn't replace it with
anything; and yet I was still having the issue of gpg-agent not
dying at logout. In fact, it was my noticing that gpg-agent STILL
wouldn't die even after the launch-agent was removed that made me
irritated enough to start this thread.</p>
<p>So I don't think the issue is solved by the absence of
launch-agents.</p></div>
<p>Posted by C. Diza</p>

<p>2012-04-09T17:54:20Z</p>
<div><p>Hi c,</p>
<p>it's true this issue isn't resolved since we don't
necessarily consider it an issue, based upon the points
outlined in one of my previous posts.</p>
<p>2.0.19 does away with the launch agent since gpg starts
gpg-agent on demand.</p>
<p>Your best option is still the logout hook.</p></div>
<p>Posted by Luke Le</p>

<p>2012-04-12T16:09:46Z</p>
<div><p>The reason I was confused is that Steve seemed to suggest that
there would no longer be a need for my logouthook workaround once
2.0.19 comes out, for the reason that 2.0.19 does away with the
launchagent.</p>
<p>This confused me because 2.0.18 <em>already</em> did away with
the launchagent (at least it did on my machines), and yet I still
need the logouthook.</p>
<p>By "I don't think the issue is solved by the absence of
launch-agents", I simply meant "the absence of a launchagent does
not mean I no longer need the logouthook"---the latter is what I
thought Steve was saying...but I was wrong :)</p></div>
<p>Posted by C. Diza</p>

<p>2012-04-12T17:19:49Z</p>
<div><p>Diza, to be honest: It was a misunderstanding on my side. You
are perfectly right about this.</p></div>
<p>Posted by Steve</p>
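<p>A hardened version of the logout-hook script from C. Diza's post above, added here as an example; it is not code from the thread or from GPGTools, and the function names are my own. It checks that the username loginwindow passes in $1 is well formed before handing it to killall, so a malformed argument cannot widen the kill beyond the logging-out user's processes, sends TERM first so gpg-agent can shut down cleanly and remove its socket, and falls back to KILL only if the agent is still running after a short grace period.</p>

```shell
#!/bin/sh
# Hardened LogoutHook (added example, not GPGTools code). loginwindow runs
# the hook as root and passes the logging-out user's short name in $1.
# Function names are hypothetical.

# Accept only a plausible short username: non-empty, no whitespace or shell
# metacharacters, and not starting with "-" (killall would read it as an option).
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        -*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stop every gpg-agent owned by the given user. TERM lets the agent shut
# down cleanly and remove its socket; KILL is the fallback if it lingers.
stop_user_agent() {
    u=$1
    valid_username "$u" || { echo "refusing to act on username '$u'" >&2; return 1; }
    # killall fails when that user has no gpg-agent (or does not exist): nothing to do.
    killall -u "$u" -TERM gpg-agent 2>/dev/null || return 0
    i=0
    while [ "$i" -lt 5 ]; do
        pgrep -u "$u" -x gpg-agent >/dev/null 2>&1 || return 0
        sleep 1
        i=$((i + 1))
    done
    killall -u "$u" -KILL gpg-agent 2>/dev/null
    return 0
}

# Only act when loginwindow actually supplies a username.
if [ -n "${1:-}" ]; then
    stop_user_agent "$1"
fi
```

<p>gpg-agent keeps its passphrase cache in process memory only, so terminating the process is what discards it; the hook is installed with the same defaults write command shown earlier in the thread.</p>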