Package: gnupg-agent
Version: 2.0.4-1
Severity: important

Hi!

I use gpg-agent as an ssh caching agent. I unfortunately found a bug here.

Situation: Machine A and Machine B - user U has different keys on both machines. Set up with agent forwarding and such stuff.

When U hasn't logged in from A to B, everything works as expected. The user is prompted for the passphrase for the key installed on the machine in the user's home dir on that machine.

But but but. If the user logs in from machine A to machine B - does something and logs out - then on machine B the user is asked for passphrases for the key on machine A. Entering the correct passphrase for the key on machine A makes the user on machine B log in everywhere the user on machine A has access.

This should be impossible, but somehow the two sessions mix up.

If the user on machine B kills gpg-agent, logs out, logs back in - the user on machine B does still have access to the key on machine A. A reboot is needed to clear this.

(Maybe this issue is actually grave - user security hole)

/Sune

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (200, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.20-1-vserver-k7 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnupg-agent depends on:
ii  libc6                    2.5-10    GNU C Library: Shared libraries
ii  libgcrypt11              1.2.4-2   LGPL Crypto library - runtime libr
ii  libgpg-error0            1.4-2     library for common error values an
ii  libpth20                 2.0.7-8   The GNU Portable Threads

Versions of packages gnupg-agent recommends:
ii  gnupg                    1.4.6-2   GNU privacy guard - a free PGP rep
ii  gnupg2                   2.0.4-1   GNU privacy guard - a free PGP rep
ii  gpgsm                    2.0.4-1   GNU privacy guard - S/MIME version
ii  pinentry-qt [pinentry]   0.7.2-3   Qt-based PIN or pass-phrase entry

-- debconf-show failed