commit cbc170049d08e28942a2afaf119a292df75df4a4
parent b454895add2196407110e0935ec2f70b1ba9a427
Author: pyratebeard <root@pyratebeard.net>
Date: Thu, 9 Mar 2023 18:59:04 +0000
ttl_soup
Diffstat:
1 file changed, 39 insertions(+), 0 deletions(-)
diff --git a/entry/ttl_soup.md b/entry/ttl_soup.md
@@ -0,0 +1,39 @@
+After switching to using [gpg for my ssh key](20221202-secret_agent_man.html){target="_blank" rel="noreferrer"} I have found one particular issue that started to bug me.
+
+As part of my workflow when I open a terminal and my gpg passphrase TTL has expired I will be prompted to re-enter it. This works well, and I have set the default cache TTL to 28800 seconds which is about 8 hours, roughly a work day.
+
+When I started using gpg-agent for ssh I noticed that this setting was not observed for the ssh key. After a brief investigation I discovered that adding a value after the keygrip in ~/.gnupg/sshcontrol, as noted in the `gpg-agent` man page.
+
+> An entry starts with optional whitespace, followed by the keygrip of the key given as 40 hex digits, optionally followed by the caching TTL in seconds and another optional field for arbitrary flags. A non-zero TTL overrides the global default as set by --default-cache-ttl-ssh.
+
+In my ~/.gnupg/sshcontrol file I put `28800` after the keygrip and restart the agent. This did not appear to have the desired effect.
+
+Eventually I found the time to do a bit more digging. First I checked the ssh ttl options that `gpg-agent` had picked up, to do this incant
+```
+gpgconf --list-options gpg-agent | grep cache-ttl-ssh
+```
+
+I was looking to see if the default settings had been overridden
+```
+default-cache-ttl-ssh:24:1:expire SSH keys after N seconds:3:3:N:1800::
+max-cache-ttl-ssh:24:2:set maximum SSH key lifetime to N seconds:3:3:N:7200::
+```
+
+Looking at the output I can see there is no value in the last field so the default has not been overridden.
+
+By adding the following options to ~/.gnupg/gpg-agent I was able to set the value
+```
+default-cache-ttl-ssh 28800
+max-cache-ttl-ssh 28800
+```
+
+After restarting `gpg-agent` I checked the values and this time it looked good
+```
+ ──── ─ gpgconf --list-options gpg-agent | grep cache-ttl-ssh ~/.default-cache-ttl-ssh:24:1:expire SSH keys after N seconds:3:3:N:1800::28800
+max-cache-ttl-ssh:24:2:set maximum SSH key lifetime to N seconds:3:3:N:7200::28800
+```
+
+This means that now my ssh key passphrase is cached for the duration of the work day.
+
+Now before some of you start shouting that this is not a good idea, I have a script that runs when I lock my screen which kills gpg-agent. This means that if I leave my desk the cached passphrases are dropped. When I return and either open a new terminal or run a command which uses my gpg or ssh keys I will be prompted to re-enter the passphrase. I had decided to set the TTL to 8 hours so that while I am working for long continuous periods I don't need to worry about having to re-enter my passphrase, I am pretty lazy after all.
+