On Thursday, December 5, 2019 5:53:18 AM MST Nico Kadel-Garcia wrote: > On Wed, Dec 4, 2019 at 9:24 PM John M. Harris Jr <johnmh@xxxxxxxxxxxxx> > wrote: > > > > > > On Wednesday, December 4, 2019 6:02:07 PM MST Kevin Kofler wrote: > > > > > John M. Harris Jr wrote: > > > > > > > > > > > > > Well, you could theoretically use ssh-agent (or equivalent), without > > > > changing the protocol in any way. > > > > > > > > > > > > > > > You need protocol support to do this securely. Otherwise, your ssh-agent > > > is > > > > > a decryption oracle which can be used by an attacker to decrypt your > > > LUKS > > > > > > keyfile on demand. The decryption should only be possible as part of > > > the > > > login process after the server fingerprint has been verified and before > > > arbitrary application data can be sent. > > > > > > > > Oh, of course after fingerprint verification. Luckily, that can be > > accomplished by forcing a fake shell which would run a check to see if > > the > > home directory is already mounted. If it's not, it'd use the ssh agent, > > or > > equivalent, then execute the real shell. If it's already mounted, short > > circuit to the last step, executing the real shell. > > > Let's not go too far down the "gummy fingerprint" thread. If a > sophisticated person has your laptop, they probably have your > fingerprints, and very few fingerprint scanners successfully resist a > duplicated and printed fingerprint. We were talking about ssh key fingerprints. I would never suggest fingerprint scanners as a form of security. -- John M. Harris, Jr. Splentity _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
