How about using the existing OpenSSH client's PKCS#11 support to isolate keying material in a dedicated process?

A similar approach, "Practical key privilege separation using Caml Crush", was discussed at FOSDEM'15 with a focus on Heartbleed [1][2], but the ideas and principles are the same.

Now this is easily done using the following available components:
- SoftHSM to store the crypto keys
- Caml-Crush server components load the SoftHSM middleware (access the keys) in a dedicated process
- SSH client loads Caml-Crush PKCS#11 middleware that connects to its daemon and allows it to sign the SSH exchange to authenticate

No patch needed.

Hope this helps,
Thomas

[1] https://archive.fosdem.org/2015/schedule/event/caml_crush/
[2] https://github.com/ANSSI-FR/caml-crush

On Fri, Jan 15, 2016 at 9:30 AM, Loganaden Velvindron <loganaden@xxxxxxxxx> wrote:
> On Thu, Jan 14, 2016 at 7:12 PM, Alexander Wuerstlein <arw@xxxxxxxxx> wrote:
>> Hello,
>>
>> in light of the recent CVE-2016-0777, I came up with the following idea,
>> that would have lessened its impact. Feel free to ignore or flame me,
>> maybe it's stupid or I missed something :)
>>
>
> Feel free to come up with a patch. In OpenSSH, it's a good idea to
> follow up with a patch :)
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev