On 2016-01-15T11:23, Thomas Calderon <calderon.thomas@xxxxxxxxx> wrote:
> How about using the existing OpenSSH client's PKCS#11 support to
> isolate keying material in a dedicated process?
>
> A similar approach, "Practical key privilege separation using Caml
> Crush", was discussed at FOSDEM'15 with a focus on
> Heartbleed [1][2] but the ideas and principles are the same.
>
> Now this is easily done using the following available components:
> - SoftHSM to store the crypto keys
> - Caml-Crush server components load the SoftHSM middleware (access
>   the keys) in a dedicated process
> - SSH client loads Caml-Crush PKCS#11 middleware that connects to
>   its daemon and allows to sign SSH exchange to authenticate
>
> No patch needed.

Well, yes, that could of course work, but there is already an easier, existing and included-in-OpenSSH solution that does separate keying material: ssh-agent. My proposal was just to automate spawning it, thereby making things transparent and easy for users.

The solution you describe sounds[1] a bit more complicated than even the current state of manually starting ssh-agent and ssh-add-ing all keys.

Ciao,

Alexander Wuerstlein.

[1] I may be wrong there, of course