Re: Proposal: always handle keys in separate process

OpenSSH already has an agent protocol that is much simpler than
this whole PKCS#11 thing and already has both sides implemented. I could
see an OpenSSH client starting an ephemeral ssh-agent that will do the
key handling.

Implicit identities could be removed from the default configuration,
too. Most users already have an agent and aren't aware it exists, and
having to type the passphrase every time encourages users to have
unencrypted keys.

Aris

On 15/01/16 11:22, Thomas Calderon wrote:
> How about using the existing OpenSSH client's PKCS#11 support to
> isolate keying material in a dedicated process?
>
> A similar approach, "Practical key privilege separation using Caml
> Crush", was discussed at FOSDEM'15 with a focus on
> Heartbleed [1][2], but the ideas and principles are the same.
>
> Now this is easily done using the following available components:
>   - SoftHSM to store the crypto keys
>   - Caml-Crush server components load the SoftHSM middleware (access
> the keys) in a dedicated process
>   - SSH client loads the Caml-Crush PKCS#11 middleware that connects to
> its daemon and allows it to sign the SSH exchange to authenticate
>
> No patch needed.
>
> Hope this helps,
>
> Thomas
>
> [1] https://archive.fosdem.org/2015/schedule/event/caml_crush/
> [2] https://github.com/ANSSI-FR/caml-crush
>
>
> On Fri, Jan 15, 2016 at 9:30 AM, Loganaden Velvindron
> <loganaden@xxxxxxxxx> wrote:
>> On Thu, Jan 14, 2016 at 7:12 PM, Alexander Wuerstlein <arw@xxxxxxxxx> wrote:
>>> Hello,
>>>
>>> in light of the recent CVE-2016-0777, I came up with the following idea,
>>> that would have lessened its impact. Feel free to ignore or flame me,
>>> maybe it's stupid or I missed something :)
>>>
>> Feel free to come up with a patch. In OpenSSH, it's a good idea to
>> follow up with a patch :)
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev@xxxxxxxxxxx
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>


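To make concrete what Aris means by the agent protocol being simple (and why it already gives the isolation the thread is after: the client only ever sends "sign this" and gets a signature back, the private key stays in the agent process), here is a minimal client for that protocol. This is an added example for this thread, not code from OpenSSH or from any poster. The message type numbers and the `uint32 length || byte type || payload` framing are the ones documented in OpenSSH's PROTOCOL.agent; the socket path is assumed to come from `SSH_AUTH_SOCK`, and the sample identities reply at the bottom is constructed by hand so the parser can be exercised without a running agent.

```python
"""Minimal ssh-agent protocol client (added example, not OpenSSH code).

Framing per OpenSSH PROTOCOL.agent: uint32 length || byte type || payload;
every string/blob inside is uint32 length-prefixed, big-endian.
"""
import os
import socket
import struct

# Message type numbers from PROTOCOL.agent.
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def put_string(data):
    """Encode a length-prefixed string."""
    return struct.pack(">I", len(data)) + data


def get_string(buf, off):
    """Decode a length-prefixed string at `off`; reject truncated input."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def frame(msg_type, payload=b""):
    """Prepend the type byte and the outer uint32 length."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body


def build_identities_request():
    return frame(SSH_AGENTC_REQUEST_IDENTITIES)


def build_sign_request(key_blob, data, flags=0):
    """Ask the agent to sign `data` with the key named by its public blob.
    Only the signature comes back; the private key never crosses the socket."""
    return frame(SSH_AGENTC_SIGN_REQUEST,
                 put_string(key_blob) + put_string(data) + struct.pack(">I", flags))


def parse_identities_answer(body):
    """Parse an IDENTITIES_ANSWER body (type byte included, outer length
    stripped) into a list of (public key blob, comment) pairs."""
    if len(body) < 5 or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not a well-formed identities answer")
    (count,) = struct.unpack_from(">I", body, 1)
    off, identities = 5, []
    for _ in range(count):
        blob, off = get_string(body, off)
        comment, off = get_string(body, off)
        identities.append((blob, comment.decode("utf-8", "replace")))
    if off != len(body):
        raise ValueError("trailing bytes after last identity")
    return identities


def parse_sign_response(body):
    """Return the signature blob, or raise if the agent refused."""
    if not body or body[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("agent refused" if body[:1] == bytes([SSH_AGENT_FAILURE])
                         else "unexpected reply type")
    sig, off = get_string(body, 1)
    if off != len(body):
        raise ValueError("trailing bytes after signature")
    return sig


def _read_exact(s, n):
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf


def agent_roundtrip(request, sock_path=None):
    """Send one framed request over the agent's UNIX socket; return the reply body."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")  # assumed env var
    if not path:
        raise RuntimeError("SSH_AUTH_SOCK is not set")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(request)
        (length,) = struct.unpack(">I", _read_exact(s, 4))
        if length > 256 * 1024:  # sanity cap so a bad peer cannot make us allocate unbounded memory
            raise ValueError("reply too large")
        return _read_exact(s, length)


# Constructed sample (not from a real agent): one ed25519 public key whose
# 32-byte point is all zeros, used only to exercise the parser offline.
SAMPLE_BLOB = put_string(b"ssh-ed25519") + put_string(b"\x00" * 32)
SAMPLE_ANSWER_BODY = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                      + put_string(SAMPLE_BLOB) + put_string(b"constructed-key"))

if __name__ == "__main__":
    for blob, comment in parse_identities_answer(SAMPLE_ANSWER_BODY):
        print("sample:", comment, get_string(blob, 0)[0].decode())
    if os.environ.get("SSH_AUTH_SOCK"):
        try:
            for _, comment in parse_identities_answer(agent_roundtrip(build_identities_request())):
                print("agent holds:", comment)
        except (OSError, ValueError) as exc:
            print("agent not usable:", exc)
```

The strict length checks in `get_string` and the cap in `agent_roundtrip` are the part worth copying: whichever side of the socket holds the keys, the other side is parsing length-prefixed input from a peer it should not fully trust, which is exactly the class of bug the thread's starting point (a client-side roaming buffer) fell into.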


