Another candidate might be ssh-keysign

> On 15.01.2016 at 12:54, Alexander Wuerstlein <arw@xxxxxxxxx> wrote:
>
>> On 2016-01-15T11:23, Thomas Calderon <calderon.thomas@xxxxxxxxx> wrote:
>> How about using the existing OpenSSH client's PKCS#11 support to
>> isolate keying material in a dedicated process?
>>
>> A similar approach, "Practical key privilege separation using Caml
>> Crush", was discussed at FOSDEM'15 with a focus on
>> Heartbleed [1][2] but the ideas and principles are the same.
>>
>> Now this is easily done using the following available components:
>> - SoftHSM to store the crypto keys
>> - Caml-Crush server components load the SoftHSM middleware (access
>> the keys) in a dedicated process
>> - SSH client loads Caml-Crush PKCS#11 middleware that connects to
>> its daemon and allows signing the SSH exchange to authenticate
>>
>> No patch needed.
>
> Well, yes, that could of course work, but there is already an easier,
> existing and included-in-OpenSSH solution that does separate keying
> material: ssh-agent.
>
> My proposal was just to automate spawning it, thereby making things
> transparent and easy for users. The solution you describe sounds[1] a bit
> more complicated than even the current state of manually starting
> ssh-agent and ssh-add-ing all keys.
>
>
>
> Ciao,
>
> Alexander Wuerstlein.
>
> [1] I may be wrong there, of course
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
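An added example to go with the ssh-agent approach Alexander describes above (this is not code from the thread, from OpenSSH or from Caml-Crush): it spawns a dedicated agent on its own socket, loads a key, deletes the private-key file from disk, and then signs and verifies a message purely through the agent, so the client process never touches the private key material. It assumes OpenSSH 8.2 or newer, where ssh-keygen -Y sign can sign with a key held by ssh-agent when given only the public key file; the socket path, lifetimes, namespace and principal name are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): isolate SSH private keys in a dedicated
# ssh-agent process and use them only through the agent socket.
# Assumes OpenSSH >= 8.2 (ssh-keygen -Y sign can use agent-held keys).
set -eu

# Spawn a private agent on its own socket. Keys live only inside this process;
# -t sets a default lifetime so forgotten keys expire on their own.
start_isolated_agent() {
    AGENT_DIR=$(mktemp -d)
    SSH_AUTH_SOCK="$AGENT_DIR/agent.sock"
    eval "$(ssh-agent -a "$SSH_AUTH_SOCK" -t 3600 -s)" >/dev/null
    export SSH_AUTH_SOCK SSH_AGENT_PID AGENT_DIR
}

# Generate a key, hand it to the agent with a per-key lifetime, then delete the
# private file so only the public half remains on disk.
load_key_and_shred_file() {
    ssh-keygen -q -t ed25519 -N '' -C 'isolated-demo' -f "$AGENT_DIR/id_ed25519"
    ssh-add -t 600 "$AGENT_DIR/id_ed25519" 2>/dev/null
    rm -f "$AGENT_DIR/id_ed25519"
    ssh-add -l >/dev/null          # exit 0 only if the agent holds at least one key
}

# Sign a constructed message with the agent-held key: -f points at the public
# key file and ssh-keygen asks the agent for the signature. Then verify it
# against an allowed_signers file built from that public key.
sign_and_verify_via_agent() {
    printf 'constructed test message\n' > "$AGENT_DIR/msg"
    ssh-keygen -Y sign -q -f "$AGENT_DIR/id_ed25519.pub" -n demo "$AGENT_DIR/msg"
    printf 'demo@example.invalid %s\n' "$(cut -d' ' -f1,2 "$AGENT_DIR/id_ed25519.pub")" \
        > "$AGENT_DIR/allowed_signers"
    ssh-keygen -Y verify -f "$AGENT_DIR/allowed_signers" -I demo@example.invalid \
        -n demo -s "$AGENT_DIR/msg.sig" < "$AGENT_DIR/msg"
}

# Kill the agent (uses SSH_AGENT_PID) and remove the socket and scratch files.
stop_agent() {
    ssh-agent -k >/dev/null 2>&1 || true
    rm -rf "$AGENT_DIR"
}
```

Call the four functions in order; the verify step only succeeds if the signature came from the key the agent holds, which at that point no longer exists as a file. For the PKCS#11 route Thomas describes, the same agent can hold token keys instead of file keys via ssh-add -s with the path of the PKCS#11 module (for SoftHSM the module path depends on the installation and is not given here), and ssh will then use them through SSH_AUTH_SOCK exactly as above.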