Re: Proposal: always handle keys in separate process

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Another candidate might be ssh-keysign 

> Am 15.01.2016 um 12:54 schrieb Alexander Wuerstlein <arw@xxxxxxxxx>:
> 
>> On 2016-01-15T11:23, Thomas Calderon <calderon.thomas@xxxxxxxxx> wrote:
>> How about using the existing OpenSSH client's PKCS#11 support to
>> isolate keying material in a dedicated process?
>> 
>> A similar approach, "Practical key privilege separation using Caml
>> Crush", was discussed at FOSDEM'15 with a focus on
>> Heatbleed [1][2] but the ideas and principles are the same.
>> 
>> Now this is easily done using the following available components:
>>  - SoftHSM to store the crypto keys
>>  - Caml-Crush server components load the SoftHSM middleware (access
>> the keys) in a dedicated process
>>  - SSH client loads Caml-Crush PKCS#11 middleware that connects to
>> its daemon and allows to sign SSH exchange to authenticate
>> 
>> No patch needed.
> 
> Well, yes, that could of course work, but there is already an easier, 
> existing and included-in-OpenSSH solution that does separate keying
> material: ssh-agent.
> 
> My proposal was just to automate spawning it, thereby making things
> transparent and easy for users. The solution you describe sounds[1] a bit
> more complicated than even the current state of manually starting
> ssh-agent and ssh-add-ing all keys.
> 
> 
> 
> Ciao,
> 
> Alexander Wuerstlein.
> 
> [1] I may be wrong there, of course
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux