Re: OpenSSH Wipe Keys from RAM on Suspend

On Sat, 2020-09-19 at 23:17 +0000, procmem@xxxxxxxxxx wrote:
> Hi. There is a new cryptsetup feature that is supposed to protect
> user data while the PC is in standby. It wipes the key from RAM when
> sleep events are triggered. While it protects LUKS, other data and
> keys loaded in RAM at the time are still vulnerable to forensic
> recovery. Can you please consider adding a sleep key cache wipe
> feature to OpenSSH?

It already exists:

ssh-add -D

you just have to plumb it in to the suspend hooks.  It's also not
really the big problem: most people have gnome-keyring/kde-wallet
manage these keys.  Nowadays it runs ssh-agent under the covers and adds
the keys from the config files based on the passwords in the login
keyring, so you'd have to lock the login keyring as well on suspend and
unlock it on resume ... probably by hooking the screensaver password in
to it somehow and then have it re-populate ssh-agent.  That's a lot of
highly distro specific plumbing.

James


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
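As an added example (not part of this thread, and not OpenSSH or distro code), here is the suspend-hook plumbing the reply refers to: a systemd-sleep(8) script that runs `ssh-add -D` against every agent socket it can find before the machine sleeps. The socket locations (`/run/user/<uid>/keyring/ssh` for gnome-keyring, `/tmp/ssh-*/agent.*` for a plain ssh-agent) and the fact that the hook runs as root are assumptions; re-populating the agent on resume, which the reply describes as the hard part, is deliberately not handled.

```shell
#!/bin/sh
# Constructed example: systemd-sleep(8) hook that flushes every reachable
# ssh-agent before suspend. systemd runs scripts in
# /usr/lib/systemd/system-sleep/ as root with "$1" = pre|post and
# "$2" = suspend|hibernate|hybrid-sleep|suspend-then-hibernate.
#
# Assumptions (not from the thread): gnome-keyring's agent socket lives at
# /run/user/<uid>/keyring/ssh, a plain ssh-agent under /tmp/ssh-*/agent.*;
# other desktops need their own paths added. Nothing is restored on
# "post": the user re-runs ssh-add or re-unlocks the keyring after resume.

SSH_ADD="${SSH_ADD:-ssh-add}"       # overridable so the logic can be tested
RUN_DIR="${RUN_DIR:-/run/user}"
TMP_DIR="${TMP_DIR:-/tmp}"

# Print candidate agent socket paths, one per line (only real sockets).
candidate_sockets() {
    for d in "$RUN_DIR"/*/; do
        [ -S "${d}keyring/ssh" ] && printf '%s\n' "${d}keyring/ssh"
    done
    find "$TMP_DIR" -maxdepth 2 -type s -path "$TMP_DIR/ssh-*/agent.*" 2>/dev/null
}

# Ask the agent behind each socket to drop all identities (ssh-add -D).
# Root may connect to any user's agent socket, so no user switch is needed.
# Prints the number of agents that acknowledged the wipe.
wipe_sockets() {
    n=0
    for sock in "$@"; do
        if SSH_AUTH_SOCK="$sock" "$SSH_ADD" -D >/dev/null 2>&1; then
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

# Hook entry point: act only on the "pre" phase of a sleep transition.
main() {
    case "$1" in
        pre)
            # shellcheck disable=SC2046  # splitting the path list is intended
            count=$(wipe_sockets $(candidate_sockets))
            logger -t ssh-key-wipe "wiped identities from $count agent(s) before $2"
            ;;
        *) : ;;   # "post" or unknown phase: nothing to do
    esac
}

main "$@"
```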
