[Bug 1974] New: Support for encrypted host keys

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Wed Feb 1 03:22:09 EST 2012


https://bugzilla.mindrot.org/show_bug.cgi?id=1974

             Bug #: 1974
           Summary: Support for encrypted host keys
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 5.9p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: zevweiss at gmail.com


Created attachment 2125
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2125
Patch to implement support for encrypted host keys in sshd

(Copy/paste from this post to the mailing list:
http://marc.info/?l=openssh-unix-dev&m=132774431906364&w=2)

I recently found myself wanting to run sshd with passphrase-protected
host keys rather than the usual unencrypted format, and was somewhat
surprised to discover that sshd did not support this.  I'm not sure if
there's any particular reason for that, but I've developed the
[attached] patch (relative to current CVS at time of writing) that
implements this.  It prompts for the passphrase when the daemon is
started, similarly to Apache's behavior with encrypted SSL
certificates.

My initial implementation instead operated by passing the passphrase
along to the rexec child, but I decided I thought it was slightly nicer
to decrypt the key once and pass it along rather than redoing it every
time.  I can send the previous version if that would be preferred
though -- this key-passing version does have some resulting ugliness in
its handling of options.num_host_key_files, as described in a comment
in the patch.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list