[Bug 1974] Support for encrypted host keys
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Wed Jun 26 13:10:31 EST 2013
https://bugzilla.mindrot.org/show_bug.cgi?id=1974
Zev Weiss <zev at bewilderbeest.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |zev at bewilderbeest.net
Attachment #2125|0 |1
is obsolete| |
--- Comment #1 from Zev Weiss <zev at bewilderbeest.net> ---
Created attachment 2303
--> https://bugzilla.mindrot.org/attachment.cgi?id=2303&action=edit
Incomplete patch for sshd to use ssh-agent for hostkeys
>From mailing list post:
...assuming things look OK thus far, I'm considering how best to handle
the ssh-keysign problem. Since it's executed by a user's ssh client,
it
won't have the server's SSH_AUTH_SOCK environment variable, so finding
the
socket to connect to is slightly tricky -- any problems with changing
it to
a (configurable) static, globally-known path? Assuming not, then
there's
the question of *where* that would be configured -- sshd would need to
know
it, but ssh-keysign reads ssh_config, not sshd_config; requiring the
user
to configure the same path in both seems undesirable, as does having
either
one loading the other's config file. I guess making it compile-time
configurable would sort of work, but also doesn't seem like a great
solution. Any thoughts or suggestions on this? Having a static,
configurable socket path does seem nice otherwise, so sshd could just
spawn
its own agent passing "-a $SOCKETPATH" if it encounters an encrypted
hostkey on startup, rather than, say, relying on an init script to
launch
ssh-agent and export the SSH_AUTH_SOCK variable to sshd (though I
suppose
there's really nothing stopping it from doing that anyway without a
static
socket path).
This version also (somewhat unnecessarily) bundles public keys into the
sensitive_data struct, but I didn't really see a more appropriate place
to
stash those.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list