[Bug 3155] New: openssh support hostkey encrypt
bugzilla-daemon at mindrot.org
Sun Apr 26 19:45:00 AEST 2020
https://bugzilla.mindrot.org/show_bug.cgi?id=3155
Bug ID: 3155
Summary: openssh support hostkey encrypt
Product: Portable OpenSSH
Version: 8.2p1
Hardware: ARM64
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: kircherlike at outlook.com
We noticed that the sshd.c file contains the following code snippet:
...
    for (i = 0; i < options.num_host_key_files; i++) {
        int ll = options.host_key_file_userprovided[i] ?
            SYSLOG_LEVEL_ERROR : SYSLOG_LEVEL_DEBUG1;

        if (options.host_key_files[i] == NULL)
            continue;
        /* the host key is loaded with an empty passphrase ("") */
        if ((r = sshkey_load_private(options.host_key_files[i], "",
            &key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR)
            do_log2(ll, "Unable to load host key \"%s\": %s",
                options.host_key_files[i], ssh_err(r));
...
By default, an empty string is used as the password for reading the
hostkey. When the hostkey is stolen, the third party can disguise itself
as the server to obtain some information about the SSH client. We want to
protect it by encrypting the hostkey.
Can we use a non-empty string to encrypt the hostkey?
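One check an administrator might want alongside this request, as an added example that is not OpenSSH's code: parse the header of an OpenSSH-format private key file and report whether it is passphrase-protected (the cipher and KDF fields are "none" for an unencrypted key). The two sample keys are constructed inline with filler private sections, so they are not usable keys.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
FOOTER = "-----END OPENSSH PRIVATE KEY-----"

def _string(buf, off):
    # Read one SSH "string" (uint32 big-endian length + bytes) at offset off.
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def _put(s):
    # Encode bytes as an SSH "string".
    return struct.pack(">I", len(s)) + s

def inspect_key(pem):
    """Return cipher, KDF, key type and an 'encrypted' flag for a key file body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    cipher, off = _string(blob, off)
    kdf, off = _string(blob, off)
    kdfopts, off = _string(blob, off)
    off += 4  # uint32 number of keys (always 1 in current files)
    pubblob, off = _string(blob, off)
    keytype, _ = _string(pubblob, 0)
    rounds = None
    if kdf == b"bcrypt":  # kdfoptions = string salt || uint32 rounds
        _salt, o = _string(kdfopts, 0)
        (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
    return {"cipher": cipher.decode(), "kdf": kdf.decode(),
            "keytype": keytype.decode(), "encrypted": cipher != b"none",
            "rounds": rounds}

def make_sample(cipher, kdf, kdfopts=b""):
    # Constructed sample key file: real header layout, filler key material.
    pub = _put(b"ssh-ed25519") + _put(b"\x11" * 32)
    blob = (MAGIC + _put(cipher) + _put(kdf) + _put(kdfopts)
            + struct.pack(">I", 1) + _put(pub) + _put(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{HEADER}\n{body}\n{FOOTER}\n"

PLAIN = make_sample(b"none", b"none")  # what an unencrypted host key looks like
LOCKED = make_sample(b"aes256-ctr", b"bcrypt", _put(b"\x22" * 16) + struct.pack(">I", 16))
```

Feeding inspect_key() the contents of each /etc/ssh/ssh_host_*_key file gives an inventory of which host keys are stored without a passphrase.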