[Bug 3155] openssh support hostkey encrypt

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Apr 27 13:12:11 AEST 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3155

--- Comment #2 from kircher <kircherlike at outlook.com> ---
(In reply to Damien Miller from comment #1)
> First, you might be interested in ssh'd support for ssh-agent. This
> allows you to do what you want without modifying sshd. Basically you
> need to load your hostkeys in to a ssh-agent and tell sshd to use it
> via the HostKeyAgent directive.
> 
> In answer to your question: in theory yes, but there are two
> problems.
> 
> 1) where would the passphrase come from? It would need to be
> supplied each time sshd is started (e.g. at reboot)
> 
> 2) There is some subtlety around sshd's self-reexecution behaviour.
> You'd need to ensure that the passphrase is available at re-exec
> time too.

ssh-agent is a good command, but it binds the hostkey lifecycle to the
ssh-agent process in consideration of its use to manage the hostkey.
This means that if I don't want to keep a hostkey on the disk for a
long time with an empty password, it will change once ssh-agent
restarts.

For the two questions you asked:
1) We can read the content of /dev/random (for example, 20 readable
characters) as a passphrase when each hostkey is generated. This
passphrase will be stored in our private database. Each time the client
initiates an SSH login, the server reads the passphrase from the
database to decrypt the hostkey with the sshkey_load_private function.
This process does not need to be perceived by the client. For the
client, it does not need to know whether the server's hostkey is
encrypted.

2) Similarly, the method of reading the passphrase from the database can
also be used when sshd is executed again.
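The HostKeyAgent setup described in the quoted reply, as an added example that is not part of the bug thread: a dedicated, long-lived ssh-agent holds the passphrase-protected host keys and sshd is pointed at its socket. The socket path and key path are assumed values, and the script assumes that when HostKeyAgent is set, a HostKey entry may name the public key file so sshd never needs the decrypted private key on disk.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from OpenSSH itself.
# Assumed paths: /run/sshd-hostkey-agent.sock and /etc/ssh/ssh_host_ed25519_key.

# Render the sshd_config lines for agent-held host keys. With HostKeyAgent
# set, each HostKey entry is assumed to name the public key file, so the
# encrypted private key can stay encrypted on disk and is only ever
# unlocked inside the agent process.
hostkey_agent_config() {
  sock="$1"; shift
  printf 'HostKeyAgent %s\n' "$sock"
  for key in "$@"; do
    printf 'HostKey %s.pub\n' "$key"
  done
}

# Start an agent bound to a fixed socket and load the passphrase-protected
# private host keys into it. ssh-add prompts for each passphrase once; this
# is the step that has to be repeated whenever the agent restarts, which is
# the lifecycle coupling the comment above objects to.
load_hostkeys_into_agent() {
  sock="$1"; shift
  ssh-agent -a "$sock" >/dev/null || return 1
  SSH_AUTH_SOCK="$sock" ssh-add "$@"
}

# Usage (as root):
#   load_hostkeys_into_agent /run/sshd-hostkey-agent.sock /etc/ssh/ssh_host_ed25519_key
#   hostkey_agent_config /run/sshd-hostkey-agent.sock /etc/ssh/ssh_host_ed25519_key \
#       >> /etc/ssh/sshd_config
#   sshd -t && systemctl reload sshd
```

Because sshd re-executes itself for each connection, the socket must stay reachable for the lifetime of the daemon, not just at startup; `sshd -t` will report if the keys cannot be resolved.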
