Linux in-kernel keys support
Michael A Stevens
mstevens at cmu.edu
Thu Jul 28 07:44:12 EST 2005
This is an interesting patch if you want to protect keys against
attacks from being swapped out, or being ptraced by root. The crowd that
this could benefit is limited as you can only ptrace ssh-agent as root and
on most systems root can read kernel memory. I would think that most
systems where root can not read the kernel memory root would also not be
able to ptrace other processes. It is very easy to steal keys out of
ssh-agent as root though, and the hashed known_hosts file makes access
extension attacks based on this more difficult.
Mike Stevens
On Wed, 27 Jul 2005, Damien Miller wrote:
> On Tue, 26 Jul 2005, David Härdeman wrote:
>
>> Hi all,
>>
>> I recently made a patch to openssh 4.1p1 to allow it to use the in-kernel
>> key management provided by 2.6.12 or later Linux kernels.
>
> I'm not sure I understand this: does the patch just make ssh store and
> retrieve user authentication pubkeys from the kernel key store? It doesn't
> appear to use any kernel facilities to do the actual signing of challenges.
>
> -d
>