Linux in-kernel keys support

Michael A Stevens mstevens at cmu.edu
Thu Jul 28 07:44:12 EST 2005


This is an interesting patch if you want to protect keys against 
attacks from being swapped out, or being ptraced by root. The crowd that 
this could benefit is limited as you can only ptrace ssh-agent as root and 
on most systems root can read kernel memory. I would think that on most 
systems where root cannot read the kernel memory, root would also not be 
able to ptrace other processes. It is very easy to steal keys out of 
ssh-agent as root though, and the hashed known_hosts file makes access 
extension attacks based on this more difficult.

Mike Stevens

On Wed, 27 Jul 2005, Damien Miller wrote:

> On Tue, 26 Jul 2005, David Härdeman wrote:
>
>> Hi all,
>> 
>> I recently made a patch to openssh 4.1p1 to allow it to use the in-kernel 
>> key management provided by 2.6.12 or later Linux kernels.
>
> I'm not sure I understand this: does the patch just make ssh store and 
> retrieve user authentication pubkeys from the kernel key store? It doesn't 
> appear to use any kernel facilities to do the actual signing of challenges.
>
> -d
>


More information about the openssh-unix-dev mailing list