PATCH: Support for encrypted host keys

Daniel Kahn Gillmor dkg at
Wed Feb 1 03:58:56 EST 2012

On 01/31/2012 10:37 AM, Ángel González wrote:

> Daniel, I think he refers to /etc/ssh/ssh_host_*key, not ~/.ssh/known_hosts

Ah, you're right.  sorry, i misinterpreted (and clearly didn't read the
patch).  Thanks for the correction.

Zev, am i right in thinking that your approach to this problem seems to
make it so that launching sshd might or might not prompt the user for a
passphrase when starting up?  This might be tricky or cause trouble with
many common init systems.

What about an approach instead that allows sshd to talk to a running
ssh-agent for its keys?  Then a system administrator could load the host
key to the system ssh-agent at any point, leaving them
passphrase-protected on disk.

This seems like it might be less code introduced, and it also introduces
a nice symmetry with the ssh client.  Also, improvements with the agent
(e.g. connecting to smartcards) would flow naturally to sshd as well.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the openssh-unix-dev mailing list