PATCH: Support for encrypted host keys
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Feb 1 03:58:56 EST 2012
On 01/31/2012 10:37 AM, Ángel González wrote:
> Daniel, I think he refers to /etc/ssh/ssh_host_*key, not ~/.ssh/known_hosts
Ah, you're right. sorry, i misinterpreted (and clearly didn't read the
patch). Thanks for the correction.
Zev, am i right in thinking that your approach to this problem seems to
make it so that launching sshd might or might not prompt the user for a
passphrase when starting up? This might be tricky or cause trouble with
many common init systems.
What about an approach instead that allows sshd to talk to a running
ssh-agent for its keys? Then a system administrator could load the host
key to the system ssh-agent at any point, leaving them
passphrase-protected on disk.
This seems like it might be less code introduced, and it also introduces
a nice symmetry with the ssh client. Also, improvements with the agent
(e.g. connecting to smartcards) would flow naturally to sshd as well.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20120131/fc9ecb8b/attachment.bin>
More information about the openssh-unix-dev
mailing list