PEM file opened without DIRECT I/O which makes private key readable by attacker exploiting MELTDOWN
Philipp Marek
philipp at marek.priv.at
Sun Jan 7 06:38:28 AEDT 2018
> I think we are possibly interested in switching to DIRECT IO (given that it
> bypasses any caching system including page cache) when reading *.PEM file

Sorry, but this makes no sense.
The data could just as well be read from the SSH process memory space.

Direct IO has some additional complexity; this may well be avoided.

It makes *zero* sense to panic now and start "hardening" [which direct IO wouldn't even be!] individual programs - if separate memory spaces are not available, "all hope is lost".
More information about the openssh-unix-dev mailing list