[Bug 1974] Support for encrypted host keys

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Jul 5 19:44:34 EST 2013


https://bugzilla.mindrot.org/show_bug.cgi?id=1974

Markus Friedl <markus at openbsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |markus at openbsd.org

--- Comment #3 from Markus Friedl <markus at openbsd.org> ---
(In reply to Zev Weiss from comment #2)
> djm's mailing list reply:
> 
> > I think it is down to adding another ssh_config option to configure a
> > well-known agent socket for ssh-keysign or making ssh-keysign read
> > sshd_config too. The latter might be desirable, since then it could detect
> > which keys are actually in use. That being said, making it read ssh_config
> > would be more flexible if people ran multiple ssh instances on their hosts.
> > Maybe there is some third option that hasn't occurred to me...

problems:
1) calling both readconf() for ssh_config and sshd_config
   easy fix: rename struct options for either client or server config
2) however: I don't like the idea of having ssh-keysign
   run the parser code while running with uid 0
   we should avoid running that much code in a setuid tool...
   perhaps just disallow ssh-keysign for ssh-agent-setups :)
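The least-privilege concern in point 2 above is about ordering: a setuid helper should do its privileged work first, permanently give up root, and only then run large input-driven code such as a config parser. The following is an added illustration of that ordering, not OpenSSH code; every function in it (`drop_privileges_permanently`, `parse_hostkey_directives`, `helper_sequence`, `write_constructed_key_file`) is hypothetical, the "host key" it reads is a constructed placeholder written to a temp file, and the config text is a constructed fragment. The parser only understands `HostKey` lines and is deliberately small.

```c
/* Added example (not OpenSSH's ssh-keysign): privileged work first,
 * permanent privilege drop second, untrusted-input parsing last. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>

/* Constructed sshd_config fragment; not taken from any real host. */
static const char CONSTRUCTED_CONFIG[] =
    "# constructed sample, not a real sshd_config\n"
    "Port 22\n"
    "HostKey /etc/ssh/ssh_host_ed25519_key\n"
    "   hostkey /etc/ssh/ssh_host_rsa_key\n"
    "PermitRootLogin no\n";

/* Permanently drop to the real uid/gid and verify the drop took effect.
 * Returns 0 on success, -1 if any step fails or root could be regained. */
int drop_privileges_permanently(void) {
    uid_t target_uid = getuid();
    gid_t target_gid = getgid();
    if (setgid(target_gid) != 0) return -1;     /* group first, while still privileged */
    if (setuid(target_uid) != 0) return -1;     /* for a setuid-root helper this resets all three uids */
    if (geteuid() != target_uid || getegid() != target_gid) return -1;
    /* If we were not really root, regaining root must now fail. */
    if (target_uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Minimal parser: collects the argument of each "HostKey <path>" line
 * (case-insensitive keyword, leading whitespace and "#" comments ignored).
 * Returns the number of paths stored (at most max_keys), or -1 on an
 * overlong line or path, which is rejected rather than truncated. */
int parse_hostkey_directives(const char *text, char paths[][256], int max_keys) {
    int n = 0;
    const char *line = text;
    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) return -1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        char *p = buf;
        while (*p == ' ' || *p == '\t') p++;
        if (*p != '\0' && *p != '#') {
            char *kw = strtok(p, " \t");
            char *arg = strtok(NULL, " \t");
            if (kw && arg && strcasecmp(kw, "HostKey") == 0 && n < max_keys) {
                if (strlen(arg) >= 256) return -1;
                strcpy(paths[n++], arg);
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return n;
}

/* Writes a constructed placeholder "host key" to a temp file so the
 * privileged phase has something to read. Returns 0 on success. */
int write_constructed_key_file(char *path, size_t path_len) {
    static const char material[] = "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n";
    const char *tmpl = "/tmp/keysign-example-XXXXXX";
    if (path_len <= strlen(tmpl)) return -1;
    strcpy(path, tmpl);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t want = (ssize_t)(sizeof material - 1);
    int ok = write(fd, material, (size_t)want) == want;
    close(fd);
    return ok ? 0 : -1;
}

/* The ordering a setuid helper should follow:
 *   1. privileged work (read the key file),
 *   2. permanent privilege drop,
 *   3. only then the large, input-driven parser.
 * Returns the parser's result, -2 if the key cannot be read, -3 if the drop fails. */
int helper_sequence(const char *key_file, const char *config_text, char paths[][256], int max_keys) {
    char keybuf[128];
    int fd = open(key_file, O_RDONLY);                 /* phase 1 */
    if (fd < 0) return -2;
    ssize_t r = read(fd, keybuf, sizeof keybuf - 1);
    close(fd);
    if (r <= 0) return -2;
    keybuf[r] = '\0';
    if (drop_privileges_permanently() != 0) return -3; /* phase 2 */
    return parse_hostkey_directives(config_text, paths, max_keys); /* phase 3 */
}

int main(void) {
    char key_path[64];
    char paths[4][256];
    if (write_constructed_key_file(key_path, sizeof key_path) != 0) return 1;
    int n = helper_sequence(key_path, CONSTRUCTED_CONFIG, paths, 4);
    unlink(key_path);
    if (n < 0) { fprintf(stderr, "helper failed: %d\n", n); return 1; }
    printf("privileges dropped; parsed %d HostKey directive(s) unprivileged\n", n);
    for (int i = 0; i < n; i++) printf("  %s\n", paths[i]);
    return 0;
}
```

The point of the example is the position of the privilege drop relative to the parser: the only code that runs with the helper's elevated uid is the small, fixed-input key read. This is also the order ssh-keysign itself already uses for its host keys (read them, then drop privileges for good), so the open question in the thread is really whether the parser can be kept on the unprivileged side of that line.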
