Proposal: always handle keys in separate process
Alexander Wuerstlein
arw at cs.fau.de
Fri Jan 15 22:54:16 AEDT 2016
On 2016-01-15T11:23, Thomas Calderon <calderon.thomas at gmail.com> wrote:
> How about using the existing OpenSSH client's PKCS#11 support to
> isolate keying material in a dedicated process?
>
> A similar approach, "Practical key privilege separation using Caml
> Crush", was discussed at FOSDEM'15 with a focus on
> Heatbleed [1][2] but the ideas and principles are the same.
>
> Now this is easily done using the following available components:
> - SoftHSM to store the crypto keys
> - Caml-Crush server components load the SoftHSM middleware (access
> the keys) in a dedicated process
> - SSH client loads Caml-Crush PKCS#11 middleware that connects to
> its daemon and allows to sign SSH exchange to authenticate
>
> No patch needed.
Well, yes, that could of course work, but there is already an easier,
existing and included-in-OpenSSH solution that does separate keying
material: ssh-agent.
My proposal was just to automate spawning it, thereby making things
transparent and easy for users. The solution you describe sounds[1] a bit
more complicated than even the current state of manually starting
ssh-agent and ssh-add-ing all keys.
Ciao,
Alexander Wuerstlein.
[1] I may be wrong there, of course
More information about the openssh-unix-dev
mailing list