> On Fri 13/12/2019, at 2:14 am, Joakim Tjernlund
> <joakim.tjernl...@infinera.com> wrote:
>
> On Thu, 2019-12-12 at 18:34 +0100, Hans Harder wrote:
>>
>>> The bigger issue here is why not reread keys at every new session? That
>>> seems like the right thing to do in any case?
>>
>> Performance...
I don't _think_ there would be any performance problem reloading key files for each session - compared with the key exchange it's not compute intensive. It's better to keep it simple rather than introduce cache invalidation by file timestamps where it isn't needed.

I'd been considering moving non-inetd dropbear to use fork/self-exec instead of plain fork() for improved address space randomisation; that would probably require loading keys each time too.

That said, if I were in the same situation I'd just run "kill `cat /var/run/dropbear.pid`; service dropbear start" or similar when writing keyfiles - job done.

Cheers,
Matt
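The restart-after-writing-keys approach from Matt's reply, written out as a small shell script. This is an added example and not code from the thread or from the Dropbear project. It assumes a Debian-style key path under /etc/dropbear, a pidfile at /var/run/dropbear.pid, a `service dropbear start` init script and the `dropbearkey` tool; the two checks it adds beyond the one-liner are that the new key is installed with a single rename (so a daemon started at the wrong moment never reads a half-written key) and that the PID from the pidfile is only killed if it still belongs to a process named dropbear (a stale pidfile can point at an unrelated process that reused the PID).

```shell
#!/bin/sh
# Added example (not from the dropbear thread or project): rotate a dropbear
# host key and restart the listening daemon so new sessions use the new key.
# KEYFILE, PIDFILE and the "service dropbear start" command are assumptions.
set -u

KEYFILE="${KEYFILE:-/etc/dropbear/dropbear_ecdsa_host_key}"
PIDFILE="${PIDFILE:-/var/run/dropbear.pid}"

# Print the PID recorded in $1, but only if it is a plain integer, the process
# still exists and its command name is "dropbear". Returns non-zero otherwise,
# so a stale or garbage pidfile never leads to killing the wrong process.
dropbear_pid() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || return 1
    comm=$(ps -o comm= -p "$pid" 2>/dev/null | tr -d '[:space:]')
    [ "$comm" = "dropbear" ] || return 1
    printf '%s\n' "$pid"
}

# Move a freshly generated key ($1) into place at $2. chmod first so the key is
# never world-readable at its final path; mv within one filesystem is a single
# rename(), so a daemon starting concurrently sees either the old or the new
# complete key, never a partially written one.
install_hostkey() {
    src="$1"
    dst="$2"
    chmod 600 "$src" || return 1
    mv -f "$src" "$dst"
}

# Stop the listener named by the pidfile (if it really is dropbear) and start a
# new one. Dropbear forks a child per connection, so existing sessions survive
# this; only connections accepted after the restart see the new host key.
restart_dropbear() {
    if pid=$(dropbear_pid "$PIDFILE"); then
        kill "$pid"
        i=0
        while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 5 ]; do
            sleep 1
            i=$((i + 1))
        done
    fi
    service dropbear start
}

# Generate the new key next to the old one (same filesystem, so the rename in
# install_hostkey is atomic), then swap it in and restart.
rotate_hostkey() {
    tmp="$KEYFILE.new.$$"
    rm -f "$tmp"
    dropbearkey -t ecdsa -f "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    install_hostkey "$tmp" "$KEYFILE" || { rm -f "$tmp"; return 1; }
    restart_dropbear
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
case "${1:-}" in
    rotate) rotate_hostkey ;;
esac
```

Run as `sh rotate-hostkey.sh rotate` (as root, or with a KEYFILE/PIDFILE you can write) to perform one rotation; without the argument it only defines the functions. If the pidfile is missing or does not point at a running dropbear, nothing is killed and the script falls through to `service dropbear start`, which is the same end state the one-liner reaches.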