https://bugzilla.mindrot.org/show_bug.cgi?id=3155
--- Comment #2 from kircher <[email protected]> --- (In reply to Damien Miller from comment #1) > First, you might be interested in ssh'd support for ssh-agent. This > allows you to do what you want without modifying sshd. Basically you > need to load your hostkeys in to a ssh-agent and tell sshd to use it > via the HostKeyAgent directive. > > In answer to your question: in theory yes, but there are two > problems. > > 1) where would the passphrase come from? It would need to be > supplied each time sshd is started (e.g. at reboot) > > 2) There is some subtlety around sshd's self-reexecution behaviour. > You'd need to ensure that the passphrase is available at re-exec > time too. ssh-agent is a good command, but it binds the hostkey lifecycle to the ssh-agent process in consideration of its use to manage the hostkey. This means that if I don't want to keep a hostkey on the disk for a long time with an empty password, it will change once ssh-agent restarts. For the two questions you asked: 1)We can read the content of /dev/random (for example, 20 readable characters) as a passphrase when each hostkey is generated. This passphrase will be stored in our private database. Each time the client initiates an SSH login, the server reads the passphrase from the database to decrypt the hostkey with the sshkey_load_private function. This process does not need to be perceived by the client. For the client, it does not need to know whether the server's hostkey is encrypted. 2)Similarly, the method of reading the passphrase from the database can also be used when sshd is executed again. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. _______________________________________________ openssh-bugs mailing list [email protected] https://lists.mindrot.org/mailman/listinfo/openssh-bugs
