https://bugzilla.mindrot.org/show_bug.cgi?id=3155
Darren Tucker <[email protected]> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |[email protected]

--- Comment #3 from Darren Tucker <[email protected]> ---
(In reply to kircher from comment #2)
[...]
> 1) We can read the content of /dev/random (for example, 20 readable
> characters) as a passphrase when each hostkey is generated. This
> passphrase will be stored in our private database.

The host key is only readable by root. Anywhere you could store the
passphrase would also be readable by root, so you're not actually buying
anything in terms of security. Plus if the database is on another host
you'll be adding a bunch of extra points of failure.

If you want to protect the host keys against root then you need to do it
in hardware, eg by using a pkcs11 hardware token (which is done via
ssh-agent).

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
