From: "David Härdeman" <david@2gen.com>
To: Trond Myklebust <trond.myklebust@fys.uio.no>
Cc: Adrian Bunk <bunk@stusta.de>,
Christoph Hellwig <hch@infradead.org>,
keyrings@linux-nfs.org, linux-kernel@vger.kernel.org
Subject: Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
Date: Sat, 28 Jan 2006 17:57:32 +0100 [thread overview]
Message-ID: <20060128165732.GA8633@hardeman.nu> (raw)
In-Reply-To: <1138466271.8770.77.camel@lade.trondhjem.org>
On Sat, Jan 28, 2006 at 11:37:51AM -0500, Trond Myklebust wrote:
>On Sat, 2006-01-28 at 11:46 +0100, David Härdeman wrote:
>> Not necessarily, if you have your ssh-keys in ssh-agent, a compromise of
>> your account (forgot to lock the screen while going to the bathroom?
>> did the OOM-condition occur which killed the program which locks the
>> screen? remote compromise of the system? local compromise?) means that a large
>> array of attacks are possible against the daemon.
>>
>> In addition, as stated before, the "backup" account, or whatever user the
>> daemon which wants to sign stuff with your key is running as, might be
>> compromised.
>>
>> Currently, if you want to give the daemon access to the keys via
>> ssh-agent (or something similar), you have to change the permissions on
>> the ssh-agent socket to be much less restricted (especially since it's
>> unlikely that you have permission to change the uid or gid of the socket
>> to that of the daemon). Alternatively you can provide the backup daemon
>> with the key directly (via fs, or loaded somehow at startup...etc), but
>> then a compromise of the daemon means that the attacker has the private
>> key.
>>
>> Finally, the in-kernel system also provides a mechanism for the daemon
>> to request the key when it is needed should it realize that the proper
>> key is missing/has changed/whatever.
>
>Then fix ssh, not the kernel. As I said before, this is a problem that
>has been solved entirely in userspace by means of proxy certificates:
>they allow the user to issue time-limited certificates that are signed
>by the original certificate (hence can be authenticated as such), and
>that authorise a service to do a specific thing.
What about the first paragraph of what I wrote? You are going to want to
keep often-used keys around somehow, proxy certificates is not a
solution for your own use of your personal keys and with the exception
of hardware solutions such as smart cards, the keys will be safer in the
kernel than in a user-space daemon...
Further, the mpi and dsa code can also be used for supporting signed
modules and binaries...the "store dsa-keys in kernel" part adds 376
lines of code (counted with wc so comments and includes etc are also
counted)...
Regards,
David
next prev parent reply other threads:[~2006-01-28 16:58 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-01-26 21:58 [PATCH 00/04] Add DSA key type David Härdeman
2006-01-26 21:58 ` [PATCH 03/04] Add encryption ops to the keyctl syscall David Härdeman
2006-01-26 21:58 ` [PATCH 01/04] Add multi-precision-integer maths library David Härdeman
2006-01-27 9:28 ` Christoph Hellwig
2006-01-27 20:07 ` David Howells
2006-01-27 20:41 ` David Härdeman
2006-01-27 22:19 ` [Keyrings] " Trond Myklebust
2006-01-27 23:35 ` Kyle Moffett
2006-01-28 0:27 ` Adrian Bunk
2006-01-28 3:45 ` Trond Myklebust
2006-01-28 7:17 ` Kyle Moffett
2006-01-28 10:39 ` Adrian Bunk
2006-01-28 0:22 ` Adrian Bunk
2006-01-28 10:46 ` David Härdeman
2006-01-28 13:03 ` Adrian Bunk
2006-01-28 17:09 ` David Härdeman
2006-01-28 16:37 ` [Keyrings] " Trond Myklebust
2006-01-28 16:57 ` David Härdeman [this message]
2006-01-29 3:20 ` Trond Myklebust
2006-01-29 11:33 ` David Härdeman
2006-01-29 12:29 ` Adrian Bunk
2006-01-29 13:09 ` Arjan van de Ven
2006-01-29 20:05 ` Steve French
2006-01-29 20:52 ` Arjan van de Ven
2006-01-29 21:41 ` Steve French
2006-02-06 12:31 ` David Howells
2006-01-29 23:18 ` Adrian Bunk
2006-01-29 13:18 ` David Härdeman
2006-01-29 23:36 ` Adrian Bunk
2006-01-30 18:09 ` Nix
2006-01-29 16:38 ` Trond Myklebust
2006-01-29 18:49 ` Dax Kelson
2006-01-29 19:10 ` Trond Myklebust
2006-01-29 21:29 ` David Härdeman
2006-01-29 21:46 ` Trond Myklebust
2006-01-29 21:13 ` David Härdeman
2006-01-29 21:28 ` Trond Myklebust
2006-01-29 22:02 ` David Härdeman
2006-01-29 22:05 ` Trond Myklebust
2006-01-29 22:54 ` Kyle Moffett
2006-01-29 23:07 ` Trond Myklebust
2006-01-29 23:15 ` Adrian Bunk
2006-01-29 21:09 ` Pavel Machek
2006-01-26 21:58 ` [PATCH 02/04] Add dsa crypto ops David Härdeman
2006-01-26 21:58 ` [PATCH 04/04] Add dsa key type David Härdeman
2006-01-27 1:10 ` [PATCH 00/04] Add DSA " Herbert Xu
2006-01-27 7:18 ` David Härdeman
2006-01-27 20:11 ` David Howells
2006-01-27 23:22 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060128165732.GA8633@hardeman.nu \
--to=david@2gen.com \
--cc=bunk@stusta.de \
--cc=hch@infradead.org \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=trond.myklebust@fys.uio.no \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.