Niels M�ller <[EMAIL PROTECTED]> writes:
> comparatively minor problem (this is not necessarily true, but I think
> it is how ssh:s use of unencrypted host keys is justified).
And there is no way for a daemon to use encrypted private keys without
asking the operator on startup to enter the passphrase. Not good for
a server.
> That is also a deliberate decision. I think that it can be a real
> security problem that sensitive data is written out to a swap
> partition. However, I don't see any satisfactory solution on the
But how can an attacker access the swap partition without physical
or root access? And the last thing (getting roo access) is what lsh
is designed to control.
> reason is quite simple: lsh can't know for sure whether or not some
> piece of information is sensitive. In fact, it seems quite likely that
A private key is much more sensitive than all other stuff because
if Eve knows the private key she can mount any attack.
Such private key operations shoud be done by the ssh-agent (or it
could provide "secure" memory for this purpose).
BTW has anyone yet scrutinized the ssh-agent protocal?
> On the other hand, I think it would be fairly straight forward to
> implemente encrypted swap at the OS level, and that this would solve
I think the problem is more a political one. It is not easy to put
encryption into the kernel and export it from the U.S. or even use
the kernel in France. Remember that there is that beast called crypto
with a hole.
> The idea is to have the kernel choose a random key when each process
> is created (this feature could be enabled on a per user or per process
I'd really appreciate this too.
Werner
