On Mon, 2019-12-16 at 22:16 +0800, Matt Johnston wrote:
> 
> On Fri 13/12/2019, at 2:14 am, Joakim Tjernlund <joakim.tjernl...@infinera.com> wrote:
> 
> > On Thu, 2019-12-12 at 18:34 +0100, Hans Harder wrote:
> > > The bigger issue here is why not reread keys at every new session?
> > > That seems like the right thing to do in any case?
> > 
> > Performance...
> 
> I don't _think_ there would be any performance problem reloading key files
> for each session - compared with the key exchange it's not compute intensive.
> It's better to keep it simple rather than introduce cache invalidation by
> file timestamps where it isn't needed. I'd been considering moving non-inetd
> dropbear to use fork/self-exec instead of plain fork() for improved address
> space randomisation, that would probably require loading keys each time too.
> 
> That said if I were in the same situation I'd just run "kill `cat
> /var/run/dropbear.pid`; service dropbear start" or similar when writing
> keyfiles - job done.
Well, these days people want to regen both host keys and certificates every now and then.
I think the community would appreciate it if dropbear picked up new keys automatically without being forced into an inetd model.
You already have an option to generate keys on the fly (-R).

 Jocke