linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Trond Myklebust <trond.myklebust@fys.uio.no>
To: "David Härdeman" <david@2gen.com>
Cc: Adrian Bunk <bunk@stusta.de>,
	Christoph Hellwig <hch@infradead.org>,
	keyrings@linux-nfs.org, linux-kernel@vger.kernel.org
Subject: Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library
Date: Sat, 28 Jan 2006 11:37:51 -0500	[thread overview]
Message-ID: <1138466271.8770.77.camel@lade.trondhjem.org> (raw)
In-Reply-To: <20060128104611.GA4348@hardeman.nu>

On Sat, 2006-01-28 at 11:46 +0100, David Härdeman wrote:

> Not necessarily, if you have your ssh-keys in ssh-agent, a compromise of 
> your account (forgot to lock the screen while going to the bathroom? 
> did the OOM-condition occur which killed the program which locks the
> screen? remote compromise of the system? local compromise?) means that a large 
> array of attacks are possible against the daemon.
> 
> In addition, as stated before, the "backup" account, or whatever user the 
> daemon which wants to sign stuff with your key is running as, might be 
> compromised.
> 
> Currently, if you want to give the daemon access to the keys via 
> ssh-agent (or something similar), you have to change the permissions on 
> the ssh-agent socket to be much less restricted (especially since it's 
> unlikely that you have permission to change the uid or gid of the socket 
> to that of the daemon). Alternatively you can provide the backup daemon 
> with the key directly (via fs, or loaded somehow at startup...etc), but 
> then a compromise of the daemon means that the attacker has the private 
> key.
> 
> Finally, the in-kernel system also provides a mechanism for the daemon 
> to request the key when it is needed should it realize that the proper 
> key is missing/has changed/whatever.

Then fix ssh, not the kernel. As I said before, this is a problem that
has been solved entirely in userspace by means of proxy certificates:
they allow the user to issue time-limited certificates that are signed
by the original certificate (hence can be authenticated as such), and
that authorise a service to do a specific thing.

Cheers,
  Trond


  parent reply	other threads:[~2006-01-28 16:39 UTC|newest]

Thread overview: 49+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-01-26 21:58 [PATCH 00/04] Add DSA key type David Härdeman
2006-01-26 21:58 ` [PATCH 03/04] Add encryption ops to the keyctl syscall David Härdeman
2006-01-26 21:58 ` [PATCH 02/04] Add dsa crypto ops David Härdeman
2006-01-26 21:58 ` [PATCH 01/04] Add multi-precision-integer maths library David Härdeman
2006-01-27  9:28   ` Christoph Hellwig
2006-01-27 20:07   ` David Howells
2006-01-27 20:41     ` David Härdeman
2006-01-27 22:19       ` [Keyrings] " Trond Myklebust
2006-01-27 23:35         ` Kyle Moffett
2006-01-28  0:27           ` Adrian Bunk
2006-01-28  3:45           ` Trond Myklebust
2006-01-28  7:17             ` Kyle Moffett
2006-01-28 10:39               ` Adrian Bunk
2006-01-28  0:22       ` Adrian Bunk
2006-01-28 10:46         ` David Härdeman
2006-01-28 13:03           ` Adrian Bunk
2006-01-28 17:09             ` David Härdeman
2006-01-28 16:37           ` Trond Myklebust [this message]
2006-01-28 16:57             ` [Keyrings] " David Härdeman
2006-01-29  3:20               ` Trond Myklebust
2006-01-29 11:33                 ` David Härdeman
2006-01-29 12:29                   ` Adrian Bunk
2006-01-29 13:09                     ` Arjan van de Ven
2006-01-29 20:05                       ` Steve French
2006-01-29 20:52                         ` Arjan van de Ven
2006-01-29 21:41                           ` Steve French
2006-02-06 12:31                         ` David Howells
2006-01-29 23:18                       ` Adrian Bunk
2006-01-29 13:18                     ` David Härdeman
2006-01-29 23:36                       ` Adrian Bunk
2006-01-30 18:09                         ` Nix
2006-01-29 16:38                   ` Trond Myklebust
2006-01-29 18:49                     ` Dax Kelson
2006-01-29 19:10                       ` Trond Myklebust
2006-01-29 21:29                         ` David Härdeman
2006-01-29 21:46                           ` Trond Myklebust
2006-01-29 21:13                     ` David Härdeman
2006-01-29 21:28                       ` Trond Myklebust
2006-01-29 22:02                         ` David Härdeman
2006-01-29 22:05                           ` Trond Myklebust
2006-01-29 22:54                             ` Kyle Moffett
2006-01-29 23:07                               ` Trond Myklebust
2006-01-29 23:15                               ` Adrian Bunk
2006-01-29 21:09           ` Pavel Machek
2006-01-26 21:58 ` [PATCH 04/04] Add dsa key type David Härdeman
2006-01-27  1:10 ` [PATCH 00/04] Add DSA " Herbert Xu
2006-01-27  7:18   ` David Härdeman
2006-01-27 20:11   ` David Howells
2006-01-27 23:22     ` Herbert Xu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1138466271.8770.77.camel@lade.trondhjem.org \
    --to=trond.myklebust@fys.uio.no \
    --cc=bunk@stusta.de \
    --cc=david@2gen.com \
    --cc=hch@infradead.org \
    --cc=keyrings@linux-nfs.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).