What mechanisms does ssh-agent use to keep unlocked private keys secure in memory?

岁酱吖の 提交于 2019-12-06 09:05:09

问题


I'm working on a library to make quick access to KeepassX database files easier for power users. Right now the application is so short-lived in memory that security around the unencrypted KeePass database is not a huge concern.

However, I'd like to add the ability to hold the database unlocked for a period of time in the background, similar to the way the KeepassX GUI does. This would allow immediate query of passwords without being prompted for the master password. This means there would be sort of daemon process that holds the database in memory and communicates with a client.

It seems that the security implications of this are similar to that of ssh-agent, and I'm wondering if anyone 'round these parts is familiar with how that project approaches the long-term secure storage of sensitive data (namely, unlocked SSH private keys).


回答1:


Perhaps this will help: Man: mlock(2)

Note that UNIX domain sockets are somewhat more secure then Internet domain sockets since they can only be reached from local host and access to them can be further constrained to specific users and groups (using chown and chgrp and, of course, chmod).



来源:https://stackoverflow.com/questions/9650410/what-mechanisms-does-ssh-agent-use-to-keep-unlocked-private-keys-secure-in-memor

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!