security - What mechanisms does ssh-agent use to keep unlocked private keys secure in memory? -
i'm working on library make quick access keepassx database files easier power users. right application short-lived in memory security around unencrypted keepass database not huge concern.
however, i'd add ability hold database unlocked period of time in background, similar way keepassx gui does. allow immediate query of passwords without being prompted master password. means there sort of daemon process holds database in memory , communicates client.
it seems security implications of similar of ssh-agent
, , i'm wondering if 'round these parts familiar how project approaches long-term secure storage of sensitive data (namely, unlocked ssh private keys).
perhaps help: man: mlock(2)
note unix domain sockets more secure internet domain sockets since can reached local host and access them can further constrained specific users , groups (using chown
, chgrp
and, of course, chmod
).
Comments
Post a Comment