John M. Harris Jr wrote:
Well, you could theoretically use ssh-agent (or equivalent), without
changing the protocol in any way.
You need protocol support to do this securely. Otherwise, your ssh-agent is
a decryption oracle which can be used by an attacker to decrypt your LUKS
keyfile on demand. The decryption should only be possible as part of the
login process after the server fingerprint has been verified and before
arbitrary application data can be sent.
Kevin Kofler