On Wed, Dec 4, 2019 at 9:24 PM John M. Harris Jr <johnmh(a)splentity.com> wrote:
> On Wednesday, December 4, 2019 6:02:07 PM MST Kevin Kofler wrote:
> > John M. Harris Jr wrote:
> >
> > > Well, you could theoretically use ssh-agent (or equivalent), without
> > > changing the protocol in any way.
> >
> > You need protocol support to do this securely. Otherwise, your ssh-agent is
> > a decryption oracle which can be used by an attacker to decrypt your LUKS
> > keyfile on demand. The decryption should only be possible as part of the
> > login process after the server fingerprint has been verified and before
> > arbitrary application data can be sent.
> Oh, of course after fingerprint verification. Luckily, that can be
> accomplished by forcing a fake shell which would run a check to see if the
> home directory is already mounted. If it's not, it'd use the ssh agent, or
> equivalent, then execute the real shell. If it's already mounted, short
> circuit to the last step, executing the real shell.
Let's not go too far down the "gummy fingerprint" thread. If a
sophisticated person has your laptop, they probably have your
fingerprints, and very few fingerprint scanners successfully resist a
duplicated and printed fingerprint.
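The "forced shell" John sketches above, written out as an added example (not code from this thread or from any project it mentions): a wrapper installed as the user's login shell that checks whether the home directory is already a mount point, runs an unlock helper only when it is not, and then execs the real shell. The helper path, the real shell path and the `is_mounted`/`login_wrapper` function names are assumptions; the unlock helper itself (keyfile decryption, `cryptsetup`, `mount`) is left to that helper and is not shown.

```shell
#!/bin/sh
# Added example, not code from the thread: a forced login shell that gates an
# unlock step on whether $HOME is already mounted, then execs the real shell.
# All paths passed in (home dir, real shell, unlock helper) are placeholders.

# is_mounted DIR: exit 0 if DIR is currently a mount point, 1 otherwise.
# Reads /proc/mounts directly on Linux; falls back to mountpoint(1) elsewhere.
is_mounted() {
    dir=$1
    if [ -r /proc/mounts ]; then
        while read -r _dev mnt _rest; do
            [ "$mnt" = "$dir" ] && return 0
        done < /proc/mounts
        return 1
    fi
    mountpoint -q "$dir"
}

# login_wrapper HOME REAL_SHELL UNLOCK_CMD
# sshd only starts the login shell after the session is authenticated, so by
# the time this runs the client has already verified the host key. If HOME is
# not mounted yet, run the unlock helper; if it already is, skip straight to
# the real shell (the short circuit described in the thread).
login_wrapper() {
    home=$1
    real_shell=$2
    unlock_cmd=$3
    if ! is_mounted "$home"; then
        if ! "$unlock_cmd" "$home"; then
            echo "forced-shell: unlock of $home failed, refusing login" >&2
            return 1
        fi
        # Re-check the mount rather than trusting the helper's exit status alone.
        if ! is_mounted "$home"; then
            echo "forced-shell: $home still not mounted after unlock" >&2
            return 1
        fi
    fi
    exec "$real_shell" -l
}

# Invoke as: forced-shell.sh /home/alice /bin/bash /usr/local/sbin/unlock-home
# (all three are assumed placeholder paths). With no arguments the functions
# are only defined, so the file can be sourced or tested without exec'ing.
if [ "$#" -eq 3 ]; then
    login_wrapper "$1" "$2" "$3"
fi
```

The wrapper only enforces the ordering the thread asks for (unlock after authentication, before the user's own shell). It does nothing about Kevin's objection: whatever agent or credential the unlock helper uses is still reachable by any command the user runs afterwards unless the helper is the only process that ever sees it, and a plain wrapper script cannot guarantee that on its own.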