On Wednesday, December 4, 2019 6:02:07 PM MST Kevin Kofler wrote:
John M. Harris Jr wrote:
> Well, you could theoretically use ssh-agent (or equivalent), without
> changing the protocol in any way.
You need protocol support to do this securely. Otherwise, your ssh-agent is
a decryption oracle which can be used by an attacker to decrypt your LUKS
keyfile on demand. The decryption should only be possible as part of the
login process after the server fingerprint has been verified and before
arbitrary application data can be sent.
Oh, of course after fingerprint verification. Luckily, that can be
accomplished by forcing a fake shell which would run a check to see if the
home directory is already mounted. If it's not, it'd use the ssh agent, or
equivalent, then execute the real shell. If it's already mounted, short
circuit to the last step, executing the real shell.
--
John M. Harris, Jr.
Splentity