
OpenSSH Key Shielding - zdw
https://xorhash.gitlab.io/xhblog/0010.html
======
thinkmassive
This sounds like good news for automated cloud systems that connect via SSH
(like Jenkins agents), where holding SSH keys in memory is an undesirable but
necessary compromise made in favor of usability.

Security-conscious users should be using a GPG smartcard for authentication,
in which case the private keys are never held in RAM and shouldn't be
susceptible to this type of attack in the first place.

~~~
beefhash
You may be glad to hear that OpenBSD has been working on supporting security
keys natively in OpenSSH, which should hopefully obviate the need to depend on
GPG for hardware token solutions. See, for example,
[https://github.com/openbsd/src/commit/094c80e0a523faf92a99f6...](https://github.com/openbsd/src/commit/094c80e0a523faf92a99f63ea2e05353f5028597).

~~~
thinkmassive
Oooh, so we will eventually be able to use simple (and less expensive) U2F
devices for SSH authentication? This is wonderful news!

~~~
gnufx
There were security concerns voiced under
[https://news.ycombinator.com/item?id=21417182](https://news.ycombinator.com/item?id=21417182).
I don't know whether they got addressed.

------
dijit
Hate being the guy who complains about this, but this is very difficult to
read on mobile. Reader mode is unable to comprehend the text either.

[https://imgur.com/a/iAJTBvl](https://imgur.com/a/iAJTBvl)

~~~
m-p-3
I curated and cleaned the article of double spaces and remade it in Markdown:

[https://gist.github.com/m-p-3/266d228113cd9eb5db0e14b338cbe5...](https://gist.github.com/m-p-3/266d228113cd9eb5db0e14b338cbe5ae)